GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-08-13 11:25:37 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 Running: fzihiu35.exe; Driver: C:\Users\sandoz\AppData\Local\Temp\uwldypob.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwAdjustPrivilegesToken [0xAC936E36] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwAlpcConnectPort [0xAC939074] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwAlpcCreatePort [0xAC9392EE] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwAlpcSendWaitReceivePort [0xAC939564] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwClose [0xAC93774A] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwConnectPort [0xAC93857E] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwCreateEvent [0xAC938AC8] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwCreateFile [0xAC937A26] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwCreateMutant [0xAC9389AE] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwCreateNamedPipeFile [0xAC936A24] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwCreatePort [0xAC938882] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwCreateSection [0xAC936BCC] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwCreateSemaphore [0xAC938BE8] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwCreateThread [0xAC9373D0] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwCreateWaitablePort [0xAC938918] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwDebugActiveProcess [0xAC93A2D6] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwDeviceIoControlFile [0xAC937EA8] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwDuplicateObject [0xAC93B4E4] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwFsControlFile [0xAC937CB6] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwLoadDriver [0xAC93A3C8] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwMapViewOfSection [0xAC93AB30] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys 
ZwOpenEvent [0xAC938B5E] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwOpenFile [0xAC9377CC] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwOpenMutant [0xAC938A3E] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwOpenProcess [0xAC937074] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwOpenSection [0xAC93A8CA] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwOpenSemaphore [0xAC938C7E] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwOpenThread [0xAC936F64] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwQueryDirectoryObject [0xAC939868] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwQuerySection [0xAC93AE6A] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwQueueApcThread [0xAC93A75C] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwReplaceKey [0xAC9356DE] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwReplyPort [0xAC938FE2] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwReplyWaitReceivePort [0xAC938EA8] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwRequestWaitReplyPort [0xAC93A070] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwRestoreKey [0xAC935A56] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwResumeThread [0xAC93B386] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwSaveKey [0xAC935676] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwSecureConnectPort [0xAC9382C4] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwSetContextThread [0xAC9375EC] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwSetInformationToken [0xAC93990A] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwSetSecurityObject [0xAC93A566] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwSetSystemInformation [0xAC93AFBA] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwSuspendProcess [0xAC93B0AC] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwSuspendThread [0xAC93B1E6] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwSystemDebugControl [0xAC93A1FA] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwTerminateProcess [0xAC93721A] 
SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwTerminateThread [0xAC937170] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwUnmapViewOfSection [0xAC93AD0E] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwWriteVirtualMemory [0xAC937306] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwCreateThreadEx [0xAC9374CE] SSDT \SystemRoot\system32\DRIVERS\9596485drv.sys ZwCreateUserProcess [0xAC9397AE] INT 0x52 ? 882B4F00 INT 0x72 ? 882B4F00 INT 0x82 ? 882B4F00 INT 0xA2 ? 882B4F00 INT 0xA2 ? 882B4F00 INT 0xB2 ? 8618CCB8 INT 0xB2 ? 882B4F00 INT 0xB2 ? 882B4F00 INT 0xB2 ? 882B4F00 INT 0xB2 ? 8618CCB8 ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetEvent + 119 82EAE7DC 4 Bytes [36, 6E, 93, AC] {OUTS DX, BYTE SS:[ESI]; XCHG EBX, EAX; LODSB } .text ntkrnlpa.exe!KeSetEvent + 13D 82EAE800 8 Bytes [74, 90, 93, AC, EE, 92, 93, ...] {JZ 0xffffffffffffff92; XCHG EBX, EAX; LODSB ; OUT DX, AL ; XCHG EDX, EAX; XCHG EBX, EAX; LODSB } .text ntkrnlpa.exe!KeSetEvent + 181 82EAE844 4 Bytes [64, 95, 93, AC] .text ntkrnlpa.exe!KeSetEvent + 1A9 82EAE86C 4 Bytes [4A, 77, 93, AC] {DEC EDX; JA 0xffffffffffffff96; LODSB } .text ntkrnlpa.exe!KeSetEvent + 1C1 82EAE884 4 Bytes [7E, 85, 93, AC] {JLE 0xffffffffffffff87; XCHG EBX, EAX; LODSB } .text ... .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x80785B2E] .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x90405340, 0x3FC377, 0xE8000020] .text USBPORT.SYS!DllUnload 8C19241B 5 Bytes JMP 882B4410 ? C:\Windows\System32\Drivers\ac67a2n4.SYS suspicious PE modification ? system32\DRIVERS\9596485drv.sys System nie może odnaleźć określonej ścieżki. ! [= The system cannot find the path specified] ? system32\DRIVERS\74975063.sys System nie może odnaleźć określonej ścieżki. ! [= The system cannot find the path specified]
[Reviewer note: the "ntkrnlpa.exe!KeSetEvent + N" entries above do not appear to be separate code patches — the 4-byte values shown (e.g. [36, 6E, 93, AC] = 0xAC936E36, [74, 90, 93, AC] = 0xAC939074, [EE, 92, 93, AC] = 0xAC9392EE) are the same little-endian pointers already listed as SSDT hook targets inside 9596485drv.sys, so this is the patched service table being reported a second time with a nonsensical disassembly. The two "path not found" lines mean the SSDT-hooking driver and 74975063.sys have no backing file on disk at scan time although their hooks are live in memory: either a temporarily installed security/rescue tool that uses random numeric driver names was run before this scan and has since deleted its files, or a driver is hiding its file. Establish which tools were run on the host, then reboot and rescan before either dismissing or acting on these entries. ac67a2n4.SYS ("suspicious PE modification") also carries a random 8-character name; hash and submit it before rebooting, since a temporary driver may not survive the reboot.]
---- User code sections - GMER 1.0.15 ---- .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtCreateFile + 6 7711424A 4 Bytes [28, 00, 48, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtCreateFile + B 7711424F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtMapViewOfSection + 6 7711499A 1 Byte [28] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtMapViewOfSection + 6 7711499A 4 Bytes [28, 03, 48, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtMapViewOfSection + B 7711499F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenFile + 6 77114A2A 4 Bytes [68, 00, 48, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenFile + B 77114A2F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenProcess + 6 77114AAA 4 Bytes [A8, 01, 48, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenProcess + B 77114AAF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenProcessToken + 6 77114ABA 4 Bytes CALL 761192C0 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenProcessToken + B 77114ABF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenProcessTokenEx + 6 77114ACA 4 Bytes [A8, 02, 48, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenProcessTokenEx + B 77114ACF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] 
ntdll.dll!NtOpenThread + 6 77114B1A 4 Bytes [68, 01, 48, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenThread + B 77114B1F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenThreadToken + 6 77114B2A 4 Bytes [68, 02, 48, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenThreadToken + B 77114B2F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenThreadTokenEx + 6 77114B3A 4 Bytes CALL 76119341 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtOpenThreadTokenEx + B 77114B3F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtQueryAttributesFile + 6 77114BCA 4 Bytes [A8, 00, 48, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtQueryAttributesFile + B 77114BCF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtQueryFullAttributesFile + 6 77114C7A 4 Bytes CALL 7611947F C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtQueryFullAttributesFile + B 77114C7F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtSetInformationFile + 6 7711515A 4 Bytes [28, 01, 48, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtSetInformationFile + B 7711515F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtSetInformationThread + 6 771151AA 4 Bytes [28, 02, 48, 00] .text 
C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtSetInformationThread + B 771151AF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtUnmapViewOfSection + 6 7711544A 1 Byte [68] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtUnmapViewOfSection + 6 7711544A 4 Bytes [68, 03, 48, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] ntdll.dll!NtUnmapViewOfSection + B 7711544F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtCreateFile + 6 7711424A 4 Bytes [28, 00, 21, 00] {SUB [EAX], AL; AND [EAX], EAX} .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtCreateFile + B 7711424F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtMapViewOfSection + 6 7711499A 1 Byte [28] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtMapViewOfSection + 6 7711499A 4 Bytes [28, 03, 21, 00] {SUB [EBX], AL; AND [EAX], EAX} .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtMapViewOfSection + B 7711499F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenFile + 6 77114A2A 4 Bytes [68, 00, 21, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenFile + B 77114A2F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenProcess + 6 77114AAA 4 Bytes [A8, 01, 21, 00] {TEST AL, 0x1; AND [EAX], EAX} .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenProcess + B 77114AAF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenProcessToken + 6 77114ABA 4 Bytes CALL 76116BC0 
C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenProcessToken + B 77114ABF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenProcessTokenEx + 6 77114ACA 4 Bytes [A8, 02, 21, 00] {TEST AL, 0x2; AND [EAX], EAX} .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenProcessTokenEx + B 77114ACF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenThread + 6 77114B1A 4 Bytes [68, 01, 21, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenThread + B 77114B1F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenThreadToken + 6 77114B2A 4 Bytes [68, 02, 21, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenThreadToken + B 77114B2F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenThreadTokenEx + 6 77114B3A 4 Bytes CALL 76116C41 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtOpenThreadTokenEx + B 77114B3F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtQueryAttributesFile + 6 77114BCA 4 Bytes [A8, 00, 21, 00] {TEST AL, 0x0; AND [EAX], EAX} .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtQueryAttributesFile + B 77114BCF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtQueryFullAttributesFile + 6 77114C7A 4 Bytes CALL 76116D7F C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL 
Powłoki systemu Windows/Microsoft Corporation) .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtQueryFullAttributesFile + B 77114C7F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtSetInformationFile + 6 7711515A 4 Bytes [28, 01, 21, 00] {SUB [ECX], AL; AND [EAX], EAX} .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtSetInformationFile + B 7711515F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtSetInformationThread + 6 771151AA 4 Bytes [28, 02, 21, 00] {SUB [EDX], AL; AND [EAX], EAX} .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtSetInformationThread + B 771151AF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtUnmapViewOfSection + 6 7711544A 1 Byte [68] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtUnmapViewOfSection + 6 7711544A 4 Bytes [68, 03, 21, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] ntdll.dll!NtUnmapViewOfSection + B 7711544F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtCreateFile + 6 7711424A 4 Bytes [28, 00, 42, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtCreateFile + B 7711424F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtMapViewOfSection + 6 7711499A 1 Byte [28] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtMapViewOfSection + 6 7711499A 4 Bytes [28, 03, 42, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtMapViewOfSection + B 7711499F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] 
ntdll.dll!NtOpenFile + 6 77114A2A 4 Bytes [68, 00, 42, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtOpenFile + B 77114A2F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtOpenProcess + 6 77114AAA 4 Bytes [A8, 01, 42, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtOpenProcess + B 77114AAF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtOpenProcessToken + 6 77114ABA 4 Bytes CALL 76118CC0 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtOpenProcessToken + B 77114ABF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtOpenProcessTokenEx + 6 77114ACA 4 Bytes [A8, 02, 42, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtOpenProcessTokenEx + B 77114ACF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtOpenThread + 6 77114B1A 4 Bytes [68, 01, 42, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtOpenThread + B 77114B1F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtOpenThreadToken + 6 77114B2A 4 Bytes [68, 02, 42, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtOpenThreadToken + B 77114B2F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtOpenThreadTokenEx + 6 77114B3A 4 Bytes CALL 76118D41 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] 
ntdll.dll!NtOpenThreadTokenEx + B 77114B3F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtQueryAttributesFile + 6 77114BCA 4 Bytes [A8, 00, 42, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtQueryAttributesFile + B 77114BCF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtQueryFullAttributesFile + 6 77114C7A 4 Bytes CALL 76118E7F C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtQueryFullAttributesFile + B 77114C7F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtSetInformationFile + 6 7711515A 4 Bytes [28, 01, 42, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtSetInformationFile + B 7711515F 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtSetInformationThread + 6 771151AA 4 Bytes [28, 02, 42, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtSetInformationThread + B 771151AF 1 Byte [E2] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtUnmapViewOfSection + 6 7711544A 1 Byte [68] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtUnmapViewOfSection + 6 7711544A 4 Bytes [68, 03, 42, 00] .text C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] ntdll.dll!NtUnmapViewOfSection + B 7711544F 1 Byte [E2] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [80690F12] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) 
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [80691232] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80690730] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [806910F0] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [80690856] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [80690914] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A4EB0] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
[Reviewer note: every kernel IAT redirection in this section points into sptd.sys, the SCSI Pass Through Direct driver shipped with DAEMON Tools (its configuration keys appear under Services\sptd\Cfg further down, with p0 = C:\Program Files\DAEMON Tools Lite\ and C:\Program Files\DAEMON Tools\). With that product installed these hooks are expected behaviour of the driver, but note that sptd interposes not only on atapi's port I/O but also on i8042prt's (the PS/2 keyboard/mouse port driver) READ_PORT_UCHAR import, and sptd is widely reported to interfere with anti-rootkit scanners. A cleaner baseline for the remaining findings is obtained by uninstalling DAEMON Tools/sptd and rescanning.]
---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[316] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00010010 IAT C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4724] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00010010 IAT C:\Users\sandoz\AppData\Local\Google\Chrome\Application\chrome.exe[4896] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00010010 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 861901E8 AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo) Device \FileSystem\fastfat \FatCdrom 864B8228 Device \Driver\netbt \Device\NetBT_Tcpip_{44C77159-5609-4109-A3C8-22241BCA364F} 921C01E8 Device \FileSystem\fastfat \Fat 864B8228 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat tvtumon.sys (Windows Update Monitor Driver/Lenovo) Device \FileSystem\cdfs \Cdfs A44F0430 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076d89f08 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076d89f08@0021ab3cc642 0x29 0x22 0x40 0x50 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2B 0xA6 0xB2 0xF6 ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x28 0xD6 0xA1 0x4F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x11 0xF1 0x99 0x7E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0xEB 0x10 0x47 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x08 0x9F 0xF4 0x1C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x94 0x8C 0x67 0xC9 ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0c6076d89f08 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0c6076d89f08@0021ab3cc642 0x29 0x22 0x40 0x50 ... 
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2B 0xA6 0xB2 0xF6 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x28 0xD6 0xA1 0x4F ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x11 0xF1 0x99 0x7E ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0xEB 0x10 0x47 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x08 0x9F 0xF4 0x1C ... 
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x94 0x8C 0x67 0xC9 ... ---- EOF - GMER 1.0.15 ----
[Reviewer triage summary: (1) The kernel findings not attributable to a visibly installed product are the SSDT hooks owned by 9596485drv.sys (file missing from disk at scan time), 74975063.sys (also missing) and ac67a2n4.SYS ("suspicious PE modification"); resolve these first by establishing which AV/rescue tools were run on the host, then reboot and rescan. (2) The user-mode patches in chrome.exe are identical across PIDs 316, 4724 and 4896: a 4-byte value written at +6 of each ntdll Nt* stub that differs only in its third byte per process (0x48, 0x21, 0x42 — i.e. a per-process page), plus a constant 0xE2 at +B (turning the stub's indirect call through EDX into a jump), together with the RPCRT4 IAT entry for KERNEL32!CreateNamedPipeW redirected to 00010010. This pattern is consistent with Chrome's own sandbox interception of system calls in its child processes and is not, on its own, evidence of compromise; the "CALL ... SHELL32.dll" lines are GMER decoding those same 4 data bytes as an instruction. (3) The sptd.sys IAT hooks and the writeable nvlddmkm.sys section are behaviour of installed third-party drivers (DAEMON Tools, NVIDIA) and are commonly seen in clean logs. (4) Before this log is shared further, redact the BTHPORT\Parameters\Keys values — they are Bluetooth pairing link keys keyed by adapter and device address, and the log prints their first bytes — and consider redacting the username in the profile paths. (5) The renamed scanner executable (fzihiu35.exe) and the driver loaded from %TEMP% (uwldypob.sys) on the first line are GMER's own runtime artifacts, not findings.]