GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-04-20 14:04:23
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.ES2O 298,09GB
Running: ft99tspx.exe; Driver: C:\Users\Anna\AppData\Local\Temp\kwldrpow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8AF4959C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x8BE38388]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8AF4A02E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8AF557F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8AF5583E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8AF559D8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8AF55760]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x8682BB60]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x8682BE28]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x8BE38720]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8AF557A8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8AF4A52C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8AF4A748]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8AF55992]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x8682C124]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8AF4ADE4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8AF49602]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0x8AF4E5C2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x8BE38450]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x8BE369B4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8AF49668]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8AF4E98C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8AF4B874]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8AF5581C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8AF55860]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8AF559FC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8AF55786]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0x8AF4DEA8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8AF55910]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8AF557D0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0x8AF4E29A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8AF559B6]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x8BE385B0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8AF4B740]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x8AF4B44E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8AF496CE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8AF49734]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8AF4AC5E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8AF49284]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8AF4945A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8AF493E8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8AF4AFAE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8AF4B110]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8AF494E2]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8682B75E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8AF4AC3E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0x8BE369E4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8AF4979A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x8BE384FC]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 81C46A49 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81C804D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 81C87500 4 Bytes [9C, 95, F4, 8A]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 81C87528 2 Bytes [88, 83]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F6 81C8752B 1 Byte [8B]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 81C87588 4 Bytes [2E, A0, F4, 8A]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 81C875DC 8 Bytes [F2, 57, F5, 8A, 3E, 58, F5, ...]
.text ...
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 81E15C88 5 Bytes JMP 8BE4EA3A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 81E2E2B0 5 Bytes JMP 8BE5056C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 81E433F7 4 Bytes CALL 8AF4BF37 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 81E5D20E 4 Bytes CALL 8AF4BF4D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
? \Device\Harddisk0\Partition2\Windows\system32\drivers\PctWfpFilter.sys System nie może odnaleźć określonej ścieżki. !
PAGE peauth.sys A916C02D 101 Bytes JMP 8577158A
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 ACEDA000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 ACEDA123 629 Bytes [55, ED, AC, FE, 05, 34, 55, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 ACEDA399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F ACEDA3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B ACEDA4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
.text sechost.dll!SetServiceObjectSecurity 777B5181 5 Bytes [E9, 8E, BE, 9C, 88] {JMP 0x889cbe93}
.text sechost.dll!ChangeServiceConfigA 777B5254 5 Bytes [E9, AB, B5, 9C, 88] {JMP 0x889cb5b0}
.text sechost.dll!ChangeServiceConfigW 777B53D5 5 Bytes [E9, 2E, B6, 9C, 88] {JMP 0x889cb633}
.text sechost.dll!ChangeServiceConfig2A 777B54C2 5 Bytes [E9, 45, B7, 9C, 88] {JMP 0x889cb74a}
.text sechost.dll!ChangeServiceConfig2W 777B55E2 5 Bytes [E9, 29, B8, 9C, 88] {JMP 0x889cb82e}
.text sechost.dll!CreateServiceA 777B567C 5 Bytes [E9, 77, AB, 9C, 88] {JMP 0x889cab7c}
.text sechost.dll!CreateServiceW 777B589F 5 Bytes [E9, 58, AB, 9C, 88] {JMP 0x889cab5d}
.text sechost.dll!DeleteService 777B5A22 5 Bytes [E9, D9, AB, 9C, 88] {JMP 0x889cabde}
.text user32.dll!UnhookWindowsHookEx 76A2ADF9 5 Bytes [E9, 0A, 5C, 76, 89] {JMP 0x89765c0f}
.text user32.dll!UnhookWinEvent 76A2B750 5 Bytes [E9, A7, 4C, 76, 89] {JMP 0x89764cac}
.text user32.dll!SetWindowsHookExW 76A2E30C 5 Bytes [E9, F3, 24, 76, 89] {JMP 0x897624f8}
.text user32.dll!SetWinEventHook 76A324DC 5 Bytes [E9, 17, DD, 75, 89] {JMP 0x8975dd1c}
.text user32.dll!SetWindowsHookExA 76A56D0C 5 Bytes [E9, EF, 98, 73, 89] {JMP 0x897398f4}
.text kernel32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]

---- User code sections - GMER 2.1 ----

.text C:\Windows\Explorer.EXE[132] kernel32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[656] kernel32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Windows\system32\csrss.exe[660] kernel32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[716] kernel32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text ...
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2252] ntdll.dll!LdrUnloadDll 7765C86E 5 Bytes JMP 000E03FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2252] ntdll.dll!LdrLoadDll 7766223E 5 Bytes JMP 000E01F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2252] KERNEL32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2252] USER32.dll!UnhookWindowsHookEx 76A2ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2252] USER32.dll!UnhookWinEvent 76A2B750 5 Bytes JMP 001003FC
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2252] USER32.dll!SetWindowsHookExW 76A2E30C 5 Bytes JMP 00100804
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2252] USER32.dll!SetWinEventHook 76A324DC 5 Bytes JMP 001001F8
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[2252] USER32.dll!SetWindowsHookExA 76A56D0C 5 Bytes JMP 00100600
.text C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe[2272] kernel32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2372] kernel32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2380] kernel32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[2496] kernel32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\14.2.0\ToolbarUpdater.exe[2600] kernel32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text ...
.text C:\Windows\System32\svchost.exe[2716] ntdll.dll!LdrUnloadDll 7765C86E 5 Bytes JMP 000703FC
.text C:\Windows\System32\svchost.exe[2716] ntdll.dll!LdrLoadDll 7766223E 5 Bytes JMP 000701F8
.text C:\Windows\System32\svchost.exe[2716] KERNEL32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[2716] USER32.dll!UnhookWindowsHookEx 76A2ADF9 5 Bytes JMP 00140A08
.text C:\Windows\System32\svchost.exe[2716] USER32.dll!UnhookWinEvent 76A2B750 5 Bytes JMP 001403FC
.text C:\Windows\System32\svchost.exe[2716] USER32.dll!SetWindowsHookExW 76A2E30C 5 Bytes JMP 00140804
.text C:\Windows\System32\svchost.exe[2716] USER32.dll!SetWinEventHook 76A324DC 5 Bytes JMP 001401F8
.text C:\Windows\System32\svchost.exe[2716] USER32.dll!SetWindowsHookExA 76A56D0C 5 Bytes JMP 00140600
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3476] ntdll.dll!LdrUnloadDll 7765C86E 5 Bytes JMP 001E03FC
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3476] ntdll.dll!LdrLoadDll 7766223E 5 Bytes JMP 001E01F8
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3476] KERNEL32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3476] USER32.dll!UnhookWindowsHookEx 76A2ADF9 5 Bytes JMP 001F0A08
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3476] USER32.dll!UnhookWinEvent 76A2B750 5 Bytes JMP 001F03FC
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3476] USER32.dll!SetWindowsHookExW 76A2E30C 5 Bytes JMP 001F0804
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3476] USER32.dll!SetWinEventHook 76A324DC 5 Bytes JMP 001F01F8
.text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3476] USER32.dll!SetWindowsHookExA 76A56D0C 5 Bytes JMP 001F0600
.text C:\Windows\system32\SearchIndexer.exe[3872] ntdll.dll!LdrUnloadDll 7765C86E 5 Bytes JMP 000B03FC
.text C:\Windows\system32\SearchIndexer.exe[3872] ntdll.dll!LdrLoadDll 7766223E 5 Bytes JMP 000B01F8
.text C:\Windows\system32\SearchIndexer.exe[3872] KERNEL32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Windows\system32\SearchIndexer.exe[3872] USER32.dll!UnhookWindowsHookEx 76A2ADF9 5 Bytes JMP 000D0A08
.text C:\Windows\system32\SearchIndexer.exe[3872] USER32.dll!UnhookWinEvent 76A2B750 5 Bytes JMP 000D03FC
.text C:\Windows\system32\SearchIndexer.exe[3872] USER32.dll!SetWindowsHookExW 76A2E30C 5 Bytes JMP 000D0804
.text C:\Windows\system32\SearchIndexer.exe[3872] USER32.dll!SetWinEventHook 76A324DC 5 Bytes JMP 000D01F8
.text C:\Windows\system32\SearchIndexer.exe[3872] USER32.dll!SetWindowsHookExA 76A56D0C 5 Bytes JMP 000D0600
.text C:\Windows\system32\svchost.exe[3940] ntdll.dll!LdrUnloadDll 7765C86E 5 Bytes JMP 000E03FC
.text C:\Windows\system32\svchost.exe[3940] ntdll.dll!LdrLoadDll 7766223E 5 Bytes JMP 000E01F8
.text C:\Windows\system32\svchost.exe[3940] KERNEL32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Windows\system32\svchost.exe[3940] USER32.dll!UnhookWindowsHookEx 76A2ADF9 5 Bytes JMP 00110A08
.text C:\Windows\system32\svchost.exe[3940] USER32.dll!UnhookWinEvent 76A2B750 5 Bytes JMP 001103FC
.text C:\Windows\system32\svchost.exe[3940] USER32.dll!SetWindowsHookExW 76A2E30C 5 Bytes JMP 00110804
.text C:\Windows\system32\svchost.exe[3940] USER32.dll!SetWinEventHook 76A324DC 5 Bytes JMP 001101F8
.text C:\Windows\system32\svchost.exe[3940] USER32.dll!SetWindowsHookExA 76A56D0C 5 Bytes JMP 00110600
.text C:\Windows\servicing\TrustedInstaller.exe[4004] ntdll.dll!LdrUnloadDll 7765C86E 5 Bytes JMP 000D03FC
.text C:\Windows\servicing\TrustedInstaller.exe[4004] ntdll.dll!LdrLoadDll 7766223E 5 Bytes JMP 000D01F8
.text C:\Windows\servicing\TrustedInstaller.exe[4004] KERNEL32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Windows\servicing\TrustedInstaller.exe[4004] USER32.dll!UnhookWindowsHookEx 76A2ADF9 5 Bytes JMP 000F0A08
.text C:\Windows\servicing\TrustedInstaller.exe[4004] USER32.dll!UnhookWinEvent 76A2B750 5 Bytes JMP 000F03FC
.text C:\Windows\servicing\TrustedInstaller.exe[4004] USER32.dll!SetWindowsHookExW 76A2E30C 5 Bytes JMP 000F0804
.text C:\Windows\servicing\TrustedInstaller.exe[4004] USER32.dll!SetWinEventHook 76A324DC 5 Bytes JMP 000F01F8
.text C:\Windows\servicing\TrustedInstaller.exe[4004] USER32.dll!SetWindowsHookExA 76A56D0C 5 Bytes JMP 000F0600
.text C:\Users\Anna\Downloads\ft99tspx.exe[4228] ntdll.dll!LdrUnloadDll 7765C86E 5 Bytes JMP 001703FC
.text C:\Users\Anna\Downloads\ft99tspx.exe[4228] ntdll.dll!LdrLoadDll 7766223E 5 Bytes JMP 001701F8
.text C:\Users\Anna\Downloads\ft99tspx.exe[4228] KERNEL32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Users\Anna\Downloads\ft99tspx.exe[4228] USER32.dll!UnhookWindowsHookEx 76A2ADF9 5 Bytes JMP 00190A08
.text C:\Users\Anna\Downloads\ft99tspx.exe[4228] USER32.dll!UnhookWinEvent 76A2B750 5 Bytes JMP 001903FC
.text C:\Users\Anna\Downloads\ft99tspx.exe[4228] USER32.dll!SetWindowsHookExW 76A2E30C 5 Bytes JMP 00190804
.text C:\Users\Anna\Downloads\ft99tspx.exe[4228] USER32.dll!SetWinEventHook 76A324DC 5 Bytes JMP 001901F8
.text C:\Users\Anna\Downloads\ft99tspx.exe[4228] USER32.dll!SetWindowsHookExA 76A56D0C 5 Bytes JMP 00190600
.text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[4428] kernel32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4904] ntdll.dll!LdrUnloadDll 7765C86E 5 Bytes JMP 000E03FC
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4904] ntdll.dll!LdrLoadDll 7766223E 5 Bytes JMP 000E01F8
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4904] KERNEL32.dll!GetBinaryTypeW + 70 75AF69F4 1 Byte [62]
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4904] USER32.dll!UnhookWindowsHookEx 76A2ADF9 5 Bytes JMP 00100A08
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4904] USER32.dll!UnhookWinEvent 76A2B750 5 Bytes JMP 001003FC
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4904] USER32.dll!SetWindowsHookExW 76A2E30C 5 Bytes JMP 00100804
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4904] USER32.dll!SetWinEventHook 76A324DC 5 Bytes JMP 001001F8
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4904] USER32.dll!SetWindowsHookExA 76A56D0C 5 Bytes JMP 00100600

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [743324CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [7431562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [743156EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74332546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [743285AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74324D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74325105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [743251DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74326707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74328301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74328850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [743290B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7432E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[132] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74324C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1712] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7193FC70] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe[2272] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [756CFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe[2272] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [756CFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe[2272] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [756CFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe[2272] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [756CFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\PC Tools\PC Tools Security\BDT\BDTUpdateService.exe[2272] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [756CFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Alwil Software\Avast5\AvastUI.exe[4428] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [7193FC70] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software)
Device \Driver\PCTBD \Device\PCTBDDevice ACF4C422
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools)
Device \Driver\BTHUSB \Device\0000008a bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000008c bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- Threads - GMER 2.1 ----

Thread System [4:5552] ACEE7F2E

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74de2baf29f1
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74de2baf29f1 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers@AliveServerCount 1
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\5C8DB8F0-2439-4B40-B3B5-DEC192AB89C6@IPAddress fe80::60b6:e632:c536:44d1
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\5C8DB8F0-2439-4B40-B3B5-DEC192AB89C6@Alive 0
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\94BC6E80-4348-4FE5-8D9E-BE51B48DE8B7@IPAddress 192.168.0.12

---- EOF - GMER 2.1 ----