GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-23 14:57:56 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HD321KJ rev.CP100-13 298,09GB Running: t6zmvt0v.exe; Driver: C:\Users\Korek\AppData\Local\Temp\kwddykog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwNotifyChangeKey [0x996946F0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwNotifyChangeMultipleKeys [0x99694820] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwOpenProcess [0x99694010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwOpenThread [0x996944E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwSuspendProcess [0x99694300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwSuspendThread [0x996943F0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwTerminateProcess [0x99694120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwTerminateThread [0x99694210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwWriteVirtualMemory [0x996945F0] Code \??\C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSKsp.sys KeUserModeCallback ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1271 8304E819 8 Bytes JMP 996CC27D \SystemRoot\system32\drivers\TsFltMgr.sys .text ntoskrnl.exe!ZwRollbackEnlistment + 1401 8304E9A9 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8306E4D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 161F 830759DC 8 Bytes [F0, 46, 69, 99, 20, 48, 69, ...] .text ntoskrnl.exe!KeRemoveQueueEx + 1667 83075A24 4 Bytes [10, 40, 69, 99] {ADC [EAX+0x69], AL; CDQ } .text ntoskrnl.exe!KeRemoveQueueEx + 1687 83075A44 4 Bytes [E0, 44, 69, 99] .text ntoskrnl.exe!KeRemoveQueueEx + 1927 83075CE4 8 Bytes [00, 43, 69, 99, F0, 43, 69, ...] .text ntoskrnl.exe!KeRemoveQueueEx + 1937 83075CF4 8 Bytes [20, 41, 69, 99, 10, 42, 69, ...] {AND [ECX+0x69], AL; CDQ ; ADC [EDX+0x69], AL; CDQ } .text ... .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x896D0774] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90429000, 0x2309CE, 0xE8000020] ? C:\Windows\System32\Drivers\ado7wit1.SYS suspicious PE modification ? C:\Windows\System32\Drivers\aw14gowb.SYS suspicious PE modification .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x8B7AE300, 0x1B7E, 0xE8000020] ? C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSSysKit.sys Nie można odnaleźć określonego pliku. ! ? system32\drivers\TsFltMgr.sys System nie może odnaleźć określonej ścieżki. ! ? C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMUdisk.sys Nie można odnaleźć określonego pliku. ! ? C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSKsp.sys Nie można odnaleźć określonego pliku. ! ? C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QQSysMon.sys Nie można odnaleźć określonego pliku. ! ? C:\Windows\system32\drivers\TAOKernel.sys Nie można odnaleźć określonego pliku. ! ? C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\tscpm.sys Nie można odnaleźć określonego pliku. ! ? system32\Drivers\TFsFlt.sys System nie może odnaleźć określonej ścieżki. ! ? system32\DRIVERS\TSDefenseBt.sys System nie może odnaleźć określonej ścieżki. ! ? C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TS888.sys Nie można odnaleźć określonego pliku. ! .text C:\Program Files\DAEMON Tools Lite\Engine.dll section is writeable [0x778B1000, 0xB5BE2, 0xE0000020] .text kernel32.dll!CreateProcessInternalW 76C107A2 5 Bytes [E9, B9, 0A, AF, E5] {JMP 0xe5af0abe} ---- User code sections - GMER 2.1 ---- .text C:\Windows\Explorer.EXE[2316] ntdll.dll!NtCreateUserProcess 77CC5778 5 Bytes JMP 627A405E C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMBrowserSafe.dll .text C:\Windows\Explorer.EXE[2316] ntdll.dll!RtlCreateProcessParametersEx 77CE6EB9 5 Bytes JMP 61DB601D C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIEsafeDll.dll .text C:\Windows\Explorer.EXE[2316] ntdll.dll!RtlCreateProcessParameters 77D298E2 5 Bytes JMP 61DB5FBC C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIEsafeDll.dll .text C:\Windows\Explorer.EXE[2316] kernel32.dll!ExitProcess 76C1BBE2 4 Bytes JMP 62FE83B0 C:\ProgramData\Tencent\TSVulFw\TSVulFW.DAT (????-TSVulFW/Tencent) .text C:\Windows\Explorer.EXE[2316] USER32.dll!ShowWindow 7647F2A9 5 Bytes JMP 62FE8DFE C:\ProgramData\Tencent\TSVulFw\TSVulFW.DAT (????-TSVulFW/Tencent) .text C:\Windows\Explorer.EXE[2316] SHLWAPI.dll!SHRegGetValueW 76B7B8BA 5 Bytes JMP 627A3D42 C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMBrowserSafe.dll .text C:\Windows\Explorer.EXE[2316] SHELL32.dll!SHGetSpecialFolderPathW 77050418 5 Bytes JMP 61DB5D29 C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIEsafeDll.dll .text C:\Windows\Explorer.EXE[2316] SHELL32.dll!ShellExecuteExW 77051DF6 5 Bytes JMP 61DB5DD4 C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIEsafeDll.dll .text C:\Windows\Explorer.EXE[2316] SHELL32.dll!SHGetItemFromDataObject + 378 7707EBCC 4 Bytes [92, 58, DB, 61] .text C:\Windows\Explorer.EXE[2316] SHELL32.dll!PathIsExe + 1BF7 7708DD8C 4 Bytes [6D, 5B, DB, 61] .text C:\Program Files\AVG\AVG2015\avgemcx.exe[2808] ntdll.dll!NtMapViewOfSection 77CC5C28 5 Bytes JMP 5C701460 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Program Files\AVG\AVG2015\avgemcx.exe[2808] ntdll.dll!NtWriteVirtualMemory 77CC6A98 5 Bytes JMP 5C701120 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Program Files\AVG\AVG2015\avgemcx.exe[2808] kernel32.dll!CreateProcessInternalW 76C107A2 5 Bytes JMP 5C701260 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Program Files\AVG\AVG2015\avgui.exe[5024] ntdll.dll!NtMapViewOfSection 77CC5C28 5 Bytes JMP 5C701460 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Program Files\AVG\AVG2015\avgui.exe[5024] ntdll.dll!NtWriteVirtualMemory 77CC6A98 5 Bytes JMP 5C701120 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Program Files\AVG\AVG2015\avgui.exe[5024] kernel32.dll!CreateProcessInternalW 76C107A2 5 Bytes JMP 5C701260 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Program Files\AVG\AVG2015\avgnsx.exe[9896] ntdll.dll!NtMapViewOfSection 77CC5C28 5 Bytes JMP 5C701460 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Program Files\AVG\AVG2015\avgnsx.exe[9896] ntdll.dll!NtWriteVirtualMemory 77CC6A98 5 Bytes JMP 5C701120 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Program Files\AVG\AVG2015\avgnsx.exe[9896] kernel32.dll!CreateProcessInternalW 76C107A2 5 Bytes JMP 5C701260 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Windows\explorer.exe[11688] ntdll.dll!NtCreateUserProcess 77CC5778 5 Bytes JMP 627A405E C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMBrowserSafe.dll .text C:\Windows\explorer.exe[11688] ntdll.dll!NtMapViewOfSection 77CC5C28 5 Bytes JMP 5C701460 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Windows\explorer.exe[11688] ntdll.dll!NtWriteVirtualMemory 77CC6A98 5 Bytes JMP 5C701120 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Windows\explorer.exe[11688] ntdll.dll!RtlCreateProcessParametersEx 77CE6EB9 5 Bytes JMP 632772A2 C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIEsafeDll.dll .text C:\Windows\explorer.exe[11688] ntdll.dll!RtlCreateProcessParameters 77D298E2 5 Bytes JMP 632770FA C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIEsafeDll.dll .text C:\Windows\explorer.exe[11688] kernel32.dll!CreateProcessInternalW 76C107A2 5 Bytes JMP 5C701260 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Windows\explorer.exe[11688] kernel32.dll!ExitProcess 76C1BBE2 4 Bytes JMP 62FE83B0 C:\ProgramData\Tencent\TSVulFw\TSVulFW.DAT (????-TSVulFW/Tencent) .text C:\Windows\explorer.exe[11688] USER32.dll!ShowWindow 7647F2A9 5 Bytes JMP 62FE8DFE C:\ProgramData\Tencent\TSVulFw\TSVulFW.DAT (????-TSVulFW/Tencent) .text C:\Windows\explorer.exe[11688] SHELL32.dll!SHGetSpecialFolderPathW 77050418 4 Bytes JMP 63276E6C C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIEsafeDll.dll .text C:\Windows\explorer.exe[11688] SHELL32.dll!ShellExecuteExW 77051DF6 4 Bytes JMP 63276F17 C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIEsafeDll.dll .text C:\Windows\explorer.exe[11688] SHELL32.dll!SHGetItemFromDataObject + 378 7707EBCC 4 Bytes [D2, 69, 27, 63] .text C:\Windows\explorer.exe[11688] SHELL32.dll!PathIsExe + 1BF7 7708DD8C 4 Bytes [AD, 6C, 27, 63] .text C:\Windows\explorer.exe[11688] SHLWAPI.dll!SHRegGetValueW 76B7B8BA 5 Bytes JMP 627A3D42 C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMBrowserSafe.dll .text C:\Program Files\AVG\AVG2015\avgwdsvc.exe[18628] ntdll.dll!NtMapViewOfSection 77CC5C28 5 Bytes JMP 5C701460 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Program Files\AVG\AVG2015\avgwdsvc.exe[18628] ntdll.dll!NtWriteVirtualMemory 77CC6A98 5 Bytes JMP 5C701120 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Program Files\AVG\AVG2015\avgwdsvc.exe[18628] kernel32.dll!CreateProcessInternalW 76C107A2 5 Bytes JMP 5C701260 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Users\Korek\Downloads\t6zmvt0v.exe[18804] ntdll.dll!NtMapViewOfSection 77CC5C28 5 Bytes JMP 5C701460 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Users\Korek\Downloads\t6zmvt0v.exe[18804] ntdll.dll!NtWriteVirtualMemory 77CC6A98 5 Bytes JMP 5C701120 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Users\Korek\Downloads\t6zmvt0v.exe[18804] kernel32.dll!CreateProcessInternalW 76C107A2 5 Bytes JMP 5C701260 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\ProgramData\Avg_Update_0215pit\AVG-Secure-Search-Update_0215pit.exe[19904] ntdll.dll!NtMapViewOfSection 77CC5C28 5 Bytes JMP 5C701460 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\ProgramData\Avg_Update_0215pit\AVG-Secure-Search-Update_0215pit.exe[19904] ntdll.dll!NtWriteVirtualMemory 77CC6A98 5 Bytes JMP 5C701120 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\ProgramData\Avg_Update_0215pit\AVG-Secure-Search-Update_0215pit.exe[19904] kernel32.dll!CreateProcessInternalW 76C107A2 5 Bytes JMP 5C701260 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Windows\system32\taskeng.exe[22140] ntdll.dll!NtMapViewOfSection 77CC5C28 5 Bytes JMP 5C701460 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Windows\system32\taskeng.exe[22140] ntdll.dll!NtWriteVirtualMemory 77CC6A98 5 Bytes JMP 5C701120 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text C:\Windows\system32\taskeng.exe[22140] kernel32.dll!CreateProcessInternalW 76C107A2 5 Bytes JMP 5C701260 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] ntdll.dll!TpReleaseIoCompletion 77C9CEB8 5 Bytes JMP 5D9B09A3 C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSWebMon.dat .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] ntdll.dll!NtCreateFile 77CC55C8 5 Bytes JMP 5E950BCB c:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] ntdll.dll!NtFlushBuffersFile 77CC5958 5 Bytes JMP 5E950916 c:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] ntdll.dll!NtMapViewOfSection 77CC5C28 5 Bytes JMP 5C701460 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] ntdll.dll!NtQueryFullAttributesFile 77CC5FE8 5 Bytes JMP 5E950A43 c:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] ntdll.dll!NtReadFile 77CC62B8 5 Bytes JMP 5E950950 c:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] ntdll.dll!NtReadFileScatter 77CC62C8 5 Bytes JMP 5EC69BCE c:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] ntdll.dll!NtWriteFile 77CC6A68 5 Bytes JMP 5E950D6F c:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] ntdll.dll!NtWriteFileGather 77CC6A78 5 Bytes JMP 5EC69C1E c:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] ntdll.dll!NtWriteVirtualMemory 77CC6A98 5 Bytes JMP 5C701120 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] ntdll.dll!LdrLoadDll 77CE223E 4 Bytes JMP 6409921C c:\Program Files\Mozilla Firefox\mozglue.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] kernel32.dll!CreateThreadpoolIo 76BF34B0 5 Bytes JMP 5D9B0FCE C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSWebMon.dat .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76C0941E 7 Bytes JMP 5EC55622 c:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] kernel32.dll!QueryPerformanceCounter + 13 76C0C435 7 Bytes JMP 5EC56DFA c:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] kernel32.dll!LoadAppInitDlls + 355 76C0F4F6 7 Bytes JMP 5E9F6358 c:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] kernel32.dll!CreateProcessInternalW 76C107A2 5 Bytes JMP 5C701260 C:\Program Files\AVG\AVG2015\avghookx.dll (None/AVG Technologies CZ, s.r.o.) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] kernel32.dll!ExitProcess 76C1BBE2 4 Bytes JMP 62FE83B0 C:\ProgramData\Tencent\TSVulFw\TSVulFW.DAT (????-TSVulFW/Tencent) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] USER32.dll!GetWindowInfo 76484B5E 5 Bytes JMP 5F668E4A c:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] GDI32.dll!GetViewportOrgEx + 26C 7609884B 7 Bytes JMP 5EC53E16 c:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] WS2_32.dll!closesocket 766B3918 5 Bytes JMP 5D9B0E93 C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSWebMon.dat .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] WS2_32.dll!WSASocketW 766B3CD3 7 Bytes JMP 5D9B092F C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSWebMon.dat .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] WS2_32.dll!WSASend 766B4406 5 Bytes JMP 5D9B0B3B C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSWebMon.dat .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] WS2_32.dll!recv 766B6B0E 5 Bytes JMP 5D9B0DFF C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSWebMon.dat .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] WS2_32.dll!send 766B6F01 5 Bytes JMP 5D9B0C04 C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSWebMon.dat .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] WS2_32.dll!WSARecv 766B7089 5 Bytes JMP 5D9B0CAB C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSWebMon.dat .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] WS2_32.dll!WSAGetOverlappedResult 766B7489 5 Bytes JMP 5D9B0D5C C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSWebMon.dat .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] WS2_32.dll!WSAAsyncSelect 766CB014 5 Bytes JMP 5D9B0AA7 C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSWebMon.dat .text c:\Program Files\Mozilla Firefox\firefox.exe[33680] SHELL32.dll!ShellExecuteExW 015A1DF6 5 Bytes JMP 5D9D71AF C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSWebMon.dat ---- Kernel IAT/EAT - GMER 2.1 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8961D732] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8961DF14] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [8961E234] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8961E0F2] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8961D916] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74A524CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74A3562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74A356EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74A52546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74A485AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74A44D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74A45105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74A451DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74A46707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74A48301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74A48850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74A490B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74A4E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2316] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74A44C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [74A524CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [74A3562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [74A356EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [74A52546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [74A485AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [74A44D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [74A45105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [74A451DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74A46707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [74A48301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [74A48850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [74A490B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [74A4E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[11688] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [74A44C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 850611F8 Device \Driver\usbuhci \Device\USBPDO-0 8610A1F8 Device \Driver\usbuhci \Device\USBPDO-1 8610A1F8 Device \Driver\usbuhci \Device\USBPDO-2 8610A1F8 Device \Driver\PCI_PNP8846 \Device\00000053 sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) Device \Driver\usbuhci \Device\USBPDO-3 8610A1F8 Device \Driver\PCI_PNP8846 \Device\00000054 sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) Device \Driver\usbehci \Device\USBPDO-4 8612E440 AttachedDevice \Driver\tdx \Device\Tcp TAOKernel.sys AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\cdrom \Device\CdRom0 8671B1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 8505F1F8 Device \Driver\atapi \Device\Ide\IdePort0 8505F1F8 Device \Driver\atapi \Device\Ide\IdePort1 8505F1F8 Device \Driver\atapi \Device\Ide\IdePort2 8505F1F8 Device \Driver\atapi \Device\Ide\IdePort3 8505F1F8 Device \Driver\cdrom \Device\CdRom1 8671B1F8 Device \Driver\cdrom \Device\CdRom2 8671B1F8 Device \Driver\cdrom \Device\CdRom3 8671B1F8 Device \Driver\cdrom \Device\CdRom4 8671B1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 85FF91F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{04F817B4-2DA3-4891-A114-F55241BE88E8} 85FF91F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{9F961439-C909-45A1-BB2D-0EC1B37B1658} 85FF91F8 AttachedDevice \Driver\tdx \Device\Udp TAOKernel.sys AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\tdx \Device\RawIp TAOKernel.sys AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\usbuhci \Device\USBFDO-0 8610A1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{B5BBEE0F-2046-4F89-BC22-CDCDDE33DB85} 85FF91F8 Device \Driver\usbuhci \Device\USBFDO-1 8610A1F8 Device \Driver\usbuhci \Device\USBFDO-2 8610A1F8 Device \Driver\usbuhci \Device\USBFDO-3 8610A1F8 Device \Driver\usbehci \Device\USBFDO-4 8612E440 Device \Driver\ado7wit1 \Device\Scsi\ado7wit11Port4Path0Target0Lun0 861791F8 Device \Driver\ado7wit1 \Device\Scsi\ado7wit11Port4Path0Target2Lun0 861791F8 Device \Driver\ado7wit1 \Device\Scsi\ado7wit11 861791F8 Device \Driver\aw14gowb \Device\Scsi\aw14gowb1 861991F8 Device \Driver\aw14gowb \Device\Scsi\aw14gowb1Port5Path0Target0Lun0 861991F8 Device \Driver\ado7wit1 \Device\Scsi\ado7wit11Port4Path0Target3Lun0 861791F8 Device \Driver\ado7wit1 \Device\Scsi\ado7wit11Port4Path0Target1Lun0 861791F8 Device \FileSystem\cdfs \Cdfs 87F041F8 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8505f1f8]<< 8505f1f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85e62030] 85e62030 Trace 3 CLASSPNP.SYS[89e6b59e] -> nt!IofCallDriver -> [0x85d90918] 85d90918 Trace 5 ACPI.sys[896f53d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x85d85338] 85d85338 Trace \Driver\atapi[0x85d74f38] -> IRP_MJ_CREATE -> 0x8505f1f8 8505f1f8 ---- Processes - GMER 2.1 ---- Library C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMGCShellExt.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [2316] 0x0A910000 Library C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIEsafeDll.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [2316] 0x61DB0000 Library C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMBrowserSafe.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [2316] 0x627A0000 Library C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIpc.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [2316] 0x70450000 Library C:\Program Files\VuuPC\remoteengine.exe (*** hidden *** ) @ C:\Program Files\VuuPC\remoteengine.exe [10752] 0x00400000 Library C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\exnscan.dll (*** hidden *** ) @ C:\Windows\explorer.exe [11688] 0x62650000 Library C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIEsafeDll.dll (*** hidden *** ) @ C:\Windows\explorer.exe [11688] 0x63270000 Library C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMBrowserSafe.dll (*** hidden *** ) @ C:\Windows\explorer.exe [11688] 0x627A0000 Library C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIpc.dll (*** hidden *** ) @ C:\Windows\explorer.exe [11688] 0x70450000 Library C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMGCShellExt.dll (*** hidden *** ) @ C:\Windows\explorer.exe [11688] 0x10000000 Library C:\Users\Korek\AppData\Roaming\00000000-1434998750-0000-0000-406186C562FA\jnsb4DFC.tmp (*** hidden *** ) @ C:\Users\Korek\AppData\Roaming\00000000-1434998750-0000-0000-406186C562FA\jnsb4DFC.tmp [12404] 0x01010000 Library C:\Users\Korek\AppData\Local\00000000-1435006139-0000-0000-406186C562FA\snspF87D.tmp (*** hidden *** ) @ C:\Users\Korek\AppData\Local\00000000-1435006139-0000-0000-406186C562FA\snspF87D.tmp [12936] 0x00DC0000 Library C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\TSWebMon.dat (*** hidden *** ) @ c:\Program Files\Mozilla Firefox\firefox.exe [33680] 0x5D990000 Library C:\Program Files\Tencent\QQPCMgr\10.10.16434.218\QMIpc.dll (*** hidden *** ) @ c:\Program Files\Mozilla Firefox\firefox.exe [33680] 0x70450000 Library C:\Users\Korek\AppData\Roaming\00000000-1434998750-0000-0000-406186C562FA\hnst6D3E.tmp (*** hidden *** ) @ C:\Users\Korek\AppData\Roaming\00000000-1434998750-0000-0000-406186C562FA\hnst6D3E.tmp [47748] 0x00AD0000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{C7BF0F51-B027-4268-BE61-B1CE924BBB18}\Connection@Name isatap.{B5BBEE0F-2046-4F89-BC22-CDCDDE33DB85} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{D9AB70EF-1115-4980-B07B-A5920AF1FCC0}?\Device\{C7BF0F51-B027-4268-BE61-B1CE924BBB18}?\Device\{A136D42A-BB13-49FA-93B6-6DD8ECE66D07}?\Device\{9B14238C-E051-462C-9043-5C170721E8D2}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{D9AB70EF-1115-4980-B07B-A5920AF1FCC0}"?"{C7BF0F51-B027-4268-BE61-B1CE924BBB18}"?"{A136D42A-BB13-49FA-93B6-6DD8ECE66D07}"?"{9B14238C-E051-462C-9043-5C170721E8D2}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{D9AB70EF-1115-4980-B07B-A5920AF1FCC0}?\Device\TCPIP6TUNNEL_{C7BF0F51-B027-4268-BE61-B1CE924BBB18}?\Device\TCPIP6TUNNEL_{A136D42A-BB13-49FA-93B6-6DD8ECE66D07}?\Device\TCPIP6TUNNEL_{9B14238C-E051-462C-9043-5C170721E8D2}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{C7BF0F51-B027-4268-BE61-B1CE924BBB18}@InterfaceName isatap.{B5BBEE0F-2046-4F89-BC22-CDCDDE33DB85} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{C7BF0F51-B027-4268-BE61-B1CE924BBB18}@ReusableType 0 ---- EOF - GMER 2.1 ----