GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2003-12-11 02:16:50 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380215A rev.3.AAD Running: lhwh0jjx.exe; Driver: C:\DOCUME~1\PAWE~1\USTAWI~1\Temp\uxliikoc.sys ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF7C63360, 0x372FAD, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .rsrc C:\WINDOWS\system32\svchost.exe[376] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\system32\svchost.exe[376] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\system32\svchost.exe[376] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\system32\svchost.exe[376] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\system32\svchost.exe[376] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\system32\svchost.exe[376] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\system32\svchost.exe[376] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\WINDOWS\system32\wscntfy.exe[436] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\system32\wscntfy.exe[436] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\system32\wscntfy.exe[436] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\system32\wscntfy.exe[436] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\system32\wscntfy.exe[436] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7A64 .text C:\WINDOWS\system32\wscntfy.exe[436] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\system32\wscntfy.exe[436] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7C18 .text C:\WINDOWS\system32\wscntfy.exe[436] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 
7FFA65AA .text C:\WINDOWS\system32\wscntfy.exe[436] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7D14 .text C:\WINDOWS\system32\wscntfy.exe[436] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7C98 .text C:\WINDOWS\system32\wscntfy.exe[436] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 7FFA79D8 .text C:\WINDOWS\system32\VT101.EXE[520] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\system32\VT101.EXE[520] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\system32\VT101.EXE[520] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\system32\VT101.EXE[520] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\system32\VT101.EXE[520] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7A64 .text C:\WINDOWS\system32\VT101.EXE[520] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\system32\VT101.EXE[520] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7C18 .text C:\WINDOWS\system32\VT101.EXE[520] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\WINDOWS\system32\VT101.EXE[520] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7D14 .text C:\WINDOWS\system32\VT101.EXE[520] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7C98 .text C:\WINDOWS\system32\VT101.EXE[520] WS2_32.dll!send 71A54C27 5 Bytes JMP 7FFA80F0 .text C:\WINDOWS\system32\VT101.EXE[520] WS2_32.dll!WSARecv 71A54CB5 5 Bytes CALL 7FFA8050 .text C:\WINDOWS\system32\VT101.EXE[520] WS2_32.dll!WSASend 71A568FA 5 Bytes CALL 7FFA7F54 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[532] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[532] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[532] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\Program Files\Common 
Files\Java\Java Update\jusched.exe[532] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[532] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7A64 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[532] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[532] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7C18 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[532] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[532] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7D14 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[532] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7C98 .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[532] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 7FFA79D8 .text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\system32\winlogon.exe[584] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtDeviceIoControlFile 
7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\system32\services.exe[628] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FF964CD .text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FF9655C .text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FF96569 .text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FF967ED .text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FF96552 .text C:\WINDOWS\system32\lsass.exe[640] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FF965AA .rsrc C:\WINDOWS\system32\svchost.exe[812] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .rsrc C:\WINDOWS\system32\svchost.exe[968] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 
7FFA6569 .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7A64 .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7C18 .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7D14 .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7C98 .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] WS2_32.dll!send 71A54C27 5 Bytes JMP 7FFA80F0 .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] WS2_32.dll!WSARecv 71A54CB5 5 Bytes CALL 7FFA8050 .text D:\Programy\Advanced SystemCare 4\ASCTray.exe[1004] WS2_32.dll!WSASend 71A568FA 5 Bytes CALL 7FFA7F54 .text C:\Program Files\Gadu-Gadu\gg.exe[1020] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\Program Files\Gadu-Gadu\gg.exe[1020] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes 
CALL 7FFA655C .text C:\Program Files\Gadu-Gadu\gg.exe[1020] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\Program Files\Gadu-Gadu\gg.exe[1020] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\Program Files\Gadu-Gadu\gg.exe[1020] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7A64 .text C:\Program Files\Gadu-Gadu\gg.exe[1020] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\Program Files\Gadu-Gadu\gg.exe[1020] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7C18 .text C:\Program Files\Gadu-Gadu\gg.exe[1020] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\Program Files\Gadu-Gadu\gg.exe[1020] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7D14 .text C:\Program Files\Gadu-Gadu\gg.exe[1020] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7C98 .text C:\Program Files\Gadu-Gadu\gg.exe[1020] WS2_32.dll!send 71A54C27 5 Bytes JMP 7FFA80F0 .text C:\Program Files\Gadu-Gadu\gg.exe[1020] WS2_32.dll!WSARecv 71A54CB5 5 Bytes CALL 7FFA8050 .text C:\Program Files\Gadu-Gadu\gg.exe[1020] WS2_32.dll!WSASend 71A568FA 5 Bytes CALL 7FFA7F54 .rsrc C:\WINDOWS\system32\svchost.exe[1124] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\system32\svchost.exe[1124] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .rsrc C:\WINDOWS\system32\svchost.exe[1260] C:\WINDOWS\system32\svchost.exe section is executable 
[0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\system32\svchost.exe[1260] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1288] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1288] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1288] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1288] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1288] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[1288] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\WINDOWS\Explorer.EXE[1308] Explorer.EXE 0101A57C 4 Bytes JMP 00111C15 .text C:\WINDOWS\Explorer.EXE[1308] C:\WINDOWS\Explorer.EXE section is writeable [0x01001000, 0x44C09, 0xE0000020] .reloc C:\WINDOWS\Explorer.EXE[1308] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0xA800, 0xE0000060] lltjfpo C:\WINDOWS\Explorer.EXE[1308] C:\WINDOWS\Explorer.EXE entry point in "lltjfpo" section [0x011158F8] dgaieap C:\WINDOWS\Explorer.EXE[1308] C:\WINDOWS\Explorer.EXE unknown last code section [0x01116000, 0xF000, 0xE0000020] .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtCreateProcess 
7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7A64 .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7C18 .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7D14 .text C:\WINDOWS\Explorer.EXE[1308] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7C98 .text C:\WINDOWS\Explorer.EXE[1308] WS2_32.dll!send 71A54C27 5 Bytes JMP 7FFA80F0 .text C:\WINDOWS\Explorer.EXE[1308] WS2_32.dll!WSARecv 71A54CB5 5 Bytes CALL 7FFA8050 .text C:\WINDOWS\Explorer.EXE[1308] WS2_32.dll!WSASend 71A568FA 5 Bytes CALL 7FFA7F54 .rsrc C:\WINDOWS\System32\svchost.exe[1368] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\System32\svchost.exe[1368] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] ntdll.dll!NtCreateProcess 
7C90D14E 5 Bytes CALL 7FFA655C .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7A64 .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7C18 .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7D14 .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7C98 .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] WS2_32.dll!send 71A54C27 5 Bytes JMP 7FFA80F0 .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] WS2_32.dll!WSARecv 71A54CB5 5 Bytes CALL 7FFA8050 .text C:\Documents and Settings\Paweł\Pulpit\OTL.exe[1420] WS2_32.dll!WSASend 71A568FA 5 Bytes CALL 7FFA7F54 .text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1452] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1452] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1452] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1452] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1452] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1452] 
ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[1452] kernel32.dll!CreateThread + 1A 7C8106E1 4 Bytes CALL 0044C771 C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (IObit Malware Fighter Service/IObit) .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1504] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1504] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1504] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1504] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1504] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1504] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7A64 .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] ntdll.dll!NtQueryDirectoryFile 7C90D76E 5 Bytes JMP 7FFA7C18 .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes 
JMP 7FFA7D14 .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7C98 .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] WS2_32.dll!send 71A54C27 5 Bytes JMP 7FFA80F0 .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] WS2_32.dll!WSARecv 71A54CB5 5 Bytes CALL 7FFA8050 .text D:\Programy\Advanced SystemCare 4\PMonitor.exe[1588] WS2_32.dll!WSASend 71A568FA 5 Bytes CALL 7FFA7F54 .text D:\Programy\Advanced SystemCare 4\ASCService.exe[1692] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text D:\Programy\Advanced SystemCare 4\ASCService.exe[1692] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text D:\Programy\Advanced SystemCare 4\ASCService.exe[1692] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text D:\Programy\Advanced SystemCare 4\ASCService.exe[1692] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text D:\Programy\Advanced SystemCare 4\ASCService.exe[1692] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text D:\Programy\Advanced SystemCare 4\ASCService.exe[1692] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text D:\Programy\java\bin\jqs.exe[1748] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text D:\Programy\java\bin\jqs.exe[1748] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text D:\Programy\java\bin\jqs.exe[1748] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text D:\Programy\java\bin\jqs.exe[1748] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text D:\Programy\java\bin\jqs.exe[1748] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text D:\Programy\java\bin\jqs.exe[1748] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text D:\Programy\Malwarebytes' Anti-Malware\mbamservice.exe[1796] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text D:\Programy\Malwarebytes' Anti-Malware\mbamservice.exe[1796] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 
7FFA655C .text D:\Programy\Malwarebytes' Anti-Malware\mbamservice.exe[1796] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text D:\Programy\Malwarebytes' Anti-Malware\mbamservice.exe[1796] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text D:\Programy\Malwarebytes' Anti-Malware\mbamservice.exe[1796] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text D:\Programy\Malwarebytes' Anti-Malware\mbamservice.exe[1796] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\WINDOWS\system32\nvsvc32.exe[1836] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\WINDOWS\system32\nvsvc32.exe[1836] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\WINDOWS\system32\nvsvc32.exe[1836] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\WINDOWS\system32\nvsvc32.exe[1836] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\WINDOWS\system32\nvsvc32.exe[1836] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\WINDOWS\system32\nvsvc32.exe[1836] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\Documents and Settings\Paweł\Pulpit\Gamer\lhwh0jjx.exe[2652] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes CALL 7FFA64CD .text C:\Documents and Settings\Paweł\Pulpit\Gamer\lhwh0jjx.exe[2652] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes CALL 7FFA655C .text C:\Documents and Settings\Paweł\Pulpit\Gamer\lhwh0jjx.exe[2652] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes CALL 7FFA6569 .text C:\Documents and Settings\Paweł\Pulpit\Gamer\lhwh0jjx.exe[2652] ntdll.dll!NtDeviceIoControlFile 7C90D27E 5 Bytes CALL 7FFA67ED .text C:\Documents and Settings\Paweł\Pulpit\Gamer\lhwh0jjx.exe[2652] ntdll.dll!NtEnumerateValueKey 7C90D2EE 5 Bytes JMP 7FFA7A64 .text C:\Documents and Settings\Paweł\Pulpit\Gamer\lhwh0jjx.exe[2652] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes CALL 7FFA6552 .text C:\Documents and Settings\Paweł\Pulpit\Gamer\lhwh0jjx.exe[2652] ntdll.dll!NtQueryDirectoryFile 
7C90D76E 5 Bytes JMP 7FFA7C18 .text C:\Documents and Settings\Paweł\Pulpit\Gamer\lhwh0jjx.exe[2652] ntdll.dll!NtQueryInformationProcess 7C90D7FE 5 Bytes CALL 7FFA65AA .text C:\Documents and Settings\Paweł\Pulpit\Gamer\lhwh0jjx.exe[2652] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 7FFA7D14 .text C:\Documents and Settings\Paweł\Pulpit\Gamer\lhwh0jjx.exe[2652] ntdll.dll!NtVdmControl 7C90DF1E 5 Bytes JMP 7FFA7C98 .text C:\Documents and Settings\Paweł\Pulpit\Gamer\lhwh0jjx.exe[2652] ntdll.dll!LdrLoadDll 7C9163C3 5 Bytes JMP 7FFA79D8 ---- Processes - GMER 1.0.15 ---- Process C:\WINDOWS\system32\VT101.EXE (*** hidden *** ) 520 Library C:\WINDOWS\system32\VT101.EXE (*** hidden *** ) @ C:\WINDOWS\system32\VT101.EXE [520] 0x00400000 ---- Services - GMER 1.0.15 ---- Service C:\WINDOWS\system32\drivers\EagleNT.sys (*** hidden *** ) [MANUAL] EagleNT <-- ROOTKIT !!! ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@ImagePath \??\C:\WINDOWS\system32\drivers\EagleNT.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT@DisplayName EagleNT Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT\Security Reg HKLM\SYSTEM\CurrentControlSet\Services\EagleNT\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1A 0x71 0xBA 0xC6 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x31 0xC9 0x3E 0x12 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xEA 0x49 0x7F 0xB4 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xFC 0xF2 0x72 0x2E ... Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@Type 1 Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@Start 3 Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@ErrorControl 1 Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@ImagePath \??\C:\WINDOWS\system32\drivers\EagleNT.sys Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT@DisplayName EagleNT Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT\Security (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\EagleNT\Security@Security 0x01 0x00 0x14 0x80 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1A 0x71 0xBA 0xC6 ... 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x31 0xC9 0x3E 0x12 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xEA 0x49 0x7F 0xB4 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xFC 0xF2 0x72 0x2E ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@VT100 Emulator C:\WINDOWS\system32\VT101.EXE Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@SunJavaUpdateSched "C:\Program Files\Common Files\Java\Java Update\jusched.exe" Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@MSConfig C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto