GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-29 14:05:05
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD2500BEVE-00WZT0 rev.01.01A01
Running: iux725lo.exe; Driver: C:\DOCUME~1\Piotr\USTAWI~1\Temp\uwldqpow.sys

---- System - GMER 1.0.15 ----

SSDT 89264C90 ZwAssignProcessToJobObject
SSDT sptd.sys ZwCreateKey [0xF72AEA50]
SSDT 89265200 ZwDebugActiveProcess
SSDT 892652F0 ZwDuplicateObject
SSDT sptd.sys ZwEnumerateKey [0xF72E2FFE]
SSDT sptd.sys ZwEnumerateValueKey [0xF72E338C]
SSDT sptd.sys ZwOpenKey [0xF72AEA30]
SSDT 89264590 ZwOpenProcess
SSDT 89264800 ZwOpenThread
SSDT 89264FD0 ZwProtectVirtualMemory
SSDT sptd.sys ZwQueryKey [0xF72E3464]
SSDT sptd.sys ZwQueryValueKey [0xF72E32E4]
SSDT 892650E0 ZwQueueApcThread
SSDT 89264EC0 ZwSetContextThread
SSDT 89264D90 ZwSetInformationThread
SSDT 89261DA0 ZwSetSecurityObject
SSDT sptd.sys ZwSetValueKey [0xF72E34F6]
SSDT 89264B90 ZwSuspendProcess
SSDT 89264A80 ZwSuspendThread
SSDT 892646E0 ZwTerminateProcess
SSDT 89264A50 ZwTerminateThread
SSDT 892656D0 ZwWriteVirtualMemory

INT 0x62 ? 8A541CC8
INT 0x74 ? 8A4BBCC8
INT 0x94 ? 8A4BBCC8
INT 0xA4 ? 8A4BBCC8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2420 80501C30 4 Bytes JMP E47CF72A
.text ntkrnlpa.exe!ZwCallbackReturn + 2558 80501D68 4 Bytes JMP E1E8F72A
.text sptd.sys F7274000 32 Bytes [5E, 87, 6D, 80, 20, 37, 6D, ...]
.text sptd.sys F7274024 4 Bytes [74, 6F, 26, F7]
.text sptd.sys F727402C 160 Bytes [0E, 7F, 5D, 80, 48, F2, 5D, ...]
.text sptd.sys F72740CD 263 Bytes [5F, 53, 80, 26, 28, 53, 80, ...]
.text sptd.sys F72741E4 4 Bytes [79, 62, 73, 4C] {JNS 0x64; JAE 0x50}
.text ...
.sptd2 C:\WINDOWSH\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF736BD38]
? C:\WINDOWSH\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F6F4A8AC 5 Bytes JMP 8A4BB1D8
init C:\WINDOWSH\system32\drivers\senfilt.sys entry point in "init" section [0xF6C2D900]
.text avnzl79s.SYS F6A55306 74 Bytes [00, 00, 00, 40, 03, 00, 40, ...]
.text avnzl79s.SYS F6A55351 87 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text avnzl79s.SYS F6A553A9 10 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text avnzl79s.SYS F6A553B4 34 Bytes [40, 00, 00, C8, 50, 41, 47, ...]
.text avnzl79s.SYS F6A553D7 1 Byte [00]
.text ...
.text C:\Program Files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl section is writeable [0xA96CD000, 0x2BE8, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD11\Common\NavFilter\000.fcl entry point in ".vmp2" section [0xA96EF666]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1892] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0116A6B4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2172] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 01408537 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2172] kernel32.dll!MapViewOfFile 7C80B9A5 5 Bytes JMP 01408510 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2172] GDI32.dll!CreateDIBSection 77F19E19 5 Bytes JMP 0140849A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3832] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 104335CE C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3832] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 10433BCD C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWSH\System32\Drivers\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F7275574] sptd.sys
IAT \WINDOWSH\System32\Drivers\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F72750C0] sptd.sys
IAT \WINDOWSH\System32\Drivers\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F7275FE0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72750C0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7275362] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72752A4] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72761BC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F7275FE0] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F728A312] sptd.sys
IAT \SystemRoot\System32\Drivers\avnzl79s.SYS[HAL.dll!KeGetCurrentIrql] 830C4D8A
IAT \SystemRoot\System32\Drivers\avnzl79s.SYS[HAL.dll!KfAcquireSpinLock] 0001CCB8
IAT \SystemRoot\System32\Drivers\avnzl79s.SYS[HAL.dll!KfReleaseSpinLock] 48880000
IAT \SystemRoot\System32\Drivers\avnzl79s.SYS[HAL.dll!KfRaiseIrql] C0940F68
IAT \SystemRoot\System32\Drivers\avnzl79s.SYS[HAL.dll!KfLowerIrql] 8B55C35D
IAT \SystemRoot\System32\Drivers\avnzl79s.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] 458D5653
IAT \SystemRoot\system32\DRIVERS\ipsec.sys[NDIS.SYS!NdisInitializeTimer] [AA73C8E0] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [AA73C289] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AA73DE90] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisAllocatePacketPoolEx] [AA73C890] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [AA73E221] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisReturnPackets] [AA73BDF0] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[TDI.SYS!TdiRegisterDeviceObject] [F798DD56] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisReturnPackets] [AA73BDF0] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [AA73C5A9] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisAllocatePacketPoolEx] [AA73C890] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [AA73E221] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [AA73DE90] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [AA73C289] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\netbt.sys[TDI.SYS!TdiRegisterDeviceObject] [F798DD56] BMLoad.sys (Bytemobile Kernel Driver Loader/Bytemobile, Inc.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisCloseAdapter] [AA73C289] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [AA73DE90] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisInitializeTimer] [AA73C8E0] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisAllocatePacketPool] [AA73C850] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisDeregisterProtocol] [AA73C5A9] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisRegisterProtocol] [AA73E221] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisReturnPackets] [AA73BDF0] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisAllocatePacketPoolEx] [AA73C890] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [AA73E221] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [AA73C5A9] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [AA73C289] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [AA73DE90] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSH\Explorer.EXE[472] @ C:\WINDOWSH\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\RPCRT4.dll [ADVAPI32.dll!OpenServiceW] [594307BA] C:\WINDOWSH\AppPatch\AcGenral.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\SHELL32.dll [ADVAPI32.dll!ControlService] [594307DD] C:\WINDOWSH\AppPatch\AcGenral.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\SHELL32.dll [ADVAPI32.dll!OpenServiceW] [594307BA] C:\WINDOWSH\AppPatch\AcGenral.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\CRYPT32.dll [ADVAPI32.dll!OpenServiceW] [594307BA] C:\WINDOWSH\AppPatch\AcGenral.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\CRYPT32.dll [ADVAPI32.dll!ControlService] [594307DD] C:\WINDOWSH\AppPatch\AcGenral.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\netapi32.dll [ADVAPI32.dll!OpenServiceA] [59430797] C:\WINDOWSH\AppPatch\AcGenral.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\netapi32.dll [ADVAPI32.dll!ControlService] [594307DD] C:\WINDOWSH\AppPatch\AcGenral.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\netapi32.dll [ADVAPI32.dll!OpenServiceW] [594307BA] C:\WINDOWSH\AppPatch\AcGenral.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT C:\Program Files\Intel\Wireless\Bin\ZcfgSvc.exe[1812] @ C:\WINDOWSH\system32\netapi32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSH\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A5401F8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\usbuhci \Device\USBPDO-0 8A46B1F8
Device \Driver\usbuhci \Device\USBPDO-1 8A46B1F8
Device \Driver\usbuhci \Device\USBPDO-2 8A46B1F8
Device \Driver\usbuhci \Device\USBPDO-3 8A46B1F8
Device \Driver\usbehci \Device\USBPDO-4 8A48B1F8
AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.sys (Bytemobile Kernel Network Provider/Bytemobile, Inc.)
Device \Driver\Cdrom \Device\CdRom0 8A2CB1F8
Device \Driver\atapi \Device\Ide\IdePort0 [F71CFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F71CFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F71CFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBT_Tcpip_{CD527DB0-48EE-4BB9-BDB4-93CD94854FBE} 8920F1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C4643C14-3AB0-43F8-B764-B5D4E835A35C} 8920F1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8920F1F8
Device \Driver\NetBT \Device\NetbiosSmb 8920F1F8
Device \Driver\usbuhci \Device\USBFDO-0 8A46B1F8
Device \Driver\usbuhci \Device\USBFDO-1 8A46B1F8
Device \Driver\PCI_PNP2398 \Device\0000006d sptd.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 891ED1F8
Device \Driver\usbuhci \Device\USBFDO-2 8A46B1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 891ED1F8
Device \Driver\usbuhci \Device\USBFDO-3 8A46B1F8
Device \Driver\usbehci \Device\USBFDO-4 8A48B1F8
Device \Driver\avnzl79s \Device\Scsi\avnzl79s1 8A2AB1F8
Device \FileSystem\Cdfs \Cdfs 891CD430

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x71 0x8E 0xBD 0xAA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8F 0x4A 0xC1 0x46 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x71 0x8E 0xBD 0xAA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8F 0x4A 0xC1 0x46 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0C 0x2E 0x0D 0xA6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8C 0x4B 0x17 0x34 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWSH\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWSH\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWSH\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0xFF 0x7C 0x85 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWSH\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWSH\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWSH\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWSH\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWSH\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x83 0x6C 0x56 0x8B ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWSH\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWSH\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x37 0xA4 0xAA 0xC3 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWSH\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWSH\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{27AD7900-2F95-29F6-9182-215ADE2B8211}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{27AD7900-2F95-29F6-9182-215ADE2B8211}@nalgkgdnbjijdajncjeoecpjdncb 0x6A 0x61 0x63 0x6C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{27AD7900-2F95-29F6-9182-215ADE2B8211}@oabgamafiffbbiclffmfabclbicnnk 0x6A 0x61 0x63 0x6C ...

---- EOF - GMER 1.0.15 ----
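The log above is raw tool output with no triage attached. The script below is an added example, not part of the original log and not GMER's own code, that parses GMER's SSDT, IAT, .text and Device lines and splits the hooks into two bins: those GMER could attribute to a named module (in this log sptd.sys, tgbvpn.sys, eamon.sys and xul.dll carry names and vendor strings) and those that resolve only to a raw address (the SSDT entries at 8926xxxx, the JMPs out of ntkrnlpa.exe and USBPORT.SYS, the avnzl79s.SYS import slots). A raw address in a GMER line means only that GMER could not map it to a loaded module; it is the list you have to check against the loaded-driver list by hand before concluding anything. The sample input is a handful of entries copied from the log above, embedded inline so the script runs offline; the regular expressions are this example's own reading of the line layout, not a published grammar, and may need adjusting for GMER lines not represented here.

```python
"""Triage helper for GMER rootkit-scan output (added example, not GMER's code).

Splits hook entries into those attributed to a named module and those that
resolve only to a raw address and therefore need manual correlation.
"""
import re
from collections import defaultdict

# Constructed sample: entries copied from the GMER log above, one per line.
SAMPLE_LOG = r"""
SSDT 89264C90 ZwAssignProcessToJobObject
SSDT sptd.sys ZwCreateKey [0xF72AEA50]
SSDT 89264590 ZwOpenProcess
SSDT sptd.sys ZwOpenKey [0xF72AEA30]
.text ntkrnlpa.exe!ZwCallbackReturn + 2420 80501C30 4 Bytes JMP E47CF72A
.text USBPORT.SYS!DllUnload F6F4A8AC 5 Bytes JMP 8A4BB1D8
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1892] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2172] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0116A6B4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72750C0] sptd.sys
IAT \SystemRoot\System32\Drivers\avnzl79s.SYS[HAL.dll!KeGetCurrentIrql] 830C4D8A
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [AA73DE90] \SystemRoot\System32\Drivers\tgbvpn.sys (TheGreenBow VPN Client/TheGreenBow)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\usbuhci \Device\USBPDO-0 8A46B1F8
Device \Driver\PCI_PNP2398 \Device\0000006d sptd.sys
"""

HEX8 = re.compile(r"^[0-9A-F]{8}$")
# SSDT <owner module | raw address> <ZwFunction> [0x<handler>]
SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>\S+)\s+(?P<func>Zw\w+)(?:\s+\[0x(?P<addr>[0-9A-F]+)\])?\s*$")
# IAT <importer>[<dll>!<func>] [<addr>] <owner> (<desc>)   or   IAT <importer>[<dll>!<func>] <raw>
IAT_RE = re.compile(
    r"^IAT\s+(?P<importer>.+?)\s*\[(?P<dll>[^!\]]+)!(?P<func>[^\]]+)\]\s+"
    r"(?:\[(?P<addr>[0-9A-F]+)\]\s+(?P<owner>.+?)(?:\s+\((?P<desc>[^)]*)\))?"
    r"|(?P<raw>[0-9A-F]{8}))\s*$")
# .text <target> <addr> <n> Bytes <patch>, where patch is 'JMP <dest> [<owner> (<desc>)]' or inline bytes
TEXT_RE = re.compile(r"^\.text\s+(?P<target>.+?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<patch>.+?)\s*$")
JMP_RE = re.compile(r"^JMP\s+(?P<dest>[0-9A-F]{8})(?:\s+(?P<owner>.+?)(?:\s+\((?P<desc>[^)]*)\))?)?$")
# Device/AttachedDevice <driver object> <device> <owner module | raw address> (<desc>)
DEV_RE = re.compile(r"^(?P<kind>Device|AttachedDevice)\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<owner>\S+)(?:\s+\((?P<desc>[^)]*)\))?\s*$")


def module_name(owner):
    """Reduce a module reference (bare name or full path) to a lower-case file name."""
    return owner.rsplit("\\", 1)[-1].lower()


def parse_entry(line):
    """Return (kind, owner_or_None, summary) for one GMER line, or None for
    section headers, elisions ('...'), plain device listings and unknown lines."""
    line = line.strip()
    m = SSDT_RE.match(line)
    if m:
        owner = None if HEX8.match(m["owner"]) else m["owner"]
        return "SSDT", owner, f"SSDT {m['func']} -> {m['addr'] or m['owner']}"
    m = IAT_RE.match(line)
    if m:  # m['owner'] is None when the import slot holds only a raw value
        return "IAT", m["owner"], f"IAT {m['importer'].strip()} {m['dll']}!{m['func']} -> {m['addr'] or m['raw']}"
    m = TEXT_RE.match(line)
    if m:
        j = JMP_RE.match(m["patch"])
        owner = j["owner"] if j else None  # inline byte patches carry no owner at all
        what = f"JMP {j['dest']}" if j else f"inline patch {m['patch']}"
        return ".text", owner, f".text {m['target']} @ {m['addr']} {what}"
    m = DEV_RE.match(line)
    if m:
        if HEX8.match(m["owner"]):
            return None  # ordinary device-object listing, not a hook
        return m["kind"], m["owner"], f"{m['kind']} {m['device']} -> {m['owner']}"
    return None


def triage(log_text):
    """Group hook entries by owning module; collect unattributed ones separately."""
    attributed, unattributed = defaultdict(list), []
    for line in log_text.splitlines():
        parsed = parse_entry(line)
        if parsed is None:
            continue
        _kind, owner, summary = parsed
        if owner is None:
            unattributed.append(summary)
        else:
            attributed[module_name(owner)].append(summary)
    return dict(attributed), unattributed


if __name__ == "__main__":
    known, unknown = triage(SAMPLE_LOG)
    for module, hooks in sorted(known.items()):
        print(f"{module}: {len(hooks)} hook(s)")
        for hook in hooks:
            print("   ", hook)
    print("needs manual correlation against the loaded-module list:")
    for hook in unknown:
        print("   ", hook)
```

On the sample entries the attributed bin holds sptd.sys (two SSDT hooks, one HAL import in atapi.sys and the \Device\0000006d object), tgbvpn.sys, eamon.sys and xul.dll; the six unattributed entries are the two raw-address SSDT hooks, the two kernel JMPs, the avnzl79s.SYS import slot and the inline patch in ekrn.exe. For sptd.sys the registry section of the log itself supplies the correlation (Cfg@p0 points at the Alcohol 120% and DAEMON Tools Lite install directories); for the raw addresses the correlation has to come from the machine's driver list, which GMER does not print.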