GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-06 20:05:36
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST925082 rev.3.CM 232,89GB
Running: ct9bew5d.exe; Driver: C:\Users\marek\AppData\Local\Temp\pwdoypog.sys

---- System - GMER 2.1 ----

INT 0x51 ? 85934BF8
INT 0x51 ? 873A8F00
INT 0x51 ? 873A8F00
INT 0x51 ? 85934BF8
INT 0x72 ? 873A8F00
INT 0x82 ? 873A8F00
INT 0x92 ? 873A8F00
INT 0xA2 ? 873A8F00
INT 0xA2 ? 873A8F00

---- Kernel code sections - GMER 2.1 ----

? System32\Drivers\spsp.sys System nie może odnaleźć określonej ścieżki.
! .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EA0F340, 0x3E9407, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\conime.exe[364] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 017FB285
.text C:\Windows\system32\conime.exe[364] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 017FB32B
.text C:\Windows\system32\conime.exe[364] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 017FB476
.text C:\Windows\system32\conime.exe[364] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 017FB3CD
.text C:\Windows\system32\conime.exe[364] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 017F9D69
.text C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe[1380] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 01B8B285
.text C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe[1380] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 01B8B32B
.text C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe[1380] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 01B8B476
.text C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe[1380] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 01B8B3CD
.text C:\Program Files\Lenovo\ATK Hotkey\LFKA.exe[1380] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01B89D69
.text C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe[1712] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 01B8B285
.text C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe[1712] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 01B8B32B
.text C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe[1712] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 01B8B476
.text C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe[1712] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 01B8B3CD
.text C:\Program Files\Lenovo\NPDIRECT\tpfnf7sp.exe[1712] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01B89D69
.text C:\Windows\system32\rundll32.exe[1776] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 00C1B285
.text C:\Windows\system32\rundll32.exe[1776] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 00C1B32B
.text C:\Windows\system32\rundll32.exe[1776] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 00C1B476
.text C:\Windows\system32\rundll32.exe[1776] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 00C1B3CD
.text C:\Windows\system32\rundll32.exe[1776] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 00C19D69
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ntdll.dll!LdrLoadDll 776D9378 5 Bytes JMP 71E71F42 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ntdll.dll!NtCreateFile 77714264 5 Bytes JMP 5D429440 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ntdll.dll!NtFlushBuffersFile 77714764 5 Bytes JMP 5D117CC9 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ntdll.dll!NtQueryFullAttributesFile 77714C94 5 Bytes JMP 5D117F40 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ntdll.dll!NtReadFile 77714EC4 5 Bytes JMP 5D117D20 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ntdll.dll!NtReadFileScatter 77714ED4 5 Bytes JMP 5DD87D51 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ntdll.dll!NtWriteFile 777154D4 5 Bytes JMP 5D42A3D0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ntdll.dll!NtWriteFileGather 777154E4 5 Bytes JMP 5DD87D00 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 000BB285
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 000BB32B
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] kernel32.dll!HeapSetInformation + 26 7785A9B8 7 Bytes JMP 5D425E74 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] kernel32.dll!LockResource + C 77876BD3 7 Bytes JMP 5DCC923C C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] kernel32.dll!VirtualAllocEx + 54 7787B030 7 Bytes JMP 5DCC925F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] USER32.dll!GetWindowInfo 75F6428E 5 Bytes JMP 5DBCAF4C C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] GDI32.dll!SetStretchBltMode + 256 75EF745C 7 Bytes JMP 5DCC91BD C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 000BB476
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 000BB3CD
.text C:\Program Files\Mozilla Firefox\firefox.exe[1840] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 000B9D69
.text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1872] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 00F1B285
.text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1872] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 00F1B32B
.text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1872] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 00F1B476
.text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1872] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 00F1B3CD
.text C:\Program Files\ThinkVantage Fingerprint Software\upeksvr.exe[1872] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 00F19D69
.text C:\Windows\system32\notepad.exe[2424] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0073B285
.text C:\Windows\system32\notepad.exe[2424] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0073B32B
.text C:\Windows\system32\notepad.exe[2424] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0073B476
.text C:\Windows\system32\notepad.exe[2424] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0073B3CD
.text C:\Windows\system32\notepad.exe[2424] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 00739D69
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0357B285
.text C:\Windows\Explorer.EXE[2672] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0357B32B
.text C:\Windows\Explorer.EXE[2672] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0357B476
.text C:\Windows\Explorer.EXE[2672] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0357B3CD
.text C:\Windows\Explorer.EXE[2672] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 03579D69
.text C:\Windows\system32\taskeng.exe[2696] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0304B285
.text C:\Windows\system32\taskeng.exe[2696] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0304B32B
.text C:\Windows\system32\taskeng.exe[2696] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0304B476
.text C:\Windows\system32\taskeng.exe[2696] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0304B3CD
.text C:\Windows\system32\taskeng.exe[2696] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 03049D69
.text C:\Windows\System32\rundll32.exe[2716] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0290B285
.text C:\Windows\System32\rundll32.exe[2716] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0290B32B
.text C:\Windows\System32\rundll32.exe[2716] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0290B476
.text C:\Windows\System32\rundll32.exe[2716] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0290B3CD
.text C:\Windows\System32\rundll32.exe[2716] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 02909D69
.text C:\Windows\System32\rundll32.exe[2808] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0224B285
.text C:\Windows\System32\rundll32.exe[2808] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0224B32B
.text C:\Windows\System32\rundll32.exe[2808] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0224B476
.text C:\Windows\System32\rundll32.exe[2808] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0224B3CD
.text C:\Windows\System32\rundll32.exe[2808] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 02249D69
.text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2948] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 01C2B285
.text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2948] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 01C2B32B
.text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2948] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 01C2B476
.text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2948] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 01C2B3CD
.text C:\Program Files\Lenovo\HOTKEY\TPONSCR.exe[2948] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01C29D69
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3012] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 01AEB285
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3012] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 01AEB32B
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3012] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 01AEB476
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3012] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 01AEB3CD
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[3012] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01AE9D69
.text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3396] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 01C9B285
.text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3396] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 01C9B32B
.text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3396] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 01C9B476
.text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3396] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 01C9B3CD
.text C:\Program Files\Common Files\Lenovo\Scheduler\scheduler_proxy.exe[3396] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01C99D69
.text C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe[3456] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 01CCB285
.text C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe[3456] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 01CCB32B
.text C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe[3456] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 01CCB476
.text C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe[3456] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 01CCB3CD
.text C:\Program Files\Lenovo\ATK Hotkey\LCONTROL.exe[3456] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01CC9D69
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3648] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 014DB285
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3648] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 014DB32B
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3648] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 014DB476
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3648] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 014DB3CD
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3648] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 014D9D69
.text C:\Windows\System32\TpShocks.exe[3808] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 01DAB285
.text C:\Windows\System32\TpShocks.exe[3808] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 01DAB32B
.text C:\Windows\System32\TpShocks.exe[3808] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 01DAB476
.text C:\Windows\System32\TpShocks.exe[3808] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 01DAB3CD
.text C:\Windows\System32\TpShocks.exe[3808] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01DA9D69
.text C:\Program Files\Lenovo\Zoom\TpScrex.exe[3888] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0159B285
.text C:\Program Files\Lenovo\Zoom\TpScrex.exe[3888] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0159B32B
.text C:\Program Files\Lenovo\Zoom\TpScrex.exe[3888] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0159B476
.text C:\Program Files\Lenovo\Zoom\TpScrex.exe[3888] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0159B3CD
.text C:\Program Files\Lenovo\Zoom\TpScrex.exe[3888] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01599D69
.text C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe[3912] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0240B285
.text C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe[3912] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0240B32B
.text C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe[3912] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0240B476
.text C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe[3912] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0240B3CD
.text C:\Program Files\Lenovo\HOTKEY\LVOSDSVC.exe[3912] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 02409D69
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3956] kernel32.dll!CreateProcessW 77831BF3 3 Bytes JMP 020EB285
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3956] kernel32.dll!CreateProcessW + 4 77831BF7 1 Byte [8A]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3956] kernel32.dll!CreateProcessA 77831C28 3 Bytes JMP 020EB32B
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3956] kernel32.dll!CreateProcessA + 4 77831C2C 1 Byte [8A]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3956] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 020EB476
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3956] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 020EB3CD
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3956] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 020E9D69
.text C:\Windows\vsnp2uvc.exe[3996] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 01D1B285
.text C:\Windows\vsnp2uvc.exe[3996] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 01D1B32B
.text C:\Windows\vsnp2uvc.exe[3996] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 01D1B476
.text C:\Windows\vsnp2uvc.exe[3996] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 01D1B3CD
.text C:\Windows\vsnp2uvc.exe[3996] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01D19D69
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4024] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 00D2B285
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4024] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 00D2B32B
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4024] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 00D2B476
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4024] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 00D2B3CD
.text C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe[4024] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 00D29D69
.text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[4144] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0250B285
.text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[4144] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0250B32B
.text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[4144] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0250B476
.text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[4144] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0250B3CD
.text C:\Program Files\Common Files\Nokia\MPlatform\NokiaMServer.exe[4144] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 02509D69
.text C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe[4196] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 00AAB285
.text C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe[4196] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 00AAB32B
.text C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe[4196] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 00AAB476
.text C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe[4196] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 00AAB3CD
.text C:\Program Files\Lenovo\Message Center Plus\MCPLaunch.exe[4196] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 00AA9D69
.text C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE[4228] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0283B285
.text C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE[4228] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0283B32B
.text C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE[4228] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0283B476
.text C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE[4228] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0283B3CD
.text C:\Program Files\Lenovo\LenovoCare\LPMGR.EXE[4228] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 02839D69
.text C:\Program Files\Lenovo\LenovoCare\LPMLCHK.EXE[4280] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0290B285
.text C:\Program Files\Lenovo\LenovoCare\LPMLCHK.EXE[4280] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0290B32B
.text C:\Program Files\Lenovo\LenovoCare\LPMLCHK.EXE[4280] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0290B476
.text C:\Program Files\Lenovo\LenovoCare\LPMLCHK.EXE[4280] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0290B3CD
.text C:\Program Files\Lenovo\LenovoCare\LPMLCHK.EXE[4280] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 02909D69
.text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[4300] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0113B285
.text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[4300] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0113B32B
.text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[4300] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0113B476
.text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[4300] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0113B3CD
.text C:\Program Files\LogMeIn\x86\LogMeInSystray.exe[4300] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01139D69
.text C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE[4332] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 01B9B285
.text C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE[4332] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 01B9B32B
.text C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE[4332] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 01B9B476
.text C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE[4332] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 01B9B3CD
.text C:\Program Files\ThinkPad\Utilities\EZEJMNAP.EXE[4332] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01B99D69
.text C:\Program Files\Lenovo\Client Security Solution\cssauth.exe[4348] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0331B285
.text C:\Program Files\Lenovo\Client Security Solution\cssauth.exe[4348] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0331B32B
.text C:\Program Files\Lenovo\Client Security Solution\cssauth.exe[4348] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0331B476
.text C:\Program Files\Lenovo\Client Security Solution\cssauth.exe[4348] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0331B3CD
.text C:\Program Files\Lenovo\Client Security Solution\cssauth.exe[4348] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 03319D69
.text C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe[4396] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 026BB285
.text C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe[4396] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 026BB32B
.text C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe[4396] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 026BB476
.text C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe[4396] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 026BB3CD
.text C:\Program Files\ThinkPad\ConnectUtilities\ACWLIcon.exe[4396] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 026B9D69
.text C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe[4404] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0270B285
.text C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe[4404] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0270B32B
.text C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe[4404] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0270B476
.text C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe[4404] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0270B3CD
.text C:\Program Files\ThinkPad\ConnectUtilities\ACTray.exe[4404] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 02709D69
.text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4412] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 025CB285
.text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4412] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 025CB32B
.text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4412] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 025CB476
.text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4412] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 025CB3CD
.text C:\Program Files\Common Files\Common Desktop Agent\CDASrv.exe[4412] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 025C9D69
.text C:\Program Files\Windows Sidebar\sidebar.exe[4420] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 034FB285
.text C:\Program Files\Windows Sidebar\sidebar.exe[4420] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 034FB32B
.text C:\Program Files\Windows Sidebar\sidebar.exe[4420] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 034FB476
.text C:\Program Files\Windows Sidebar\sidebar.exe[4420] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 034FB3CD
.text C:\Program Files\Windows Sidebar\sidebar.exe[4420] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 034F9D69
.text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[4436] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 01BFB285
.text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[4436] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 01BFB32B
.text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[4436] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 01BFB476
.text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[4436] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 01BFB3CD
.text C:\Program Files\LogMeIn\x86\LMIGuardian.exe[4436] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01BF9D69
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[4464] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 028AB285
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[4464] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 028AB32B
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[4464] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 028AB476
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[4464] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 028AB3CD
.text C:\Program Files\Windows Media Player\wmpnscfg.exe[4464] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 028A9D69
.text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[4592] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 031CB285
.text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[4592] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 031CB32B
.text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[4592] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 031CB476
.text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[4592] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 031CB3CD
.text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[4592] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 031C9D69
.text C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe[4600] KERNEL32.dll!CreateProcessW 77831BF3 5 Bytes JMP 04F4B285
.text C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe[4600] KERNEL32.dll!CreateProcessA 77831C28 5 Bytes JMP 04F4B32B
.text C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe[4600] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 04F4B476
.text C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe[4600] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 04F4B3CD
.text C:\Program Files\Lenovo\Camera Center\bin\LenovoCameraCenter.exe[4600] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 04F49D69
.text C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe[4980] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 02D8B285
.text C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe[4980] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 02D8B32B
.text C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe[4980] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 02D8B476
.text C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe[4980] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 02D8B3CD
.text C:\Program Files\ThinkPad\Bluetooth Software\BtStackServer.exe[4980] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 02D89D69
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5016] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 016DB285
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5016] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 016DB32B
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5016] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 016DB476
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5016] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 016DB3CD
.text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[5016] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 016D9D69
.text C:\Windows\system32\notepad.exe[7288] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 002DB285
.text C:\Windows\system32\notepad.exe[7288] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 002DB32B
.text C:\Windows\system32\notepad.exe[7288] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 002DB476
.text C:\Windows\system32\notepad.exe[7288] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 002DB3CD
.text C:\Windows\system32\notepad.exe[7288] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 002D9D69
.text C:\Users\marek\Downloads\ct9bew5d.exe[8616] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0086B285
.text C:\Users\marek\Downloads\ct9bew5d.exe[8616] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0086B32B
.text C:\Users\marek\Downloads\ct9bew5d.exe[8616] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0086B476
.text C:\Users\marek\Downloads\ct9bew5d.exe[8616] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0086B3CD
.text C:\Users\marek\Downloads\ct9bew5d.exe[8616] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 00869D69
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] kernel32.dll!CreateThread 7787CBEE 5 Bytes JMP 6C6A74FB C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!EnableWindow 75F5CD8B 5 Bytes JMP 6C6EA25C C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!DefWindowProcA 75F5DB88 7 Bytes JMP 6C6A9729 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!CreateWindowExA 75F5DC2A 5 Bytes JMP 6C6B353B C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!CreateWindowExW 75F61305 5 Bytes JMP 6C70FFDF C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!DefWindowProcW 75F703B4 7 Bytes JMP 6C707C92 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!DialogBoxParamW 75F810B0 5 Bytes JMP 6C6418E3 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!DialogBoxIndirectParamW 75F82EF5 3 Bytes JMP 6C83DBA6 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!DialogBoxIndirectParamW + 4 75F82EF9 1 Byte [F6]
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!DialogBoxParamA 75F98152 5 Bytes JMP 6C83DB41 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!DialogBoxIndirectParamA 75F9847D 5 Bytes JMP 6C83DC0B C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!MessageBoxIndirectA 75FAD4D9 5 Bytes JMP 6C83DAC8 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!MessageBoxIndirectW 75FAD5D3 5 Bytes JMP 6C83DA4F C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!MessageBoxExA 75FAD639 5 Bytes JMP 6C83D9EB C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] USER32.dll!MessageBoxExW 75FAD65D 5 Bytes JMP 6C83D987 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[10544] ole32.dll!OleLoadFromStream 773C1E80 5 Bytes JMP 6C83E374 C:\Windows\system32\IEFRAME.dll
.text C:\Windows\system32\notepad.exe[11392] kernel32.dll!CreateProcessW 77831BF3 5 Bytes JMP 0183B285
.text C:\Windows\system32\notepad.exe[11392] kernel32.dll!CreateProcessA 77831C28 5 Bytes JMP 0183B32B
.text C:\Windows\system32\notepad.exe[11392] ADVAPI32.dll!CreateProcessAsUserA 75DACEB9 5 Bytes JMP 0183B476
.text C:\Windows\system32\notepad.exe[11392] ADVAPI32.dll!CreateProcessAsUserW 75DC1EE9 5 Bytes JMP 0183B3CD
.text C:\Windows\system32\notepad.exe[11392] CRYPT32.dll!PFXImportCertStore 7575A13D 5 Bytes JMP 01839D69

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74C17817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74C5B4F1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74C1BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74C0F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74C175E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74C0E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74C473F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [74C1DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74C0FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74C0FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74C071CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [74C9CB12] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74C3C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74C0D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74C06853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74C0687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2672] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74C12AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs 859351F8
Device \FileSystem\fastfat \FatCdrom 86E0D1F8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
Device \Driver\volmgr \Device\VolMgrControl 84F9C1F8

---- Trace I/O - GMER 2.1 ----

Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll iastor.sys spsp.sys >>UNKNOWN [0x858ec938]<< 858ec938
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8501c778] 8501c778
Trace 3 CLASSPNP.SYS[8add18b3] -> nt!IofCallDriver -> [0x859ea3b0] 859ea3b0
Trace 5 acpi.sys[8a60f6bc] -> nt!IofCallDriver -> \Device\Ide\IAAStorageDevice-1[0x8599b028] 8599b028

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@0017e4cf6de7 0xD3 0xA3 0xE7 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@1c62b8d87cc1 0x6B 0x47 0x69 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@a04e04d7b2df 0xBA 0x88 0x75 0x6B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@0026ff00a9f1 0xA0 0x88 0x91 0xEA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@8c3ae3df8e2f 0x22 0xA1 0xC2 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00234def4a90@502e5c7a81fd 0xE3 0xF1 0x64 0x4A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDF 0xBF 0x9D 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x36 0x45 0x07 0xCE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x07 0x66 0xF1 0x26 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90@0017e4cf6de7 0xD3 0xA3 0xE7 0xE6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90@1c62b8d87cc1 0x6B 0x47 0x69 0x1C ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90@a04e04d7b2df 0xBA 0x88 0x75 0x6B ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90@0026ff00a9f1 0xA0 0x88 0x91 0xEA ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90@8c3ae3df8e2f 0x22 0xA1 0xC2 0xC0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00234def4a90@502e5c7a81fd 0xE3 0xF1 0x64 0x4A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDF 0xBF 0x9D 0x56 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x36 0x45 0x07 0xCE ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x07 0x66 0xF1 0x26 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----