GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-30 20:43:40
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9120822AS rev.3.ALC
Running: qmiwudlb.exe; Driver: C:\Users\user\AppData\Local\Temp\kwldapob.sys

---- Kernel code sections - GMER 1.0.15 ----

.sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x83330B2E]

---- User code sections - GMER 1.0.15 ----

? C:\Windows\system32\services.exe[500] C:\Windows\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: MSWSOCK.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1860] ntdll.dll!LdrLoadDll 77879378 5 Bytes JMP 6D12B52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1860] kernel32.dll!LockResource + C 76DF6B0B 7 Bytes JMP 6D3DB6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1860] kernel32.dll!VirtualAllocEx + 54 76DFAF70 7 Bytes JMP 6D3DB6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1860] USER32.dll!GetWindowInfo 7767428E 5 Bytes JMP 6D2B2BD4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1860] GDI32.dll!SetStretchBltMode + 256 7722745C 7 Bytes JMP 6D3DB653 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgPrintEx] 51EC8B55
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] 8B565351
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClose] FF560875
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationFile] FA510815
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenFile] 85D88B00
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationFile] C2840FDB
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] 57000000
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 0068406A
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateHeap] FF000010
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeHeap] 006A5073
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetValueKey] 508415FF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateKey] F88B00FA
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] 85FC7D89
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 9E840FFF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreatePagingFile] 8B000000
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!_alldiv] A4F3544B
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 1443B70F
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!_allmul] 0653B70F
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] 1818448D
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] 8B0CC083
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeStringEx] 08758B08
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] 03FC7D8B
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] 8BF903F1
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] C083FC48
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] A4F34A28
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryValueKey] [758BE975] C:\Windows\system32\CRYPT32.dll (Crypto API32/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateFile] 443D8BFC
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenKey] 2B00FA51
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!_vsnwprintf] 458D0875
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 056A50F8
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] 75FF016A
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] 85D7FFFC
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] EB2574C0
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateAcl] 04488B1D
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] 56F84D29
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 8B08508D
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] FC450300
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtReadFile] 52F8C183
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!_chkstk] 5051E9D1
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNumberOfSetBitsUlongPtr] 514015FF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] 7D8300FA
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] DD7500F8
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] 50F8458D
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!qsort] 016A016A
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlRandomEx] FFFC75FF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!memcpy] 74C085D7
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] 0C488D20
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] C085018B
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsicmp] F18B1774
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 03FC4D8B
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!iswspace] 15FF50C1
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] [00FA5080] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] 8B14C683
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 75C08506
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetSaclSecurityDescriptor] FC458BEB
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAddMandatoryAce] C95B5E5F
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlLengthSid] 560004C2
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlGetAce] 7140BF57
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 8B5700FA
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] 7C15FFF1
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] 6A00FA50
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] 3C83580F
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTimeToTimeFields] FA715885
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!memset] 09740000
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventWrite] 8548C88B
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventEnabled] EBEF75C9
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] 85348907
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtMapViewOfSection] [00FA7158] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateSection] 3415FF57
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 5F00FA50
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtResumeThread] 5756C35E
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] FA7140BF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtTerminateProcess] F18B5700
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] 507C15FF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] 0F6A00FA
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateProcessParametersEx] 85343958
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!_wcsupr] [00FA7158] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] C88B0974
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitAnsiString] 75C98548
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!_stricmp] 8308EBF0
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksumEx] 71588524
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 570000FA
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] 503415FF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDisplayString] 5E5F00FA
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWriteFile] 800068C3
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] 006A0000
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 7815FF51
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetSystemInformation] 5000FA50
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetEvent] 513C15FF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetCurrentEnvironment] 55C300FA
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDeleteValueKey] 5351EC8B
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] 35FF5756
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenEvent] [00FA7198] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCreatePort] 513815FF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationProcess] 8D5900FA
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] E8400044
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlCreateUserThread] 00002B8C
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockExclusive] 75FFFC8B
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockExclusive] FC7D8908
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtSetInformationThread] 719835FF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryInformationToken] EC6800FA
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtOpenThreadToken] 5700FA53
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcImpersonateClientOfPort] 513415FF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleaseSRWLockShared] DB3300FA
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquireSRWLockShared] 3910C483
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcDisconnectPort] 6E7D085D
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeSRWLock] FFF63357
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtConnectPort] FA507415
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcGetMessageAttribute] 85F88B00
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcAcceptConnectPort] 8D3774FF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcOpenSenderProcess] 6A500845
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcCancelMessage] FF575602
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlExitUserThread] FA513015
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtAlpcSendWaitReceivePort] 7CC08500
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!AlpcInitializeMessageAttribute] FF556A25
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] 15FFFC75
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] [00FA512C] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDuplicateObject] C9335959
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtCreateEvent] 08896657
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeConditionVariable] FFFE1FE8
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearBits] 85D88BFF
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlDeleteNoSplay] 8B0774DB
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtClearEvent] F72B0875
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSleepConditionVariableSRW] FF57F303
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlWakeAllConditionVariable] FA507015
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetBits] 74F68500
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlTestBit] FC4D8B53
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFindClearBits] FA7084BA
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlClearAllBits] 85D6FF00
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeBitMap] 684575C0
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlFreeSid] 00008000
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtRaiseHardError] 15FF5350
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] [00FA5078] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] 5D3936EB
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!EtwEventRegister] BB31740C
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSetHeapInformation] [00FA7140] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlInitializeConditionVariable] 7C15FF53
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtDelayExecution] BE00FA50
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] [00FA7194] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!NtQueryEvent] C085068B
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlReleasePrivilege] 4D8B0774
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlAcquirePrivilege] FFD78B08
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] 83C68BD0
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!wcstoul] 583D04EE
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] 7500FA71
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlUnwind] 15FF53E7
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!DbgBreakPoint] [00FA5034] C:\Windows\system32\smss.exe (Windows Session Manager/Microsoft Corporation)
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] 5FF0658D
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlConnectToSm] C2C95B5E
IAT C:\Windows\system32\services.exe[500] @ C:\Windows\system32\smss.exe [ntdll.dll!RtlSendMsgToSm] 8B550008
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74657817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7469B4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7465BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7464F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7464E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [746873F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7465DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7464FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7464FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [746DCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7467C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7464D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74646853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7464687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1236] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74652AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp tcpipBM.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\n (*** hidden *** ) @ C:\Windows\Explorer.EXE [1236] 0x45670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0018f337f16b
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5C 0x21 0xE9 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB5 0x78 0xE3 0x58 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6E 0xB7 0x06 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8D 0xAB 0xA4 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x19 0xC2 0xD0 0x29 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE9 0xE8 0x03 0x74 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x97 0xBE 0x29 0x45 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0018f337f16b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5C 0x21 0xE9 0x67 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB5 0x78 0xE3 0x58 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6E 0xB7 0x06 0x7F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8D 0xAB 0xA4 0x67 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x19 0xC2 0xD0 0x29 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xE9 0xE8 0x03 0x74 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x97 0xBE 0x29 0x45 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0xB7 0x51 0xB2 0x90 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\obrazki do tłmumaczenia MPS 0 bytes
File C:\Documents and Settings\obrazki do tłmumaczenia MPS\obrazek 12.odt 720230 bytes
File C:\Documents and Settings\obrazki do tłmumaczenia MPS\obrazek 22.odt 605235 bytes
File C:\Documents and Settings\obrazki do tłmumaczenia MPS\obrazek 23.odt 798989 bytes
File C:\Documents and Settings\obrazki do tłmumaczenia MPS\obrazek 29.odt 979922 bytes
File C:\Documents and Settings\obrazki do tłmumaczenia MPS\obrazek s10.odt 225383 bytes
File C:\Documents and Settings\obrazki do tłmumaczenia MPS\obrazek str 17.odt 630169 bytes
File C:\Documents and Settings\obrazki do tłmumaczenia MPS\obrazeki s12.odt 1955297 bytes
File C:\Documents and Settings\obrazki do tłmumaczenia MPS\obrazki 19 i 21.odt 1380322 bytes
File C:\Documents and Settings\obrazki do tłmumaczenia MPS\obrazki 25.odt 852711 bytes
File C:\Documents and Settings\obrazki do tłmumaczenia MPS\obrazki 27.odt 1381965 bytes
File C:\Documents and Settings\obrazki do tłmumaczenia MPS\rysunki str 14.odt 1367726 bytes
File C:\Documents and Settings\obrazki do tłmumaczenia MPS\zrzut_ekranu.png 141135 bytes

---- EOF - GMER 1.0.15 ----