GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-16 21:19:17
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3250410AS rev.3.AAA
Running: qq69z426.exe; Driver: C:\DOCUME~1\Maciek\USTAWI~1\Temp\pfwiiaow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xF4530610]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xF4530C10]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xF4530730]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xF45304B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xF4530570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xF45306D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xF4530790]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xF4530690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xF4530650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xF45307D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xF4530510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xF4530590]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xF45304D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xF45305D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xF4530750]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6D3D360, 0x24526E, 0xE8000020]
.INIT C:\WINDOWS\System32\drivers\afd.sys entry point in ".INIT" section [0xF442F422]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1328] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2236] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 012AB750 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2236] CRYPT32.dll!CryptMsgCountersignEncoded + 27A 77A82F52 7 Bytes JMP 356753FE C:\WINDOWS\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
? C:\WINDOWS\system32\svchost.exe[2700] image checksum mismatch; number of sections mismatch; time/date stamp mismatch;
? C:\WINDOWS\system32\svchost.exe[2756] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: DNSAPI.dllunknown module: gdiplus.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] 57EC8B55
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 00087D83
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 20EB0275
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] 8A087D8B
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] E08A0C45
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] E0C15066
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 8B586610
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenProcessToken] E9C1104D
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenThreadToken] ABF2FC02
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 83104D8B
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] AAF203E1
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegCloseKey] CCC35D5F
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] 000000E8
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 00255800
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] EB000100
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrlenW] CCCCC3F2
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalFree] CCCCCCCC
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcess] 53EC8B55
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThread] 558B5756
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcAddress] 8BDA8B08
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] FA033C7A
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LCMapStringW] 20738B18
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!FreeLibrary] 03247B8B
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcpyW] FCFA03F2
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 0C6D8B55
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpiW] 96C203AD
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExitProcess] 3351FD87
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCommandLineW] 0FC180C9
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] 0C72A6F3
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcessHeap] FD875996
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetErrorMode] 47471774
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] 23EBE6E2
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] BE66F633
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 8166EEC5
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] 2BEEB6EE
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] EBFE2BF1
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetTickCount] 66C033E3
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] E0C1078B
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 1C738B02
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] F003F203
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!TerminateProcess] 5DC203AD
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] [5D5B5E5F] C:\WINDOWS\system32\comctl32.dll (Common Controls Library/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalAlloc] CCCCCCC3
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpW] CCCCCCCC
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] CCCCCCCC
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtQuerySecurityObject] 64C03356
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlFreeHeap] 000030A1
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] 0C408B00
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscat] AD1C708B
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscpy] 5E08408B
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlAllocateHeap] CCCCCCC3
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] CCCCCCCC
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitUnicodeString] CCCCCCCC
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitializeSid] 83EC8B55
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 4CA14CEC
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] 89044020
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] 0D8BE445
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] [04402050] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] 8BE84D89
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] 40205415
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetAce] EC558904
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlImageNtHeader] 2058A166
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcslen] 89660440
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 0D8AF045
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCopySid] [0440205A] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] FFFFFFA8
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 68CC4589
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] [0440205C] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] 52CC558B
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerListen] FFFF17E8
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 08C483FF
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] C7D84589
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 0000DC45
IAT C:\WINDOWS\system32\svchost.exe[2700] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 458D0000
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] [77DCF00C] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] [77DEC238] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] [77DC798B] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] [77DC6C27] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] [77DC7ABB] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] [77DC7852] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!GetTokenInformation] [77DCEAE7] C:\WINDOWS\system32\ADVAPI32.dll (Advanced Windows 32 Base API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 00000000
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenThreadToken] [76F26C80] C:\WINDOWS\system32\DNSAPI.dll (DNS Client API DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetServiceStatus] [76F24DF2] C:\WINDOWS\system32\DNSAPI.dll (DNS Client API DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] [76F15B12] C:\WINDOWS\system32\DNSAPI.dll (DNS Client API DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegCloseKey] 00000000
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] [77F1EF1C] C:\WINDOWS\system32\GDI32.dll (GDI Client DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] 00000000
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] [7C80A530] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrlenW] [7C838A3C] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalFree] [7C80D302] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcess] [7C812847] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThread] [7C8099B5] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcAddress] [7C812F16] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7C92AA79] C:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LCMapStringW] [7C90FE30] C:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!FreeLibrary] [7C809806] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcpyW] [7C809C65] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] [7C80BE56] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpiW] [7C812FBD] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExitProcess] [7C81127A] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCommandLineW] [7C802446] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InitializeCriticalSection] [7C8106D7] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcessHeap] [7C8097D0] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetErrorMode] [7C80E9DF] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] [7C809F91] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] [7C809BE7] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] [7C80EABB] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [7C81CB12] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] [7C80C0F8] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetTickCount] [7C81CB3B] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] [7C82FC08] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] [7C830D7C] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] [7C809AA9] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!TerminateProcess] [7C809EA1] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] [7C80BB41] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalAlloc] [7C90FE21] C:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpW] [7C80934A] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] [7C810E27] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtQuerySecurityObject] [7C821982] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlFreeHeap] [7C80AC61] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [7C812C56] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscat] [7C90FF2D] C:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscpy] [7C809F19] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlAllocateHeap] [7C901000] C:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCompareUnicodeString] [7C9010E0] C:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitUnicodeString] [7C9100C4] C:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitializeSid] [7C918477] C:\WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] [7C809B12] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] [7C8104CC] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [7C802213] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] [7C801E1A] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor] [7C80236B] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlQueryInformationAcl] [7C814B92] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetAce] [7C801A28] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlImageNtHeader] [7C80AC7E] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcslen] [7C80AE40] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] [7C801D7B] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCopySid] [7C80B741] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] [7C809AF1] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] [7C809B84] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] [7C8017E9] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] [7C801D53] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerListen] [7C810BBC] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] [7C8350EF] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] [7C834D71] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] [7C80BEA1] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[2756] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] [7C814F8A] C:\WINDOWS\system32\kernel32.dll (Biblioteka DLL klienta Windows NT BASE API/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F7647000-F7656000 (61440 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:536] 85EFF540
Thread System [4:540] 85EFF540

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB6104$\1450607790 0 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302 0 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\L 0 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\L\rhjrauyj 138496 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\loader.tlb 2632 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\U 0 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\U\@00000001 45968 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\U\@000000c0 3072 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\U\@000000cb 3072 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\U\@80000000 73216 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\U\@800000c0 41984 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\U\@800000cb 24576 bytes
File C:\WINDOWS\$NtUninstallKB6104$\4178645302\U\@800000cf 31232 bytes

---- EOF - GMER 1.0.15 ----