GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-31 12:56:56
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3500630AS rev.3.AAK
Running: yskdexu8.exe; Driver: C:\Users\MATEUS~1\AppData\Local\Temp\ugtiafog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwSaveKey + 13C1  82A4A3D9 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  82A83D52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
?  System32\drivers\xyjkaj.sys  System nie może odnaleźć określonej ścieżki. !
?  System32\Drivers\spno.sys  System nie może odnaleźć określonej ścieżki. !
.text  tdx.sys  88C00300 1415 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text  tdx.sys  88C0088C 333 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text  tdx.sys  88C009DB 197 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text  tdx.sys  88C00AA4 1372 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text  tdx.sys  88C01006 6 Bytes  [8B, FF, 55, 8B, EC, 6A]
.text  ...
.INIT  C:\Windows\system32\DRIVERS\tdx.sys  entry point in ".INIT" section [0x88C0E622]
?  C:\Windows\system32\DRIVERS\tdx.sys  suspicious PE modification
.text  USBPORT.SYS!DllUnload  9411CDB9 5 Bytes  JMP 8606F1D8
.text  a1rdl325.SYS  94174000 12 Bytes  [44, 38, E2, 82, EE, 36, E2, ...]
.text  a1rdl325.SYS  9417400D 9 Bytes  [17, E2, 82, 48, 3B, E2, 82, ...] {POP SS; LOOP 0xffffffffffffff85; DEC EAX; CMP ESP, EDX; ADD BYTE [EAX], 0x0}
.text  a1rdl325.SYS  94174017 170 Bytes  [00, DE, 17, DA, 88, E6, 15, ...]
.text  a1rdl325.SYS  941740C3 8 Bytes  [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text  a1rdl325.SYS  941740CE 4 Bytes  [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text  ...

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] kernel32.dll!GetTempFileNameW  75F87039 5 Bytes  JMP 10002040 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] kernel32.dll!CreateFileW  75F9E8A5 5 Bytes  JMP 10001D10 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!UnhookWindowsHookEx  7646ADF9 5 Bytes  JMP 72B8D927 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!SetWindowsHookExW  7646E30C 5 Bytes  JMP 72B27DF1 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!CreateDialogParamA  76481F42 5 Bytes  JMP 05A3D020 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!TrackPopupMenu  76482228 5 Bytes  JMP 05A3C180 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!DialogBoxParamW  76483B9B 5 Bytes  JMP 05A3D200 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!DialogBoxIndirectParamW  76493B7F 5 Bytes  JMP 72C9DEC8 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!TrackPopupMenuEx  76494832 5 Bytes  JMP 05A3C2E0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!CreateDialogParamW  76495630 5 Bytes  JMP 05A3CEA0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!DialogBoxParamA  764ACF42 5 Bytes  JMP 05A3D110 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!DialogBoxIndirectParamA  764AD274 5 Bytes  JMP 72C9DF2B C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!MessageBoxIndirectA  764BE869 5 Bytes  JMP 72C9DDFA C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!MessageBoxIndirectW  764BE963 5 Bytes  JMP 72C9DD8F C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!MessageBoxExA  764BE9C9 5 Bytes  JMP 72C9DD2D C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!MessageBoxExW  764BE9ED 5 Bytes  JMP 72C9DCCB C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!MessageBoxA  764BEA11 5 Bytes  JMP 05A3D380 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] USER32.dll!MessageBoxW  764BEA5F 5 Bytes  JMP 05A3D460 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] ole32.dll!OleLoadFromStream  76036143 5 Bytes  JMP 72C9E226 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] CRYPT32.dll!CryptImportPublicKeyInfoEx + 98  75C16CCA 7 Bytes  JMP 35675637 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4240] CRYPT32.dll!I_CryptEnumMatchingLruEntries + D5D  75C1CADD 7 Bytes  JMP 35675697 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] kernel32.dll!GetTempFileNameW  75F87039 5 Bytes  JMP 10002040 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] kernel32.dll!CreateFileW  75F9E8A5 5 Bytes  JMP 10001D10 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] ADVAPI32.dll!RegSetValueExA  765414B3 5 Bytes  JMP 082FCC10 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] ADVAPI32.dll!RegSetValueExW  765414D6 5 Bytes  JMP 082FCCD0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] ADVAPI32.dll!RegSetValueW  7655A68A 5 Bytes  JMP 082FCB50 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] ADVAPI32.dll!RegSetValueA  76590E41 5 Bytes  JMP 082FCA90 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!CreateDialogParamA  76481F42 5 Bytes  JMP 082FD020 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!TrackPopupMenu  76482228 5 Bytes  JMP 082FC180 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!DialogBoxParamW  76483B9B 5 Bytes  JMP 082FD200 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!DialogBoxIndirectParamW  76493B7F 5 Bytes  JMP 72C9DEC8 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!TrackPopupMenuEx  76494832 5 Bytes  JMP 082FC2E0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!CreateDialogParamW  76495630 5 Bytes  JMP 082FCEA0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!DialogBoxParamA  764ACF42 5 Bytes  JMP 082FD110 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!DialogBoxIndirectParamA  764AD274 5 Bytes  JMP 72C9DF2B C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!MessageBoxIndirectA  764BE869 5 Bytes  JMP 72C9DDFA C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!MessageBoxIndirectW  764BE963 5 Bytes  JMP 72C9DD8F C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!MessageBoxExA  764BE9C9 5 Bytes  JMP 72C9DD2D C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!MessageBoxExW  764BE9ED 5 Bytes  JMP 72C9DCCB C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!MessageBoxA  764BEA11 5 Bytes  JMP 082FD380 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] USER32.dll!MessageBoxW  764BEA5F 5 Bytes  JMP 082FD460 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] CRYPT32.dll!CryptImportPublicKeyInfoEx + 98  75C16CCA 7 Bytes  JMP 35675637 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4528] CRYPT32.dll!I_CryptEnumMatchingLruEntries + D5D  75C1CADD 7 Bytes  JMP 35675697 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] kernel32.dll!GetTempFileNameW  75F87039 5 Bytes  JMP 10002040 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] kernel32.dll!CreateFileW  75F9E8A5 5 Bytes  JMP 10001D10 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!UnhookWindowsHookEx  7646ADF9 5 Bytes  JMP 72B8D927 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!SetWindowsHookExW  7646E30C 5 Bytes  JMP 72B27DF1 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!CreateDialogParamA  76481F42 5 Bytes  JMP 0555D020 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!TrackPopupMenu  76482228 5 Bytes  JMP 0555C180 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!DialogBoxParamW  76483B9B 5 Bytes  JMP 0555D200 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!DialogBoxIndirectParamW  76493B7F 5 Bytes  JMP 72C9DEC8 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!TrackPopupMenuEx  76494832 5 Bytes  JMP 0555C2E0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!CreateDialogParamW  76495630 5 Bytes  JMP 0555CEA0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!DialogBoxParamA  764ACF42 5 Bytes  JMP 0555D110 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!DialogBoxIndirectParamA  764AD274 5 Bytes  JMP 72C9DF2B C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!MessageBoxIndirectA  764BE869 5 Bytes  JMP 72C9DDFA C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!MessageBoxIndirectW  764BE963 5 Bytes  JMP 72C9DD8F C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!MessageBoxExA  764BE9C9 5 Bytes  JMP 72C9DD2D C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!MessageBoxExW  764BE9ED 5 Bytes  JMP 72C9DCCB C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!MessageBoxA  764BEA11 5 Bytes  JMP 0555D380 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] USER32.dll!MessageBoxW  764BEA5F 5 Bytes  JMP 0555D460 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] ole32.dll!OleLoadFromStream  76036143 5 Bytes  JMP 72C9E226 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] CRYPT32.dll!CryptImportPublicKeyInfoEx + 98  75C16CCA 7 Bytes  JMP 35675637 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4924] CRYPT32.dll!I_CryptEnumMatchingLruEntries + D5D  75C1CADD 7 Bytes  JMP 35675697 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] kernel32.dll!GetTempFileNameW  75F87039 5 Bytes  JMP 10002040 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] kernel32.dll!CreateFileW  75F9E8A5 5 Bytes  JMP 10001D10 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!UnhookWindowsHookEx  7646ADF9 5 Bytes  JMP 72B8D927 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!SetWindowsHookExW  7646E30C 5 Bytes  JMP 72B27DF1 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!CreateDialogParamA  76481F42 5 Bytes  JMP 0547D020 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!TrackPopupMenu  76482228 5 Bytes  JMP 0547C180 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!DialogBoxParamW  76483B9B 5 Bytes  JMP 0547D200 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!DialogBoxIndirectParamW  76493B7F 5 Bytes  JMP 72C9DEC8 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!TrackPopupMenuEx  76494832 5 Bytes  JMP 0547C2E0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!CreateDialogParamW  76495630 5 Bytes  JMP 0547CEA0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!DialogBoxParamA  764ACF42 5 Bytes  JMP 0547D110 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!DialogBoxIndirectParamA  764AD274 5 Bytes  JMP 72C9DF2B C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!MessageBoxIndirectA  764BE869 5 Bytes  JMP 72C9DDFA C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!MessageBoxIndirectW  764BE963 5 Bytes  JMP 72C9DD8F C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!MessageBoxExA  764BE9C9 5 Bytes  JMP 72C9DD2D C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!MessageBoxExW  764BE9ED 5 Bytes  JMP 72C9DCCB C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!MessageBoxA  764BEA11 5 Bytes  JMP 0547D380 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] USER32.dll!MessageBoxW  764BEA5F 5 Bytes  JMP 0547D460 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] ole32.dll!OleLoadFromStream  76036143 5 Bytes  JMP 72C9E226 C:\Windows\system32\IEFRAME.dll (Przeglądarka internetowa/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] CRYPT32.dll!CryptImportPublicKeyInfoEx + 98  75C16CCA 7 Bytes  JMP 35675637 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5104] CRYPT32.dll!I_CryptEnumMatchingLruEntries + D5D  75C1CADD 7 Bytes  JMP 35675697 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [88CA5042] \SystemRoot\System32\Drivers\spno.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [88CA56D6] \SystemRoot\System32\Drivers\spno.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [88CA5800] \SystemRoot\System32\Drivers\spno.sys
IAT  \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [88CA513E] \SystemRoot\System32\Drivers\spno.sys
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortNotification]  00147880
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortQuerySystemTime]  78800C75
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortReadPortUchar]  06750015
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortStallExecution]  C25DC033
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortWritePortUchar]  458B0008
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortWritePortUlong]  6A006A08
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortGetPhysicalAddress]  50056A24
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong]  005AB7E8
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortGetScatterGatherList]  0001B800
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortGetParentBusType]  C25D0000
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortRequestCallback]  CCCC0008
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortWritePortBufferUshort]  CCCCCCCC
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortGetUnCachedExtension]  CCCCCCCC
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortCompleteRequest]  CCCCCCCC
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortCopyMemory]  53EC8B55
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortEtwTraceLog]  800C5D8B
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests]  7500117B
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb]  127B806A
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb]  80647500
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortReadPortBufferUshort]  7500137B
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortInitialize]  157B805E
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortGetDeviceBase]  56587500
IAT  \SystemRoot\System32\Drivers\a1rdl325.SYS[ataport.SYS!AtaPortDeviceStateChange]  8008758B

---- Devices - GMER 1.0.15 ----

Device  \FileSystem\Ntfs \Ntfs  84C9C1F8
Device  \FileSystem\fastfat \FatCdrom  86D2E1F8
Device  \Driver\ACPI_HAL \Device\00000041  halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device  \Driver\volmgr \Device\VolMgrControl  84C981F8
Device  \Driver\usbuhci \Device\USBPDO-0  860741F8
Device  \Driver\usbuhci \Device\USBPDO-1  860741F8
Device  \Driver\usbuhci \Device\USBPDO-2  860741F8
Device  \Driver\usbehci \Device\USBPDO-3  863D0500
Device  \Driver\usbuhci \Device\USBPDO-4  860741F8
Device  \Driver\tdx \Device\Tcp  [88C0BFAA] \SystemRoot\system32\DRIVERS\tdx.sys[.data]
Device  \Driver\usbuhci \Device\USBPDO-5  860741F8
Device  \Driver\PCI_PNP2206 \Device\00000049  spno.sys
Device  \Driver\usbuhci \Device\USBPDO-6  860741F8
Device  \Driver\volmgr \Device\HarddiskVolume1  84C981F8
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device  \Driver\usbehci \Device\USBPDO-7  863D0500
Device  \Driver\volmgr \Device\HarddiskVolume2  84C981F8
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device  \Driver\cdrom \Device\CdRom0  85CE61F8
Device  \Driver\USBSTOR \Device\00000065  85FD11F8
Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0  84C9A1F8
Device  \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2  84C9A1F8
Device  \Driver\atapi \Device\Ide\IdePort0  84C9A1F8
Device  \Driver\atapi \Device\Ide\IdePort1  84C9A1F8
Device  \Driver\atapi \Device\Ide\IdePort2  84C9A1F8
Device  \Driver\atapi \Device\Ide\IdePort3  84C9A1F8
Device  \Driver\atapi \Device\Ide\IdePort4  84C9A1F8
Device  \Driver\atapi \Device\Ide\IdePort5  84C9A1F8
Device  \Driver\volmgr \Device\HarddiskVolume3  84C981F8
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device  \Driver\cdrom \Device\CdRom1  85CE61F8
Device  \Driver\USBSTOR \Device\00000066  85FD11F8
Device  \Driver\sptd \Device\3140834207  spno.sys
Device  \Driver\NetBT \Device\NetBT_Tcpip_{053A71A4-8B57-4DD9-999C-445E18FEA938}  863A9500
Device  \Driver\NetBT \Device\NetBt_Wins_Export  863A9500
Device  \Driver\tdx \Device\Udp  [88C0BFAA] \SystemRoot\system32\DRIVERS\tdx.sys[.data]
Device  \Driver\tdx \Device\RawIp  [88C0BFAA] \SystemRoot\system32\DRIVERS\tdx.sys[.data]
Device  \Driver\usbuhci \Device\USBFDO-0  860741F8
Device  \Driver\usbuhci \Device\USBFDO-1  860741F8
Device  \Driver\usbuhci \Device\USBFDO-2  860741F8
Device  \Driver\usbehci \Device\USBFDO-3  863D0500
Device  \Driver\usbuhci \Device\USBFDO-4  860741F8
Device  \Driver\usbuhci \Device\USBFDO-5  860741F8
Device  \Driver\usbuhci \Device\USBFDO-6  860741F8
Device  \Driver\usbehci \Device\USBFDO-7  863D0500
Device  \Driver\a1rdl325 \Device\Scsi\a1rdl3251Port6Path0Target0Lun0  860B01F8
Device  \Driver\a1rdl325 \Device\Scsi\a1rdl3251  860B01F8
Device  \FileSystem\fastfat \Fat  86D2E1F8
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- Modules - GMER 1.0.15 ----

Module  (noname) (*** hidden *** )  88DEB000-88DFA000 (61440 bytes)

---- Threads - GMER 1.0.15 ----

Thread  System [4:276]  8609C540
Thread  System [4:280]  8609C540

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2  285507792
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xBA 0xF2 0xF4 0x3A ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0x93 0xE7 0x9B 0x2D ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0x5D 0x6E 0xD0 0x28 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xBA 0xF2 0xF4 0x3A ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0x93 0xE7 0x9B 0x2D ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0x5D 0x6E 0xD0 0x28 ...

---- Files - GMER 1.0.15 ----

File  C:\Users\Mateusz Laskowski\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QLL40LAF\ft[8]  0 bytes
File  C:\Users\Mateusz Laskowski\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\QLL40LAF\pt[1]  19548 bytes
File  C:\Users\Mateusz Laskowski\AppData\Local\Mozilla\Firefox\Profiles\4a39a94e.default\Cache\F\83\89DACd01  2607 bytes
File  C:\Users\Mateusz Laskowski\AppData\Local\Mozilla\Firefox\Profiles\4a39a94e.default\Cache\F\3A\F9873d01  6578 bytes
File  C:\Users\Mateusz Laskowski\AppData\Local\Mozilla\Firefox\Profiles\4a39a94e.default\Cache\F\57\6373Bd01  5166 bytes
File  C:\Users\Mateusz Laskowski\AppData\Local\Mozilla\Firefox\Profiles\4a39a94e.default\Cache\F\29\03185d01  7461 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576  0 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\@  2048 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\L  0 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\L\xadqgnnk  74752 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\loader.tlb  2632 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\U  0 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\U\@00000001  45968 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\U\@000000c0  2560 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\U\@000000cb  704 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\U\@000000cf  1536 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\U\@80000000  73728 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\U\@800000c0  43008 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\U\@800000cb  25600 bytes
File  C:\Windows\$NtUninstallKB23224$\1324870576\U\@800000cf  31232 bytes
File  C:\Windows\$NtUninstallKB23224$\1468443894  0 bytes

---- EOF - GMER 1.0.15 ----