GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-12-19 01:58:12
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_SP0812N rev.TK100-30
Running: lbb5vjx1.exe; Driver: C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\kwtdipow.sys


---- System - GMER 1.0.15 ----

SSDT 89EE8EC0 ZwAlertResumeThread
SSDT 8A22F4E8 ZwAlertThread
SSDT 8A218638 ZwAllocateVirtualMemory
SSDT 8996D468 ZwAssignProcessToJobObject
SSDT 89FCE6F8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAB950ED0]
SSDT 8A307398 ZwCreateMutant
SSDT 89FF01F0 ZwCreateSymbolicLinkObject
SSDT 89EF8868 ZwCreateThread
SSDT 8996D4C0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAB951150]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAB951810]
SSDT 8999F290 ZwDuplicateObject
SSDT spbw.sys ZwEnumerateKey [0xF74F5CA2]
SSDT spbw.sys ZwEnumerateValueKey [0xF74F6030]
SSDT 89F6B390 ZwFreeVirtualMemory
SSDT 8A303C50 ZwImpersonateAnonymousToken
SSDT 8A303CA8 ZwImpersonateThread
SSDT 89F81DF0 ZwLoadDriver
SSDT 8A032220 ZwMapViewOfSection
SSDT 8A2B66E0 ZwOpenEvent
SSDT spbw.sys ZwOpenKey [0xF74D70C0]
SSDT 89F724B8 ZwOpenProcess
SSDT 8A063A50 ZwOpenProcessToken
SSDT 8A294840 ZwOpenSection
SSDT 89C74C30 ZwOpenThread
SSDT 89FEF128 ZwProtectVirtualMemory
SSDT spbw.sys ZwQueryKey [0xF74F6108]
SSDT spbw.sys ZwQueryValueKey [0xF74F5F88]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwRenameKey [0xAB951D80]
SSDT 8A2D1C70 ZwResumeThread
SSDT 8A2302F0 ZwSetContextThread
SSDT 89FB27C8 ZwSetInformationProcess
SSDT 89FA8638 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAB951AA0]
SSDT 8A2B6688 ZwSuspendProcess
SSDT 89FF2A30 ZwSuspendThread
SSDT 8A071308 ZwTerminateProcess
SSDT 89FF0238 ZwTerminateThread
SSDT 8A2A2890 ZwUnmapViewOfSection
SSDT 89F89048 ZwWriteVirtualMemory

INT 0x62 ? 8A7F8BF8
INT 0x63 ? 8A1FCF00
INT 0x73 ? 8A1FCF00
INT 0x73 ? 8A1FCF00
INT 0x82 ? 8A7F8BF8
INT 0xA4 ? 8A1FCF00
INT 0xB4 ? 8A1FCF00

---- Kernel code sections - GMER 1.0.15 ----

? spbw.sys Nie można odnaleźć określonego pliku. !
? SYMDS.SYS Nie można odnaleźć określonego pliku. !
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8727000, 0x1E2E6E, 0xE8000020]
.text USBPORT.SYS!DllUnload B87068AC 5 Bytes JMP 8A1FC4E0
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB8601F80]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Bonjour\mDNSResponder.exe[1148] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\Program Files\Bonjour\mDNSResponder.exe[1148] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\Program Files\Bonjour\mDNSResponder.exe[1148] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text C:\Program Files\Bonjour\mDNSResponder.exe[1148] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text C:\Program Files\Bonjour\mDNSResponder.exe[1148] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text C:\Program Files\Bonjour\mDNSResponder.exe[1148] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text C:\Program Files\Bonjour\mDNSResponder.exe[1148] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text C:\Program Files\Bonjour\mDNSResponder.exe[1148] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text C:\Program Files\Bonjour\mDNSResponder.exe[1148] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text C:\Program Files\Bonjour\mDNSResponder.exe[1148] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text C:\Program Files\Bonjour\mDNSResponder.exe[1148] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766
.text C:\Program Files\Bonjour\mDNSResponder.exe[1148] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A
.text C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe[1220] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00950048
.text C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe[1220] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0083004C
.text C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe[1220] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 0095020E
.text C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe[1220] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 0095012A
.text C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe[1220] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00950682
.text C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe[1220] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 0095059E
.text C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe[1220] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 009503D6
.text C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe[1220] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 009502F2
.text C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe[1220] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [B2, 88, EB, F9] {MOV DL, 0x88; JMP 0xfffffffffffffffd}
.text C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe[1220] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 009504BA
.text C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe[1220] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00950766
.text C:\Program Files\Condusiv Technologies\Diskeeper\DkService.exe[1220] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 00950A0E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1332] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1332] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1332] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1332] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1332] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1332] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1332] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1332] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1332] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1332] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1332] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766
.text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[1332] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1608] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1608] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1608] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1608] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1608] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1608] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1608] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1608] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1608] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1608] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1608] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766
.text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[1608] user32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A
.text D:\lbb5vjx1.exe[2208] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text D:\lbb5vjx1.exe[2208] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text D:\lbb5vjx1.exe[2208] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text D:\lbb5vjx1.exe[2208] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text D:\lbb5vjx1.exe[2208] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text D:\lbb5vjx1.exe[2208] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text D:\lbb5vjx1.exe[2208] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text D:\lbb5vjx1.exe[2208] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text D:\lbb5vjx1.exe[2208] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text D:\lbb5vjx1.exe[2208] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text D:\lbb5vjx1.exe[2208] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766
.text D:\lbb5vjx1.exe[2208] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[2804] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[2804] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[2804] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[2804] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[2804] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[2804] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[2804] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[2804] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[2804] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[2804] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[2804] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[2804] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 053F0048
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] ntdll.dll!NtSetInformationProcess 7C90DC9E 5 Bytes JMP 053F012A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0030004C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 017D4470 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] kernel32.dll!VirtualProtectEx + 6E 7C801ACF 7 Bytes JMP 053F04B2
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] kernel32.dll!ReadProcessMemory + 3E 7C80220E 7 Bytes JMP 053F020C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 053F03D0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01A20459 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] kernel32.dll!GetVersionExA + D3 7C812C51 7 Bytes JMP 053F0594
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] kernel32.dll!ValidateLocale + B130 7C844958 7 Bytes JMP 017DF972 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] kernel32.dll!GetProcessHandleCount + 35 7C86229F 7 Bytes JMP 053F02EE
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0032012A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01A203DA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003202F0
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 0032020C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00320764
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 00320680
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003204B8
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 7 Bytes JMP 003203D4
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 0032059C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3568] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00320848
.text C:\WINDOWS\system32\PnkBstrA.exe[3676] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003D0048
.text C:\WINDOWS\system32\PnkBstrA.exe[3676] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003B004C
.text C:\WINDOWS\system32\PnkBstrA.exe[3676] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003D084A
.text C:\WINDOWS\system32\PnkBstrA.exe[3676] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003D020E
.text C:\WINDOWS\system32\PnkBstrA.exe[3676] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003D012A
.text C:\WINDOWS\system32\PnkBstrA.exe[3676] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003D0682
.text C:\WINDOWS\system32\PnkBstrA.exe[3676] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003D059E
.text C:\WINDOWS\system32\PnkBstrA.exe[3676] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003D03D6
.text C:\WINDOWS\system32\PnkBstrA.exe[3676] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003D02F2
.text C:\WINDOWS\system32\PnkBstrA.exe[3676] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5A, 88, EB, F9] {POP EDX; MOV BL, CH; STC }
.text C:\WINDOWS\system32\PnkBstrA.exe[3676] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003D04BA
.text C:\WINDOWS\system32\PnkBstrA.exe[3676] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003D0766
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3892] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3892] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3892] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3892] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3892] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3892] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3892] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3892] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3892] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3892] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3892] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3892] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A78A2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7508C4C] spbw.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7508CA0] spbw.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D8040] spbw.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D813C] spbw.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D80BE] spbw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D87FC] spbw.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D86D2] spbw.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A1FC5E0

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7F71F8
AttachedDevice \FileSystem\Ntfs \Ntfs tdrpman.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbuhci \Device\USBPDO-0 8A1BD1F8
Device \Driver\usbuhci \Device\USBPDO-1 8A1BD1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7881F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A7881F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A7881F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A7881F8
Device \Driver\usbuhci \Device\USBPDO-2 8A1BD1F8
Device \Driver\usbuhci \Device\USBPDO-3 8A1BD1F8
Device \Driver\usbehci \Device\USBPDO-4 8A1BB1F8
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Ftdisk \Device\HarddiskVolume1 fltsrv.sys (Acronis Storage Filter Management Driver/Acronis)
Device \Driver\Ftdisk \Device\HarddiskVolume2 fltsrv.sys (Acronis Storage Filter Management Driver/Acronis)
Device \Driver\Cdrom \Device\CdRom0 8A1801F8
Device \Driver\atapi \Device\Ide\IdePort0 [F7832B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F7832B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7832B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7832B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 [F7832B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 fltsrv.sys (Acronis Storage Filter Management Driver/Acronis)
Device \Driver\Ftdisk \Device\HarddiskVolume4 fltsrv.sys (Acronis Storage Filter Management Driver/Acronis)
Device \Driver\DKDFM \Device\DKDFMControl fltsrv.sys (Acronis Storage Filter Management Driver/Acronis)
Device \Driver\NetBT \Device\NetBt_Wins_Export 8997D500
Device \Driver\NetBT \Device\NetbiosSmb 8997D500
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Disk \Device\Harddisk0\DR0 fltsrv.sys (Acronis Storage Filter Management Driver/Acronis)
Device \Driver\NetBT \Device\NetBT_Tcpip_{D8AA4231-029E-483D-9A1E-B7CD82BC324C} 8997D500
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Disk \Device\Harddisk1\DR1 fltsrv.sys (Acronis Storage Filter Management Driver/Acronis)
Device \Driver\usbuhci \Device\USBFDO-0 8A1BD1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{98DEB77C-80B3-4036-9289-92BFE7FB0793} 8997D500
Device \Driver\usbuhci \Device\USBFDO-1 8A1BD1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89F66500
Device \Driver\usbuhci \Device\USBFDO-2 8A1BD1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89F66500
Device \Driver\usbuhci \Device\USBFDO-3 8A1BD1F8
Device \Driver\usbehci \Device\USBFDO-4 8A1BB1F8
Device \Driver\Ftdisk \Device\FtControl fltsrv.sys (Acronis Storage Filter Management Driver/Acronis)
Device \FileSystem\Cdfs \Cdfs 890E71F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9E 0xF2 0xB9 0xB0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9E 0xF2 0xB9 0xB0 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{438842A3-6FBC-8636-7037-2F9CDD3BE985}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{81533800-A58B-0594-1F52-31EABEE00D23}

---- EOF - GMER 1.0.15 ----