GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-06-15 18:19:42 Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\00000071 ST9100824AS rev.7.24 Running: vhisputz.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pxtdqpoc.sys ---- User code sections - GMER 1.0.15 ---- .text C:\WINNT\system32\winlogon.exe[240] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\winlogon.exe[240] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINNT\system32\winlogon.exe[240] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\winlogon.exe[240] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\winlogon.exe[240] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 10027DF0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\winlogon.exe[240] ntdll.dll!LdrUnloadDll 7C916C9B 5 Bytes JMP 1001D1A0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\winlogon.exe[240] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10024F30 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\winlogon.exe[240] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10025AC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\winlogon.exe[240] ADVAPI32.dll!CreateProcessAsUserW 77DDA8B1 5 Bytes JMP 10023A60 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\winlogon.exe[240] ADVAPI32.dll!CreateProcessAsUserA 77E00C08 5 Bytes JMP 10024390 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\winlogon.exe[240] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\winlogon.exe[240] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10029CC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\winlogon.exe[240] GDI32.dll!GetPixel 77F1B479 5 Bytes JMP 10028990 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\winlogon.exe[240] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10029BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINNT\system32\services.exe[284] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 10027DF0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] ntdll.dll!LdrUnloadDll 7C916C9B 5 Bytes JMP 1001D1A0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10024F30 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10025AC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] ADVAPI32.dll!CreateProcessAsUserW 77DDA8B1 5 Bytes JMP 10023A60 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] ADVAPI32.dll!CreateProcessAsUserA 77E00C08 5 Bytes JMP 10024390 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] RPCRT4.dll!RpcServerRegisterIfEx 77E90D13 5 Bytes JMP 1001F060 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10029CC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] GDI32.dll!GetPixel 77F1B479 5 Bytes JMP 10028990 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\services.exe[284] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10029BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINNT\system32\lsass.exe[296] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 10027DF0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] ntdll.dll!LdrUnloadDll 7C916C9B 5 Bytes JMP 1001D1A0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10024F30 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10025AC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] ADVAPI32.dll!CreateProcessAsUserW 77DDA8B1 5 Bytes JMP 10023A60 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] ADVAPI32.dll!CreateProcessAsUserA 77E00C08 5 Bytes JMP 10024390 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10029CC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] GDI32.dll!GetPixel 77F1B479 5 Bytes JMP 10028990 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\lsass.exe[296] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10029BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINNT\system32\svchost.exe[448] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 10027DF0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] ntdll.dll!LdrUnloadDll 7C916C9B 5 Bytes JMP 1001D1A0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10024F30 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10025AC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] ADVAPI32.dll!CreateProcessAsUserW 77DDA8B1 5 Bytes JMP 10023A60 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] ADVAPI32.dll!CreateProcessAsUserA 77E00C08 5 Bytes JMP 10024390 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] RPCRT4.dll!RpcServerRegisterIfEx 77E90D13 5 Bytes JMP 1001F060 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10029CC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] GDI32.dll!GetPixel 77F1B479 5 Bytes JMP 10028990 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[448] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10029BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINNT\system32\svchost.exe[508] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 10027DF0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] ntdll.dll!LdrUnloadDll 7C916C9B 5 Bytes JMP 1001D1A0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10024F30 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10025AC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] ADVAPI32.dll!CreateProcessAsUserW 77DDA8B1 5 Bytes JMP 10023A60 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] ADVAPI32.dll!CreateProcessAsUserA 77E00C08 5 Bytes JMP 10024390 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] RPCRT4.dll!RpcServerRegisterIfEx 77E90D13 5 Bytes JMP 1001F060 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10029CC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] GDI32.dll!GetPixel 77F1B479 5 Bytes JMP 10028990 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10029BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[508] rpcss.dll!WhichService 76A6423C 8 Bytes JMP ED501001 .text C:\WINNT\system32\svchost.exe[600] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[600] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINNT\system32\svchost.exe[600] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[600] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[600] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 10027DF0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[600] ntdll.dll!LdrUnloadDll 7C916C9B 5 Bytes JMP 1001D1A0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[600] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10024F30 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[600] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10025AC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[600] ADVAPI32.dll!CreateProcessAsUserW 77DDA8B1 5 Bytes JMP 10023A60 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[600] ADVAPI32.dll!CreateProcessAsUserA 77E00C08 5 Bytes JMP 10024390 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[600] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[600] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10029CC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[600] GDI32.dll!GetPixel 77F1B479 5 Bytes JMP 10028990 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\system32\svchost.exe[600] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10029BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINNT\System32\svchost.exe[652] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 10027DF0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] ntdll.dll!LdrUnloadDll 7C916C9B 5 Bytes JMP 1001D1A0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10024F30 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10025AC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] ADVAPI32.dll!CreateProcessAsUserW 77DDA8B1 5 Bytes JMP 10023A60 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] ADVAPI32.dll!CreateProcessAsUserA 77E00C08 5 Bytes JMP 10024390 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] RPCRT4.dll!RpcServerRegisterIfEx 77E90D13 5 Bytes JMP 1001F060 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10029CC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] GDI32.dll!GetPixel 77F1B479 5 Bytes JMP 10028990 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\System32\svchost.exe[652] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10029BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\WINNT\Explorer.EXE[860] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 10027DF0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] ntdll.dll!LdrUnloadDll 7C916C9B 5 Bytes JMP 1001D1A0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10024F30 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10025AC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] ADVAPI32.dll!CreateProcessAsUserW 77DDA8B1 5 Bytes JMP 10023A60 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] ADVAPI32.dll!CreateProcessAsUserA 77E00C08 5 Bytes JMP 10024390 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10029CC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] GDI32.dll!GetPixel 77F1B479 5 Bytes JMP 10028990 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\WINNT\Explorer.EXE[860] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10029BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] ntdll.dll!NtClose 7C90CFEE 2 Bytes JMP 1001D080 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] ntdll.dll!NtClose + 3 7C90CFF1 2 Bytes [71, 93] {JNO 0xffffffffffffff95} .text C:\XO\vhisputz.exe[1132] ntdll.dll!NtReplyWaitReceivePort 7C90DA8E 5 Bytes JMP 1002BB80 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] ntdll.dll!NtReplyWaitReceivePortEx 7C90DA9E 5 Bytes JMP 1002B860 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 10027DF0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] ntdll.dll!LdrUnloadDll 7C916C9B 5 Bytes JMP 1001D1A0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 10024F30 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 10025AC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] ADVAPI32.dll!CreateProcessAsUserW 77DDA8B1 5 Bytes JMP 10023A60 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] ADVAPI32.dll!CreateProcessAsUserA 77E00C08 5 Bytes JMP 10024390 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] GDI32.dll!DeleteDC 77F16E5F 5 Bytes JMP 10028BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] GDI32.dll!CreateDCA 77F1B259 5 Bytes JMP 10029CC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] GDI32.dll!GetPixel 77F1B479 5 Bytes JMP 10028990 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) .text C:\XO\vhisputz.exe[1132] GDI32.dll!CreateDCW 77F1BE99 5 Bytes JMP 10029BC0 C:\WINNT\system32\guard32.dll (COMODO Internet Security/COMODO) ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[860] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\111111111111 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\111111111111@a87b39a62e84 0xBB 0x5B 0xD4 0xD3 ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\111111111111 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\111111111111@a87b39a62e84 0xBB 0x5B 0xD4 0xD3 ... ---- EOF - GMER 1.0.15 ----