GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-05 12:28:21
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HM250HI rev.2AC101C4
Running: 42zljt8g.exe; Driver: C:\Users\emily\AppData\Local\Temp\awddrkob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0x89BC07F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0x89BC08B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0x89BC0870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0x89BC0830]

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKey + 13CD 830509C9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 830704E2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 14CB 83077868 4 Bytes [F0, 07, BC, 89]
.text ntoskrnl.exe!KeRemoveQueueEx + 15DB 83077978 4 Bytes [B0, 08, BC, 89]
.text ntoskrnl.exe!KeRemoveQueueEx + 18E7 83077C84 4 Bytes [70, 08, BC, 89]
.text ntoskrnl.exe!KeRemoveQueueEx + 192F 83077CCC 4 Bytes [30, 08, BC, 89]
? System32\Drivers\spen.sys System nie może odnaleźć określonej ścieżki. !
.text USBPORT.SYS!DllUnload 92E60D81 5 Bytes JMP 8659C1D8
.text ap5aq1v5.SYS 91B69000 12 Bytes [44, 38, 42, 83, EE, 36, 42, ...]
.text ap5aq1v5.SYS 91B6900D 9 Bytes [17, 42, 83, 48, 3B, 42, 83, ...] {POP SS; INC EDX; OR DWORD [EAX+0x3b], 0x42; ADD DWORD [EAX], 0x0}
.text ap5aq1v5.SYS 91B69017 170 Bytes [00, DE, A7, 72, 89, E6, A5, ...]
.text ap5aq1v5.SYS 91B690C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text ap5aq1v5.SYS 91B690CE 4 Bytes [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1804] kernel32.dll!SetUnhandledExceptionFilter 76F3F4FB 4 Bytes [C2, 04, 00, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtCreateFile + 6 77C655CE 4 Bytes [28, 00, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtCreateFile + B 77C655D3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtMapViewOfSection + 6 77C65C2E 1 Byte [28]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtMapViewOfSection + 6 77C65C2E 4 Bytes [28, 03, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtMapViewOfSection + B 77C65C33 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtOpenFile + 6 77C65CDE 4 Bytes [68, 00, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtOpenFile + B 77C65CE3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtOpenProcess + 6 77C65D8E 4 Bytes [A8, 01, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtOpenProcess + B 77C65D93 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtOpenProcessToken + B 77C65DA3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtOpenProcessTokenEx + 6 77C65DAE 4 Bytes [A8, 02, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtOpenProcessTokenEx + B 77C65DB3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtOpenThread + 6 77C65E0E 4 Bytes [68, 01, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtOpenThread + B 77C65E13 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtOpenThreadToken + 6 77C65E1E 4 Bytes [68, 02, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtOpenThreadToken + B 77C65E23 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtOpenThreadTokenEx + B 77C65E33 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtQueryAttributesFile + 6 77C65F3E 4 Bytes [A8, 00, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtQueryAttributesFile + B 77C65F43 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtQueryFullAttributesFile + B 77C65FF3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtSetInformationFile + 6 77C6663E 4 Bytes [28, 01, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtSetInformationFile + B 77C66643 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtSetInformationThread + 6 77C6669E 4 Bytes [28, 02, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtSetInformationThread + B 77C666A3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtUnmapViewOfSection + 6 77C669BE 1 Byte [68]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtUnmapViewOfSection + 6 77C669BE 4 Bytes [68, 03, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[1968] ntdll.dll!NtUnmapViewOfSection + B 77C669C3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtCreateFile + 6 77C655CE 4 Bytes [28, 00, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtCreateFile + B 77C655D3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtMapViewOfSection + 6 77C65C2E 1 Byte [28]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtMapViewOfSection + 6 77C65C2E 4 Bytes [28, 03, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtMapViewOfSection + B 77C65C33 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtOpenFile + 6 77C65CDE 4 Bytes [68, 00, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtOpenFile + B 77C65CE3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtOpenProcess + 6 77C65D8E 4 Bytes [A8, 01, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtOpenProcess + B 77C65D93 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtOpenProcessToken + B 77C65DA3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtOpenProcessTokenEx + 6 77C65DAE 4 Bytes [A8, 02, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtOpenProcessTokenEx + B 77C65DB3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtOpenThread + 6 77C65E0E 4 Bytes [68, 01, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtOpenThread + B 77C65E13 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtOpenThreadToken + 6 77C65E1E 4 Bytes [68, 02, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtOpenThreadToken + B 77C65E23 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtOpenThreadTokenEx + B 77C65E33 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtQueryAttributesFile + 6 77C65F3E 4 Bytes [A8, 00, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtQueryAttributesFile + B 77C65F43 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtQueryFullAttributesFile + B 77C65FF3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtSetInformationFile + 6 77C6663E 4 Bytes [28, 01, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtSetInformationFile + B 77C66643 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtSetInformationThread + 6 77C6669E 4 Bytes [28, 02, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtSetInformationThread + B 77C666A3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtUnmapViewOfSection + 6 77C669BE 1 Byte [68]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtUnmapViewOfSection + 6 77C669BE 4 Bytes [68, 03, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3156] ntdll.dll!NtUnmapViewOfSection + B 77C669C3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtCreateFile + 6 77C655CE 4 Bytes [28, 00, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtCreateFile + B 77C655D3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtMapViewOfSection + 6 77C65C2E 1 Byte [28]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtMapViewOfSection + 6 77C65C2E 4 Bytes [28, 03, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtMapViewOfSection + B 77C65C33 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtOpenFile + 6 77C65CDE 4 Bytes [68, 00, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtOpenFile + B 77C65CE3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtOpenProcess + 6 77C65D8E 4 Bytes [A8, 01, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtOpenProcess + B 77C65D93 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtOpenProcessToken + B 77C65DA3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtOpenProcessTokenEx + 6 77C65DAE 4 Bytes [A8, 02, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtOpenProcessTokenEx + B 77C65DB3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtOpenThread + 6 77C65E0E 4 Bytes [68, 01, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtOpenThread + B 77C65E13 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtOpenThreadToken + 6 77C65E1E 4 Bytes [68, 02, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtOpenThreadToken + B 77C65E23 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtOpenThreadTokenEx + B 77C65E33 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtQueryAttributesFile + 6 77C65F3E 4 Bytes [A8, 00, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtQueryAttributesFile + B 77C65F43 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtQueryFullAttributesFile + B 77C65FF3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtSetInformationFile + 6 77C6663E 4 Bytes [28, 01, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtSetInformationFile + B 77C66643 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtSetInformationThread + 6 77C6669E 4 Bytes [28, 02, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtSetInformationThread + B 77C666A3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtUnmapViewOfSection + 6 77C669BE 1 Byte [68]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtUnmapViewOfSection + 6 77C669BE 4 Bytes [68, 03, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3380] ntdll.dll!NtUnmapViewOfSection + B 77C669C3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtCreateFile + 6 77C655CE 4 Bytes [28, 00, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtCreateFile + B 77C655D3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtMapViewOfSection + 6 77C65C2E 1 Byte [28]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtMapViewOfSection + 6 77C65C2E 4 Bytes [28, 03, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtMapViewOfSection + B 77C65C33 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtOpenFile + 6 77C65CDE 4 Bytes [68, 00, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtOpenFile + B 77C65CE3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtOpenProcess + 6 77C65D8E 4 Bytes [A8, 01, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtOpenProcess + B 77C65D93 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtOpenProcessToken + B 77C65DA3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtOpenProcessTokenEx + 6 77C65DAE 4 Bytes [A8, 02, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtOpenProcessTokenEx + B 77C65DB3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtOpenThread + 6 77C65E0E 4 Bytes [68, 01, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtOpenThread + B 77C65E13 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtOpenThreadToken + 6 77C65E1E 4 Bytes [68, 02, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtOpenThreadToken + B 77C65E23 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtOpenThreadTokenEx + B 77C65E33 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtQueryAttributesFile + 6 77C65F3E 4 Bytes [A8, 00, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtQueryAttributesFile + B 77C65F43 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtQueryFullAttributesFile + B 77C65FF3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtSetInformationFile + 6 77C6663E 4 Bytes [28, 01, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtSetInformationFile + B 77C66643 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtSetInformationThread + 6 77C6669E 4 Bytes [28, 02, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtSetInformationThread + B 77C666A3 1 Byte [E2]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtUnmapViewOfSection + 6 77C669BE 1 Byte [68]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtUnmapViewOfSection + 6 77C669BE 4 Bytes [68, 03, 07, 00]
.text C:\Users\emily\AppData\Local\Google\Chrome\Application\chrome.exe[3600] ntdll.dll!NtUnmapViewOfSection + B 77C669C3 1 Byte [E2]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoDetachDevice] [89658DDC] \SystemRoot\System32\Drivers\spen.sys
IAT \SystemRoot\system32\drivers\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [89658E30] \SystemRoot\System32\Drivers\spen.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8962E042] \SystemRoot\System32\Drivers\spen.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8962E6D6] \SystemRoot\System32\Drivers\spen.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8962E800] \SystemRoot\System32\Drivers\spen.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8962E13E] \SystemRoot\System32\Drivers\spen.sys
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortNotification] 00147880
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortStallExecution] C25DC033
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortInitialize] 157B805E
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B
IAT \SystemRoot\System32\Drivers\ap5aq1v5.SYS[NTOSKRNL.exe!KeTickCount] 78801875

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\windows\system32\rundll32.exe[1932] @ C:\windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75CFFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\windows\system32\rundll32.exe[1932] @ C:\windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75CFFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\windows\system32\rundll32.exe[1932] @ C:\windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75CFFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\windows\system32\rundll32.exe[1932] @ C:\windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75CFFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\windows\system32\rundll32.exe[1932] @ C:\windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75CFFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\windows\system32\rundll32.exe[1932] @ C:\windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75CFFFF6] C:\windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 850441F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{DC2DEE52-D36B-4EF4-8DDA-CFDC640DE49D} 8625E1F8
Device \Driver\volmgr \Device\VolMgrControl 8503E1F8
Device \Driver\usbuhci \Device\USBPDO-0 8654A1F8
Device \Driver\usbuhci \Device\USBPDO-1 8654A1F8
Device \Driver\usbuhci \Device\USBPDO-2 8654A1F8
Device \Driver\usbehci \Device\USBPDO-3 8650B500
AttachedDevice \Driver\tdx \Device\Tcp Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
Device \Driver\usbuhci \Device\USBPDO-5 8654A1F8
Device \Driver\ACPI_HAL \Device\00000062 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-6 8654A1F8
Device \Driver\PCI_PNP7978 \Device\00000070 spen.sys
Device \Driver\volmgr \Device\HarddiskVolume1 8503E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\usbehci \Device\USBPDO-7 8650B500
Device \Driver\volmgr \Device\HarddiskVolume2 8503E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 861951F8
Device \Driver\volmgr \Device\HarddiskVolume3 8503E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 850411F8
Device \Driver\atapi \Device\Ide\IdePort0 850411F8
Device \Driver\atapi \Device\Ide\IdePort1 850411F8
Device \Driver\atapi \Device\Ide\IdePort2 850411F8
Device \Driver\atapi \Device\Ide\IdePort3 850411F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 850411F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 850421F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 850421F8
Device \Driver\msahci \Device\Ide\PciIde0Channel4 850421F8
Device \Driver\msahci \Device\Ide\PciIde0Channel5 850421F8
Device \Driver\cdrom \Device\CdRom1 861951F8
Device \Driver\cdrom \Device\CdRom2 861951F8
Device \Driver\volmgr \Device\HarddiskVolume4 8503E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume5 8503E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{D21F4D90-462F-4E99-9984-4DF63E7A3E62} 8625E1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8625E1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\013505231d5d
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\013505231d5d@1886ace63984 0x36 0x96 0x47 0x41 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBE 0x5F 0x57 0x6B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x99 0x3B 0x90 0x48 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x82 0xD9 0x6A 0xB1 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@FrequencyCorrectRate 4
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@PollAdjustFactor 5
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@LargePhaseOffset 50000000
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@SpikeWatchPeriod 900
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@LocalClockDispersion 10
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@HoldPeriod 5
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@PhaseCorrectRate 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@UpdateInterval 360000
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@EventLogFlags 2
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@AnnounceFlags 10
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@TimeJumpAuditOffset 28800
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MinPollInterval 10
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxPollInterval 15
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxNegPhaseCorrection 54000
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxPosPhaseCorrection 54000
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\Config@MaxAllowedPhaseOffset 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@DllName %systemroot%\system32\w32time.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@Enabled 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@InputProvider 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@AllowNonstandardModeCombinations 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@CrossSiteSyncFlags 2
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMinutes 15
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMaxTimes 7
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@CompatibilityFlags -2147483648
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@EventLogFlags 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@LargeSampleSkew 3
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@SpecialPollInterval 604800
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time.windows.com,7b9dc3c???????????
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@DllName %systemroot%\system32\w32time.dll
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@Enabled 0
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@InputProvider 0
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@AllowNonstandardModeCombinations 1
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@EventLogFlags 0
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainEntryTimeout 16
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainMaxEntries 128
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainMaxHostEntries 4
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainDisable 0
Reg HKLM\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer@ChainLoggingRate 30
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\013505231d5d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\013505231d5d@1886ace63984 0x36 0x96 0x47 0x41 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBE 0x5F 0x57 0x6B ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x99 0x3B 0x90 0x48 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x82 0xD9 0x6A 0xB1 ...
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@FrequencyCorrectRate 4
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@PollAdjustFactor 5
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@LargePhaseOffset 50000000
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@SpikeWatchPeriod 900
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@LocalClockDispersion 10
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@HoldPeriod 5
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@PhaseCorrectRate 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@UpdateInterval 360000
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@EventLogFlags 2
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@AnnounceFlags 10
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@TimeJumpAuditOffset 28800
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MinPollInterval 10
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxPollInterval 15
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxNegPhaseCorrection 54000
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxPosPhaseCorrection 54000
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\Config@MaxAllowedPhaseOffset 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@DllName %systemroot%\system32\w32time.dll
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@Enabled 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@InputProvider 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@AllowNonstandardModeCombinations 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@CrossSiteSyncFlags 2
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMinutes 15
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@ResolvePeerBackoffMaxTimes 7
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@CompatibilityFlags -2147483648
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@EventLogFlags 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@LargeSampleSkew 3
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@SpecialPollInterval 604800
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpClient@SpecialPollTimeRemaining time.windows.com,7b9dc3c???????????
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@DllName %systemroot%\system32\w32time.dll
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@Enabled 0
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@InputProvider 0
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@AllowNonstandardModeCombinations 1
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@EventLogFlags 0
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainEntryTimeout 16
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainMaxEntries 128
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainMaxHostEntries 4
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainDisable 0
Reg HKLM\SYSTEM\ControlSet002\services\W32Time\TimeProviders\NtpServer@ChainLoggingRate 30

---- EOF - GMER 1.0.15 ----