GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2003-12-11 00:51:29
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380215A rev.3.AAD
Running: lhwh0jjx.exe; Driver: C:\DOCUME~1\PAWE~1\USTAWI~1\Temp\uxliikoc.sys

---- System - GMER 1.0.15 ----

INT 0x62 ? 823DEBF8
INT 0x63 ? 820B5F00
INT 0x73 ? 820B5F00
INT 0x82 ? 823DEBF8
INT 0xB4 ? 820B5F00

---- Kernel code sections - GMER 1.0.15 ----

? spzv.sys Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF784D360, 0x372FAD, 0xE8000020]
.text USBPORT.SYS!DllUnload F782D8AC 5 Bytes JMP 820B54E0
.text aon33laq.SYS F76CE386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aon33laq.SYS F76CE3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aon33laq.SYS F76CE3C4 3 Bytes [00, 80, 02]
.text aon33laq.SYS F76CE3C9 1 Byte [30]
.text aon33laq.SYS F76CE3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\VT101.EXE[488] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\system32\VT101.EXE[488] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\system32\VT101.EXE[488] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\system32\VT101.EXE[488] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\system32\VT101.EXE[488] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7B30
.text C:\WINDOWS\system32\VT101.EXE[488] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\system32\VT101.EXE[488] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7CE4
.text C:\WINDOWS\system32\VT101.EXE[488] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\system32\VT101.EXE[488] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9]
.text C:\WINDOWS\system32\VT101.EXE[488] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7DE0
.text C:\WINDOWS\system32\VT101.EXE[488] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7D64
.text C:\WINDOWS\system32\VT101.EXE[488] WS2_32.dll!send 71A54C27 5 Bytes JMP 7FFA81BC
.text C:\WINDOWS\system32\VT101.EXE[488] WS2_32.dll!WSARecv 71A54CB5 5 Bytes CALL 7FFA811C
.text C:\WINDOWS\system32\VT101.EXE[488] WS2_32.dll!WSASend 71A568FA 5 Bytes CALL 7FFA8020
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7B30
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7CE4
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9]
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7DE0
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7D64
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] WS2_32.dll!send 71A54C27 5 Bytes JMP 7FFA81BC
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] WS2_32.dll!WSARecv 71A54CB5 5 Bytes CALL 7FFA811C
.text C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe[500] WS2_32.dll!WSASend 71A568FA 5 Bytes CALL 7FFA8020
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7B30
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7CE4
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9]
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7DE0
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7D64
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] WS2_32.DLL!send 71A54C27 5 Bytes JMP 7FFA81BC
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] WS2_32.DLL!WSARecv 71A54CB5 5 Bytes CALL 7FFA811C
.text C:\Documents and Settings\All Users\Menu Start\Programy\Autostart\system.exe[552] WS2_32.DLL!WSASend 71A568FA 5 Bytes CALL 7FFA8020
.text C:\WINDOWS\system32\winlogon.exe[596] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF96591
.text C:\WINDOWS\system32\winlogon.exe[596] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF96620
.text C:\WINDOWS\system32\winlogon.exe[596] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF9662D
.text C:\WINDOWS\system32\winlogon.exe[596] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF968B1
.text C:\WINDOWS\system32\winlogon.exe[596] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF96616
.text C:\WINDOWS\system32\winlogon.exe[596] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF9666E
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF96591
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF96620
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF9662D
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF968B1
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF96616
.text C:\WINDOWS\system32\services.exe[640] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF9666E
.text C:\WINDOWS\system32\lsass.exe[652] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF96591
.text C:\WINDOWS\system32\lsass.exe[652] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF96620
.text C:\WINDOWS\system32\lsass.exe[652] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF9662D
.text C:\WINDOWS\system32\lsass.exe[652] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF968B1
.text C:\WINDOWS\system32\lsass.exe[652] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF96616
.text C:\WINDOWS\system32\lsass.exe[652] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF9666E
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[696] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[696] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[696] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[696] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[696] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\Program Files\LogMeIn Hamachi\hamachi-2.exe[696] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\System32\svchost.exe[1116] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\System32\svchost.exe[1116] NETAPI32.dll!NetpwPathCanonicalize 6FF4A3A9 5 Bytes JMP 01C19D64
.text C:\WINDOWS\system32\svchost.exe[1172] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes JMP 009D9DC4
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7B30
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7CE4
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9]
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7DE0
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7D64
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] WS2_32.dll!send 71A54C27 5 Bytes JMP 7FFA81BC
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] WS2_32.dll!WSARecv 71A54CB5 5 Bytes CALL 7FFA811C
.text C:\Documents and Settings\Paweł\Pulpit\lhwh0jjx.exe[1256] WS2_32.dll!WSASend 71A568FA 5 Bytes CALL 7FFA8020
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\Program Files\Java\jre6\bin\jqs.exe[1656] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\Program Files\Java\jre6\bin\jqs.exe[1656] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\Program Files\Java\jre6\bin\jqs.exe[1656] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\Program Files\Java\jre6\bin\jqs.exe[1656] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\Program Files\Java\jre6\bin\jqs.exe[1656] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\Program Files\Java\jre6\bin\jqs.exe[1656] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text D:\Programy\Malwarebytes' Anti-Malware\mbamservice.exe[1716] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text D:\Programy\Malwarebytes' Anti-Malware\mbamservice.exe[1716] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text D:\Programy\Malwarebytes' Anti-Malware\mbamservice.exe[1716] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text D:\Programy\Malwarebytes' Anti-Malware\mbamservice.exe[1716] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text D:\Programy\Malwarebytes' Anti-Malware\mbamservice.exe[1716] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text D:\Programy\Malwarebytes' Anti-Malware\mbamservice.exe[1716] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\Explorer.EXE[1832] Explorer.EXE 0101A57C 4 Bytes JMP 00111C15
.text C:\WINDOWS\Explorer.EXE[1832] C:\WINDOWS\Explorer.EXE section is writeable [0x01001000, 0x44C09, 0xE0000020]
.reloc C:\WINDOWS\Explorer.EXE[1832] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0xA800, 0xE0000060]
dgaieap C:\WINDOWS\Explorer.EXE[1832] C:\WINDOWS\Explorer.EXE entry point in "dgaieap" section [0x0111D822]
dgaieap C:\WINDOWS\Explorer.EXE[1832] C:\WINDOWS\Explorer.EXE unknown last code section [0x01116000, 0x8000, 0xE0000020]
.text C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7B30
.text C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7CE4
.text C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9]
.text C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7DE0
.text C:\WINDOWS\Explorer.EXE[1832] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7D64
.text C:\WINDOWS\Explorer.EXE[1832] WS2_32.dll!send 71A54C27 5 Bytes JMP 7FFA81BC
.text C:\WINDOWS\Explorer.EXE[1832] WS2_32.dll!WSARecv 71A54CB5 5 Bytes CALL 7FFA811C
.text C:\WINDOWS\Explorer.EXE[1832] WS2_32.dll!WSASend 71A568FA 5 Bytes CALL 7FFA8020
.text C:\WINDOWS\System32\svchost.exe[1844] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\System32\svchost.exe[1844] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\System32\svchost.exe[1844] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\System32\svchost.exe[1844] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\System32\svchost.exe[1844] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\System32\svchost.exe[1844] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\system32\nvsvc32.exe[1904] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\system32\nvsvc32.exe[1904] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\system32\nvsvc32.exe[1904] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\system32\nvsvc32.exe[1904] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\system32\nvsvc32.exe[1904] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\system32\nvsvc32.exe[1904] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\system32\rundll32.exe[1936] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\system32\rundll32.exe[1936] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\system32\rundll32.exe[1936] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\system32\rundll32.exe[1936] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\system32\rundll32.exe[1936] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\system32\rundll32.exe[1936] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text D:\Programy\Firefox 5.0\firefox.exe[2024] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text D:\Programy\Firefox 5.0\firefox.exe[2024] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text D:\Programy\Firefox 5.0\firefox.exe[2024] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text D:\Programy\Firefox 5.0\firefox.exe[2024] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text D:\Programy\Firefox 5.0\firefox.exe[2024] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7B30
.text D:\Programy\Firefox 5.0\firefox.exe[2024] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text D:\Programy\Firefox 5.0\firefox.exe[2024] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7CE4
.text D:\Programy\Firefox 5.0\firefox.exe[2024] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text D:\Programy\Firefox 5.0\firefox.exe[2024] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9]
.text D:\Programy\Firefox 5.0\firefox.exe[2024] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7DE0
.text D:\Programy\Firefox 5.0\firefox.exe[2024] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7D64
.text D:\Programy\Firefox 5.0\firefox.exe[2024] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 00401410 D:\Programy\Firefox 5.0\firefox.exe (Firefox/Mozilla Corporation)
.text D:\Programy\Firefox 5.0\firefox.exe[2024] WS2_32.dll!send 71A54C27 5 Bytes JMP 7FFA81BC
.text D:\Programy\Firefox 5.0\firefox.exe[2024] WS2_32.dll!WSARecv 71A54CB5 5 Bytes CALL 7FFA811C
.text D:\Programy\Firefox 5.0\firefox.exe[2024] WS2_32.dll!WSASend 71A568FA 5 Bytes CALL 7FFA8020
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7B30
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7CE4
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9]
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7DE0
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7D64
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] WS2_32.dll!send 71A54C27 5 Bytes JMP 7FFA81BC
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] WS2_32.dll!WSARecv 71A54CB5 5 Bytes CALL 7FFA811C
.text D:\Programy\Gadu-Gadu 10\gg.exe[2332] WS2_32.dll!WSASend 71A568FA 5 Bytes CALL 7FFA8020
.text C:\Program Files\Opera\Opera.exe[2428] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA6591
.text C:\Program Files\Opera\Opera.exe[2428] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA6620
.text C:\Program Files\Opera\Opera.exe[2428] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA662D
.text C:\Program Files\Opera\Opera.exe[2428] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA68B1
.text C:\Program Files\Opera\Opera.exe[2428] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7B30
.text C:\Program Files\Opera\Opera.exe[2428] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6616
.text C:\Program Files\Opera\Opera.exe[2428] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7CE4
.text C:\Program Files\Opera\Opera.exe[2428] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA666E
.text C:\Program Files\Opera\Opera.exe[2428] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9]
.text C:\Program Files\Opera\Opera.exe[2428] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7DE0
.text C:\Program Files\Opera\Opera.exe[2428] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7D64

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 823732D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F844DDDC] spzv.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F844DE30] spzv.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8423042] spzv.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F842313E] spzv.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F84230C0] spzv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F8423800] spzv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F84236D6] spzv.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 820B55E0
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8432B90] spzv.sys
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlInitUnicodeString] 8800001C
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!swprintf] 001CBA86
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeSetEvent] C61AEB00
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoCreateSymbolicLink] 001C8986
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoGetConfigurationInformation] 86C61200
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoDeleteSymbolicLink] 00001C8B
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmFreeMappingAddress] 96868801
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoFreeErrorLogEntry] 8800001C
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoDisconnectInterrupt] 001CB286
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmUnmapIoSpace] 88968B00
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!ObReferenceObjectByPointer] 8900001C
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IofCompleteRequest] 001CA496
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlCompareUnicodeString] C6168B00
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IofCallDriver] 001CC186
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmAllocateMappingAddress] 428A0A00
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoAllocateErrorLogEntry] C286880C
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoConnectInterrupt] 8B00001C
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoDetachDevice] 24A48DFA
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeWaitForSingleObject] 00000000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeInitializeEvent] 4B8BDF8B
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeCancelTimer] 8D3F0304
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] CB033043
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlInitAnsiString] 0673C13B
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoBuildDeviceIoControlRequest] C13B0003
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoQueueWorkItem] 8366FA72
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmMapIoSpace] 75000E7B
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoInvalidateDeviceRelations] 0B7D80E3
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoReportDetectedDevice] 307B8D00
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoReportResourceForDetection] 00AA840F
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 83660000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!NlsMbCodePageTag] 6A000E7A
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!PoRequestPowerIrp] C6647400
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeInsertByKeyDeviceQueue] 001CC386
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!PoRegisterDeviceForIdleDetection] 4F8B0200
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!sprintf] 968D5140
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 00001C98
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!ObfDereferenceObject] 22F6E852
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoGetAttachedDeviceReference] 478B0000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoInvalidateDeviceState] 50016A40
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!ZwClose] 1CB48E8D
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!ObReferenceObjectByHandle] E8510000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!ZwCreateDirectoryObject] 000022E4
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 6A18538B
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 868D5200
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoCreateDevice] 00001CA0
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlCopyUnicodeString] 22D2E850
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoAllocateDriverObjectExtension] 4B8B0000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 51016A18
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!ZwOpenKey] 1CBC968D
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlFreeUnicodeString] E8520000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoStartTimer] 000022C0
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeInitializeTimer] 8A05478A
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoInitializeTimer] 001CC38E
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeInitializeDpc] 30C48300
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeInitializeSpinLock] 1CC58688
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoInitializeIrp] 80E90000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!ZwCreateKey] C6000000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlAppendUnicodeStringToString] 001CC386
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlIntegerToUnicodeString] 438B0100
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!ZwSetValueKey] 8E8D5018
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeInsertQueueDpc] 00001C98
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 2292E851
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoStartPacket] 538B0000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 52016A18
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoBuildAsynchronousFsdRequest] 1CB4868D
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoFreeMdl] E8500000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmUnlockPages] 00002280
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoWriteErrorLogEntry] 8A05478A
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeRemoveByKeyDeviceQueue] 001CC38E
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmMapLockedPagesWithReservedMapping] 18C48300
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmUnmapReservedMapping] 1CC58688
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeSynchronizeExecution] 43EB0000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoStartNextPacket] 320C538A
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeBugCheckEx] 88F93BC0
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeRemoveDeviceQueue] 001CC396
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeSetTimer] [F6317300] \SystemRoot\system32\DRIVERS\rdbss.sys (Redirected Drive Buffering SubSystem Driver/Microsoft Corporation)
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!_allmul] 74070647
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmProbeAndLockPages] 75C0841A
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!_except_handler3] 05578A0B
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!PoSetPowerState] 968801B0
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 00001CC5
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlWriteRegistryValue] 57B60F66
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlDeleteRegistryValue] 533B6604
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!_aulldiv] 03087408
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!strstr] 72F93B3F
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!_strupr] 8A09EBDA
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeQuerySystemTime] 86880547
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoWMIRegistrationControl] 00001CC5
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!KeTickCount] 88084B8A
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 001CC68E
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoDeleteDevice] 40578B00
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] 8D52006A
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoAllocateWorkItem] 001CC886
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoAllocateIrp] 11E85000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoAllocateMdl] 8B000022
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 001CC08E
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmLockPagableDataSection] C4968B00
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoGetDriverObjectExtension] 8900001C
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmUnlockPagableImageSection] 001CCC8E
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!ExFreePoolWithTag] D0968900
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoFreeIrp] 8B00001C
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!IoFreeWorkItem] 016A4047
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!InitSafeBootMode] D4C68150
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!RtlCompareMemory] 5600001C
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!PoCallDriver] 0021E7E8
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!memmove] 18C48300
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[ntoskrnl.exe!MmHighestUserAddress] 5D5B5E5F
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\aon33laq.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 823DD1F8
Device \Driver\usbuhci \Device\USBPDO-0 81FD41F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 823711F8
Device \Driver\dmio \Device\DmControl\DmConfig 823711F8
Device \Driver\dmio \Device\DmControl\DmPnP 823711F8
Device \Driver\dmio \Device\DmControl\DmInfo 823711F8
Device \Driver\usbuhci \Device\USBPDO-1 81FD41F8
Device \Driver\usbuhci \Device\USBPDO-2 81FD41F8
Device \Driver\PCI_PNP1980 \Device\00000046 spzv.sys
Device \Driver\usbehci \Device\USBPDO-3 820C91F8
Device \Driver\sptd \Device\1617378230 spzv.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 823DF1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 823DF1F8
Device \Driver\Cdrom \Device\CdRom0 820A3500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F8375B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F8375B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F8375B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F8375B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 823DF1F8
Device \Driver\Cdrom \Device\CdRom1 820A3500
Device \Driver\Cdrom \Device\CdRom2 820A3500
Device \Driver\NetBT \Device\NetBt_Wins_Export 82231500
Device \Driver\NetBT \Device\NetbiosSmb 82231500
Device \Driver\usbuhci \Device\USBFDO-0 81FD41F8
Device \Driver\usbuhci \Device\USBFDO-1 81FD41F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 821AF1F8
Device \Driver\usbuhci \Device\USBFDO-2 81FD41F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 821AF1F8
Device \Driver\usbehci \Device\USBFDO-3 820C91F8
Device \Driver\Ftdisk \Device\FtControl 823DF1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5B54A7DF-7516-42F4-9969-6CB74BBB4EAB} 82231500
Device \Driver\aon33laq \Device\Scsi\aon33laq1 820A81F8
Device \Driver\aon33laq \Device\Scsi\aon33laq1Port2Path0Target0Lun0 820A81F8
Device \Driver\aon33laq \Device\Scsi\aon33laq1Port2Path0Target1Lun0 820A81F8
Device \FileSystem\Cdfs \Cdfs 821C71F8

---- Processes - GMER 1.0.15 ----

Process C:\WINDOWS\system32\VT101.EXE (*** hidden *** ) 488
Library C:\WINDOWS\system32\VT101.EXE (*** hidden *** ) @ C:\WINDOWS\system32\VT101.EXE [488] 0x00400000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\drivers\EagleNT.sys (*** hidden *** ) [MANUAL] EagleNT <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] iuitj <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] jknfgjx <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@Start 3
Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@ImagePath \??\C:\WINDOWS\system32\drivers\EagleNT.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@DisplayName EagleNT
Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT\Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT\Security@Security 0x01 0x00 0x14 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\iuitj@DisplayName Windows Update Reg HKLM\SYSTEM\CurrentControlSet\Services\iuitj@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\iuitj@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\iuitj@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\iuitj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\CurrentControlSet\Services\iuitj@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\iuitj@Description Provides system and desktop level support to the NVIDIA display driver Reg HKLM\SYSTEM\CurrentControlSet\Services\iuitj\Parameters Reg HKLM\SYSTEM\CurrentControlSet\Services\iuitj\Parameters@ServiceDll C:\WINDOWS\system32\xyewmbm.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\jknfgjx@DisplayName Installer Time Reg HKLM\SYSTEM\CurrentControlSet\Services\jknfgjx@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\jknfgjx@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\jknfgjx@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\jknfgjx@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\CurrentControlSet\Services\jknfgjx@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\jknfgjx@Description Wykrywa i monitoruje nowe dyski twarde i wysy?a informacje o woluminach do us?ugi administracyjnej Mened?era dysk?w logicznych w celu konfiguracji. Je?li ta us?uga zostanie zatrzymana, informacje o stanie i konfiguracji dysk?w dynamicznych mog? sta? si? nieaktualne. Je?li ta us?uga zostanie wy??czona, wszelkie us?ugi jawnie od niej zale?ne przestan? si? uruchamia?. Reg HKLM\SYSTEM\CurrentControlSet\Services\jknfgjx\Parameters Reg HKLM\SYSTEM\CurrentControlSet\Services\jknfgjx\Parameters@ServiceDll C:\WINDOWS\system32\xyewmbm.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1A 0x71 0xBA 0xC6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x31 0xC9 0x3E 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xEA 0x49 0x7F 0xB4 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xFC 0xF2 0x72 0x2E ... Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@Type 1 Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@Start 3 Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@ImagePath \??\C:\WINDOWS\system32\drivers\EagleNT.sys Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@DisplayName EagleNT Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT\Security (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT\Security@Security 0x01 0x00 0x14 0x80 ... 
Reg HKLM\SYSTEM\ControlSet003\Services\iuitj@DisplayName Windows Update Reg HKLM\SYSTEM\ControlSet003\Services\iuitj@Type 32 Reg HKLM\SYSTEM\ControlSet003\Services\iuitj@Start 2 Reg HKLM\SYSTEM\ControlSet003\Services\iuitj@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet003\Services\iuitj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet003\Services\iuitj@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet003\Services\iuitj@Description Provides system and desktop level support to the NVIDIA display driver Reg HKLM\SYSTEM\ControlSet003\Services\iuitj\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\iuitj\Parameters@ServiceDll C:\WINDOWS\system32\xyewmbm.dll Reg HKLM\SYSTEM\ControlSet003\Services\jknfgjx@DisplayName Installer Time Reg HKLM\SYSTEM\ControlSet003\Services\jknfgjx@Type 32 Reg HKLM\SYSTEM\ControlSet003\Services\jknfgjx@Start 2 Reg HKLM\SYSTEM\ControlSet003\Services\jknfgjx@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet003\Services\jknfgjx@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet003\Services\jknfgjx@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet003\Services\jknfgjx@Description Wykrywa i monitoruje nowe dyski twarde i wysy?a informacje o woluminach do us?ugi administracyjnej Mened?era dysk?w logicznych w celu konfiguracji. Je?li ta us?uga zostanie zatrzymana, informacje o stanie i konfiguracji dysk?w dynamicznych mog? sta? si? nieaktualne. Je?li ta us?uga zostanie wy??czona, wszelkie us?ugi jawnie od niej zale?ne przestan? si? uruchamia?. Reg HKLM\SYSTEM\ControlSet003\Services\jknfgjx\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\jknfgjx\Parameters@ServiceDll C:\WINDOWS\system32\xyewmbm.dll Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1A 0x71 0xBA 0xC6 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x31 0xC9 0x3E 0x12 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xEA 0x49 0x7F 0xB4 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xFC 0xF2 0x72 0x2E ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@VT100 Emulator C:\WINDOWS\system32\VT101.EXE Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@LogMeIn Hamachi Ui "C:\Program Files\LogMeIn Hamachi\hamachi-2-ui.exe" --auto-start