GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-06 03:39:57
Windows 5.1.2600 Service Pack 3 \Device\Harddisk1\DR1 -> \Device\Ide\IdePort2 SAMSUNG_HD322HJ rev.1AC01118 298,09GB
Running: 6lqpdurz.exe; Driver: C:\Temp\ugdcqpoc.sys

---- System - GMER 2.1 ----

SSDT B8797974 ZwClose
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB03AA2F4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateFile [0xB03A45CA]
SSDT B879792E ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreatePort [0xB03AAA80]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcess [0xB03BDE4E]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateProcessEx [0xB03BE23C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateSection [0xB03C76F6]
SSDT B8797924 ZwCreateThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwCreateWaitablePort [0xB03AABB6]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDeleteFile [0xB03A51E0]
SSDT B8797933 ZwDeleteKey
SSDT B879793D ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwDuplicateObject [0xB03BCD8A]
SSDT B8797942 ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwLoadKey2 [0xB03C599C]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwOpenFile [0xB03A4DF2]
SSDT \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys (Chameleon protection driver/MalwareBytes) ZwOpenProcess [0xAE850A24]
SSDT \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys (Chameleon protection driver/MalwareBytes) ZwOpenThread [0xAE850B70]
SSDT B8797997 ZwQueryValueKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRenameKey [0xB03C672A]
SSDT B879794C ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwRequestWaitReplyPort [0xB03A9EC4]
SSDT B8797947 ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSecureConnectPort [0xB03AA59C]
SSDT B8797983 ZwSetContextThread
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSetInformationFile [0xB03A55A4]
SSDT B879798D ZwSetSecurityObject
SSDT B8797938 ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwSystemDebugControl [0xB03BEEA4]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB03BEC20]

INT 0x62 ? 8AC80CC8
INT 0x63 ? 8AC80CC8
INT 0x63 ? 8AC80CC8
INT 0x63 ? 8AA4AF00
INT 0x63 ? 8AC80CC8
INT 0x73 ? 8AA4AF00
INT 0x73 ? 8AA4AF00
INT 0x83 ? 8AA4AF00
INT 0x83 ? 8AA4AF00
INT 0x83 ? 8AA4AF00
INT 0xA4 ? 8AC80CC8
INT 0xA4 ? 8AC80CC8

Code \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys (Chameleon protection driver/MalwareBytes) KeInsertQueueApc

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!KeInsertQueueApc 804FC4EA 2 Bytes JMP AE851A9A \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys (Chameleon protection driver/MalwareBytes)
.text ntkrnlpa.exe!KeInsertQueueApc + 3 804FC4ED 2 Bytes [35, 2E]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D40 80504628 12 Bytes [80, AA, 3A, B0, 4E, DE, 3B, ...]
.sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xB7F8D346]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB2FED380, 0x8D6CD5, 0xE8000020]
.text USBPORT.SYS!DllUnload B2F888AC 5 Bytes JMP 8AA4A410

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1964] ntdll.dll!DbgBreakPoint 7C90120E 1 Byte [C3]
.text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1964] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 5 Bytes JMP 7C9225C8 C:\WINDOWS\system32\ntdll.dll (NT Layer DLL/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 016EDFF0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01E79796 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01E79773 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] kernel32.dll!ValidateLocale + B1C8 7C8449C8 7 Bytes JMP 016F5F1A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 00FC8131
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] USER32.dll!DrawTextExW 7E37B415 5 Bytes JMP 00FC96DD
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] USER32.dll!DrawTextW 7E37D7E2 5 Bytes JMP 00FC951B
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] USER32.dll!SetClipboardData 7E380F9E 5 Bytes JMP 00FC9191
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] USER32.dll!DrawTextA 7E38C702 5 Bytes JMP 00FC9440
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] USER32.dll!DrawTextExA 7E38C739 5 Bytes JMP 00FC95F6
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 00FC9374
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 00FC98A8
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01E796F4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 00FC92A8
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 00FC97C4
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 00FC9C68
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 00FC9D35
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] WS2_32.dll!getaddrinfo 71A52A6F 5 Bytes JMP 00FC7CA4
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00FC90D7
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] WS2_32.dll!send 71A54C27 5 Bytes JMP 00FC8C0B
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 00FC8E5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] WS2_32.dll!gethostbyname 71A55355 5 Bytes JMP 00FC7BE3
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] WS2_32.dll!recv 71A5676F 5 Bytes JMP 00FC8CC4
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00FC8D86
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] WS2_32.dll!WSAAsyncGetHostByName 71A5E99D 5 Bytes JMP 00FC8052
.text C:\Program Files\Mozilla Firefox\firefox.exe[5280] WININET.dll!InternetCrackUrlW 3FCF40C0 5 Bytes JMP 00FC9FFB
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5512] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 10609DDF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5512] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 10603789 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 2.1 ----

IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B7E93232] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B7E92730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B7E92F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7E92730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7E92914] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7E92856] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7E930F0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7E92F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EA6F1E] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [B03AF3F6] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [B03AF24C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [B03AFA3E] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [B03AD9A6] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [B03AD9A6] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [B03AF3F6] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [B03AF24C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [B03AFA3E] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [B03AF3F6] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [B03AD9A6] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [B03AFA3E] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [B03AF24C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [B03AFA3E] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [B03AF24C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [B03AF3F6] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [B03AD9A6] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [B03AF3F6] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [B03AF24C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [B03AFA3E] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [B03AF3F6] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [B03AD9A6] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [B03AFA3E] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [B03AF24C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[468] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [10003E90] C:\Program Files\CheckPoint\ZoneAlarm\vsinit.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[468] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [10004380] C:\Program Files\CheckPoint\ZoneAlarm\vsinit.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[468] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetModuleHandleA] [10004340] C:\Program Files\CheckPoint\ZoneAlarm\vsinit.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[468] @ C:\WINDOWS\system32\ADVAPI32.dll [KERNEL32.dll!CreateThread] [10009EF0] C:\Program Files\CheckPoint\ZoneAlarm\vsinit.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[468] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread] [10009EF0] C:\Program Files\CheckPoint\ZoneAlarm\vsinit.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[468] @ C:\WINDOWS\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [100020F0] C:\Program Files\CheckPoint\ZoneAlarm\vsinit.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[468] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] [10009EF0] C:\Program Files\CheckPoint\ZoneAlarm\vsinit.dll (TrueVector Service/Check Point Software Technologies LTD)
IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[468] @ C:\WINDOWS\system32\iphlpapi.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C88425D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[468] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!CreateThread] [7C88426C] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[468] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleA] [7C884262] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[468] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!GetModuleHandleW] [7C884267] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)
IAT C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[468] @ C:\WINDOWS\system32\WININET.dll [KERNEL32.dll!SetUnhandledExceptionFilter] [7C88425D] C:\WINDOWS\system32\kernel32.dll (Windows NT BASE API Client DLL/Microsoft Corporation)

---- Devices - GMER 2.1 ----

Device 8AC7F1F8
Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device \Driver\Tcpip \Device\Ip vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\usbohci \Device\USBPDO-0 8AA4B1F8
Device \Driver\usbohci \Device\USBPDO-1 8AA4B1F8
Device \Driver\usbehci \Device\USBPDO-2 8AA2A1F8
Device \Driver\usbohci \Device\USBPDO-3 8AA4B1F8
Device \Driver\usbohci \Device\USBPDO-4 8AA4B1F8
Device \Driver\Tcpip \Device\Tcp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\usbehci \Device\USBPDO-5 8AA2A1F8
Device \Driver\atapi -> DriverStartIo \Device\Dev_ffffffff8ac45d98 889AB864
Device \Driver\atapi \Device\Dev_ffffffff8ac45d98 889AE6F2
Device \Driver\usbohci \Device\USBPDO-6 8AA4B1F8
Device \Driver\Cdrom \Device\CdRom0 8A9FD1F8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 889AB864
Device \Driver\atapi \Device\Ide\IdePort0 [B7DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T0L0-3 889AB864
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 889AB864
Device \Driver\atapi \Device\Ide\IdePort1 [B7DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 889AB864
Device \Driver\atapi \Device\Ide\IdePort2 [B7DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 889AB864
Device \Driver\atapi \Device\Ide\IdePort3 [B7DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T0L0-24 889AB864
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-24 [B7DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 889AB864
Device \Driver\atapi \Device\Ide\IdePort4 [B7DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 889AB864
Device \Driver\atapi \Device\Ide\IdePort5 [B7DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP4T0L0-31 889AB864
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-31 [B7DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP2T0L0-19 889AB864
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-19 [B7DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi -> DriverStartIo \Device\Dev_ffffffff8ac19d98 889AB864
Device \Driver\atapi \Device\Dev_ffffffff8ac19d98 889AE6F2
Device \Driver\NetBT \Device\NetBt_Wins_Export 8998F1F8
Device \Driver\NetBT \Device\NetbiosSmb 8998F1F8
Device \Driver\atapi -> DriverStartIo \Device\Dev_ffffffff8abf1940 889AB864
Device \Driver\atapi \Device\Dev_ffffffff8abf1940 889AE6F2
Device \Driver\Tcpip \Device\Udp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\NetBT \Device\NetBT_Tcpip_{B29EE1CC-8855-43E9-8C49-B902D1318A75} 8998F1F8
Device \Driver\Tcpip \Device\RawIp vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device \Driver\usbohci \Device\USBFDO-0 8AA4B1F8
Device \Driver\usbohci \Device\USBFDO-1 8AA4B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 897C01F8
Device \Driver\usbehci \Device\USBFDO-2 8AA2A1F8
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device 897C01F8
Device \Driver\usbohci \Device\USBFDO-3 8AA4B1F8
Device \Driver\usbohci \Device\USBFDO-4 8AA4B1F8
Device \Driver\usbehci \Device\USBFDO-5 8AA2A1F8
Device \Driver\usbohci \Device\USBFDO-6 8AA4B1F8
Device \FileSystem\Cdfs \Cdfs 8979E1F8

---- Modules - GMER 2.1 ----

Module (noname) (*** hidden *** ) 889A4000-889BB900 (96512 bytes)

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x57 0x01 0x32 0xC0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x57 0x01 0x32 0xC0 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00004109110000000000000000F01FEC\Usage@ProductFiles 1128598364
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 169
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 108
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Canon MP250 series Printer@ChangeID 8775375
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Canon MP250 series Printer@Attributes 3592
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Canon MP250 series Printer\PrinterDriverData@CnmLM_DeviceIDCacheTime 0x1D 0xBA 0x4D 0x52 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Canon MP250 series Printer\PrinterDriverData@CnmSLM_TimeLastUpdated 7432250
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Canon MP250 series Printer\PrinterDriverData@CnmLM_ReadCacheTime 0x1D 0xBA 0x4D 0x52 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Canon MP250 series Printer\PrinterDriverData@CnmSLM_CartridgeDetectID 7432281
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x6B 0x65 0x49 0x6A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xB0 0x18 0xED 0xA7 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0x31 0x77 0xE1 0xBA ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0xFA 0xEA 0x66 0x7F ...

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk1\DR1 Device \Driver\atapi -> DriverStartIo 889ab864

---- EOF - GMER 2.1 ----
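The log above is raw GMER output with no commentary, so an analyst reading it has to do the correlation by hand: which SSDT hooks GMER could attribute to a named driver (here vsdatant.sys and mbamchameleon.sys), which ones it printed with only an address, and whether the atapi DriverStartIo target (889AB864, repeated on every IDE device object and on the Disk line) lies inside the address range reported as a hidden module (889A4000-889BB900). The triage helper below automates exactly those three checks. It is an added example, not part of the scan and not GMER's own code; the record formats it parses are the ones visible in this log, and the embedded sample is a constructed subset of the entries above. It reports facts only (ownership and address containment); it does not classify anything as malicious.

```python
"""Triage helper for GMER 2.1 rootkit-scan output.

Added example, not part of the GMER log above and not GMER's own code. It
parses the SSDT, Device/DriverStartIo, Disk and hidden-Module records that
GMER prints, groups SSDT hooks by the module GMER attributed them to, and
checks whether any DriverStartIo target falls inside a range GMER reported
as a hidden module. Record formats are taken from the log above.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the entries from the scan above.
SAMPLE_LOG = r"""
SSDT B8797974 ZwClose
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xB03AA2F4]
SSDT B879792E ZwCreateKey
SSDT \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys (Chameleon protection driver/MalwareBytes) ZwOpenProcess [0xAE850A24]
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwTerminateProcess [0xB03BEC20]
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 889AB864
Device \Driver\atapi \Device\Ide\IdePort0 [B7DC9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\usbohci \Device\USBPDO-0 8AA4B1F8
Module (noname) (*** hidden *** ) 889A4000-889BB900 (96512 bytes)
Disk \Device\Harddisk1\DR1 Device \Driver\atapi -> DriverStartIo 889ab864
"""

UNATTRIBUTED = "<unattributed>"

# SSDT entry where GMER named the owning module:
#   SSDT <module> (<description>) <ZwFunction> [0x<address>]
SSDT_OWNED = re.compile(
    r"^SSDT (?P<module>\S+) \((?P<desc>[^)]*)\) (?P<func>Zw\w+) \[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# SSDT entry where GMER printed only the hook address:
#   SSDT <address> <ZwFunction>
SSDT_BARE = re.compile(r"^SSDT (?P<addr>[0-9A-Fa-f]{8}) (?P<func>Zw\w+)$")
# DriverStartIo redirection on a device object, and the same on the Disk line.
STARTIO_DEV = re.compile(
    r"^Device (?P<driver>\S+) -> DriverStartIo (?P<device>\S+) (?P<addr>[0-9A-Fa-f]{8})$")
STARTIO_DISK = re.compile(
    r"^Disk (?P<device>\S+) Device (?P<driver>\S+) -> DriverStartIo (?P<addr>[0-9A-Fa-f]{8})$")
# Module GMER found in memory but in no loaded-module list.
HIDDEN_MODULE = re.compile(
    r"^Module \(noname\) \(\*\*\* hidden \*\*\* \) (?P<start>[0-9A-Fa-f]{8})-(?P<end>[0-9A-Fa-f]{8})")


def parse_gmer(text):
    """Return the records this helper cares about, one list per record type."""
    out = {"ssdt": [], "startio": [], "hidden": []}
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_OWNED.match(line):
            out["ssdt"].append((m["func"], m["module"], int(m["addr"], 16)))
        elif m := SSDT_BARE.match(line):
            out["ssdt"].append((m["func"], UNATTRIBUTED, int(m["addr"], 16)))
        elif (m := STARTIO_DEV.match(line)) or (m := STARTIO_DISK.match(line)):
            out["startio"].append((m["driver"], m["device"], int(m["addr"], 16)))
        elif m := HIDDEN_MODULE.match(line):
            out["hidden"].append((int(m["start"], 16), int(m["end"], 16)))
    return out


def triage(parsed):
    """Group SSDT hooks by owner; flag StartIo targets inside hidden modules."""
    by_owner = defaultdict(list)
    for func, owner, _addr in parsed["ssdt"]:
        by_owner[owner].append(func)
    in_hidden = []
    for driver, device, addr in parsed["startio"]:
        for start, end in parsed["hidden"]:
            if start <= addr < end:
                in_hidden.append((driver, device, addr, (start, end)))
    return {
        "ssdt_by_owner": dict(by_owner),
        "unattributed_ssdt": by_owner.get(UNATTRIBUTED, []),
        "startio_in_hidden": in_hidden,
    }


def report(text):
    """Human-readable summary lines, returned so callers can inspect them."""
    t = triage(parse_gmer(text))
    lines = []
    for owner, funcs in sorted(t["ssdt_by_owner"].items()):
        lines.append(f"SSDT hooks owned by {owner}: {', '.join(funcs)}")
    for driver, device, addr, (start, end) in t["startio_in_hidden"]:
        lines.append(f"{driver} DriverStartIo for {device} -> {addr:08X}, "
                     f"inside hidden module {start:08X}-{end:08X}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Run it against a full GMER log by passing the file contents to `report()`. On the sample it lists the two SSDT entries GMER left unattributed, the hooks owned by each named driver, and both DriverStartIo targets (the IdePort0 device object and the Disk line) as falling inside the hidden module range; that containment is the check worth doing first on this log, because a StartIo routine that resolves into memory no loaded-module list accounts for is what GMER's "hidden" marker is there to surface.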