GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-10 05:12:01 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916031 rev.0002 149,05GB Running: 6urqxryv.exe; Driver: C:\DOCUME~1\dd\USTAWI~1\Temp\fgtdapob.sys ---- System - GMER 2.1 ---- SSDT 8561CC10 ZwAlertResumeThread SSDT 8561CCA8 ZwAlertThread SSDT 8561D620 ZwAllocateVirtualMemory SSDT 8561C688 ZwAssignProcessToJobObject SSDT 85A49220 ZwConnectPort SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey [0xA52B3ED0] SSDT 8561CA38 ZwCreateMutant SSDT 8561C538 ZwCreateSymbolicLinkObject SSDT 855B8C00 ZwCreateThread SSDT 8561C720 ZwDebugActiveProcess SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey [0xA52B4150] SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey [0xA52B4810] SSDT 8561D760 ZwDuplicateObject SSDT 8561D4B0 ZwFreeVirtualMemory SSDT 8561CAE0 ZwImpersonateAnonymousToken SSDT 8561CB78 ZwImpersonateThread SSDT 85A6C440 ZwLoadDriver SSDT 8561D3F8 ZwMapViewOfSection SSDT 8561C9A0 ZwOpenEvent SSDT 856284C0 ZwOpenProcess SSDT 8561D6C8 ZwOpenProcessToken SSDT 8561C870 ZwOpenSection SSDT 85628418 ZwOpenThread SSDT 8561C5E0 ZwProtectVirtualMemory SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwRenameKey [0xA52B4D70] SSDT 8561CD40 ZwResumeThread SSDT 8561CF08 ZwSetContextThread SSDT 8561CF80 ZwSetInformationProcess SSDT 8561C7B8 ZwSetSystemInformation SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey [0xA52B4A90] SSDT 8561C908 ZwSuspendProcess SSDT 8561CDD8 ZwSuspendThread SSDT 85613A08 ZwTerminateProcess SSDT 8561CE70 ZwTerminateThread SSDT 8561D360 ZwUnmapViewOfSection SSDT 8561D558 ZwWriteVirtualMemory ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D34 8050461C 2 Bytes [38, CA] {CMP DL, CL} .text ntkrnlpa.exe!ZwCallbackReturn + 308D 80504975 7 Bytes [3A, 61, 85, 70, CE, 61, 85] ? SYMDS.SYS Nie można odnaleźć określonego pliku. ! ? SYMEFA.SYS Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\drivers\oreans32.sys section is writeable [0xA85B3280, 0x7B1C, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\RTHDCPL.EXE[236] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 04642180; RET .text C:\WINDOWS\RTHDCPL.EXE[236] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 046426B0; RET .text C:\WINDOWS\RTHDCPL.EXE[236] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 04642970; RET .text C:\WINDOWS\RTHDCPL.EXE[236] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 04642910; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[248] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 01172180; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[248] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 011726B0; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[248] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 01172970; RET .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[248] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 01172910; RET .text C:\Program Files\EeePC\ACPI\AsEPCMon.exe[512] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, AC] .text C:\Program Files\EeePC\ACPI\AsEPCMon.exe[512] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3] .text C:\Program Files\EeePC\ACPI\AsEPCMon.exe[512] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, AC] .text C:\Program Files\EeePC\ACPI\AsEPCMon.exe[512] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3] .text C:\Program Files\EeePC\ACPI\AsEPCMon.exe[512] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, AC] .text C:\Program Files\EeePC\ACPI\AsEPCMon.exe[512] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3] .text C:\Program Files\EeePC\ACPI\AsEPCMon.exe[512] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00AC2910; RET .text C:\Program Files\EeePC\ACPI\AsTray.exe[524] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, B1] .text C:\Program Files\EeePC\ACPI\AsTray.exe[524] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3] .text C:\Program Files\EeePC\ACPI\AsTray.exe[524] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, B1] .text C:\Program Files\EeePC\ACPI\AsTray.exe[524] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3] .text C:\Program Files\EeePC\ACPI\AsTray.exe[524] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, B1] .text C:\Program Files\EeePC\ACPI\AsTray.exe[524] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3] .text C:\Program Files\EeePC\ACPI\AsTray.exe[524] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00B12910; RET .text C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe[600] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, D7] .text C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe[600] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3] .text C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe[600] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, D7] .text C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe[600] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3] .text C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe[600] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, D7] .text C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe[600] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3] .text C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe[600] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00D72910; RET .text C:\Program Files\Asus\LiveUpdate\LiveUpdate.exe[600] ws2_32.dll!send 71A54C27 6 Bytes PUSH 00D73A90; RET .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[692] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, BF] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[692] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[692] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, BF] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[692] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[692] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, BF] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[692] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[692] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00BF2910; RET .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[768] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, 9E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[768] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[768] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, 9E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[768] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[768] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, 9E] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[768] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3] .text C:\Program Files\HP\HP Software Update\HPWuSchd2.exe[768] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 009E2910; RET .text C:\WINDOWS\system32\ctfmon.exe[780] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, B1] .text C:\WINDOWS\system32\ctfmon.exe[780] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3] .text C:\WINDOWS\system32\ctfmon.exe[780] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, B1] .text C:\WINDOWS\system32\ctfmon.exe[780] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3] .text C:\WINDOWS\system32\ctfmon.exe[780] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, B1] .text C:\WINDOWS\system32\ctfmon.exe[780] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3] .text C:\WINDOWS\system32\ctfmon.exe[780] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00B12910; RET .text C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe[1124] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, EC] .text C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe[1124] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3] .text C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe[1124] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, EC] .text C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe[1124] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3] .text C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe[1124] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, EC] .text C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe[1124] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3] .text C:\Program Files\EeePC\ACPI\AsAcpiSvr.exe[1124] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00EC2910; RET .text C:\WINDOWS\system32\igfxext.exe[1340] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 01202180; RET .text C:\WINDOWS\system32\igfxext.exe[1340] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 012026B0; RET .text C:\WINDOWS\system32\igfxext.exe[1340] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 01202970; RET .text C:\WINDOWS\system32\igfxext.exe[1340] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 01202910; RET .text C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe[1392] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 01192180; RET .text C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe[1392] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 011926B0; RET .text C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe[1392] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 01192970; RET .text C:\Program Files\ASUS\EeePC\Super Hybrid Engine\SuperHybridEngine.exe[1392] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 01192910; RET .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00750048 .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, 2B] .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3] .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, 2B] .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3] .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, 2B] .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3] .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 00610050 .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 002B2910; RET .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 0075020E .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 0075012A .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00750682 .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 0075059E .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 007503D6 .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 007502F2 .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [92, 88, EB, F9] {XCHG EDX, EAX; MOV BL, CH; STC } .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 007504BA .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00750766 .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] USER32.dll!CreateSystemThreads + 10A 7E3817F2 7 Bytes JMP 0075092C .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[1448] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0075084A .text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 02742180; RET .text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 027426B0; RET .text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 02742970; RET .text C:\WINDOWS\Explorer.EXE[1656] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 02742910; RET .text C:\WINDOWS\Explorer.EXE[1656] WS2_32.dll!send 71A54C27 6 Bytes PUSH 02743A90; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1868] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 01822180; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1868] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 018226B0; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1868] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 01822970; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1868] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 01822910; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[1868] WS2_32.dll!send 71A54C27 6 Bytes PUSH 01823A90; RET .text C:\WINDOWS\system32\igfxtray.exe[1972] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 013B2180; RET .text C:\WINDOWS\system32\igfxtray.exe[1972] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 013B26B0; RET .text C:\WINDOWS\system32\igfxtray.exe[1972] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 013B2970; RET .text C:\WINDOWS\system32\igfxtray.exe[1972] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 013B2910; RET .text C:\WINDOWS\system32\hkcmd.exe[1996] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 01082180; RET .text C:\WINDOWS\system32\hkcmd.exe[1996] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 010826B0; RET .text C:\WINDOWS\system32\hkcmd.exe[1996] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 01082970; RET .text C:\WINDOWS\system32\hkcmd.exe[1996] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 01082910; RET .text C:\WINDOWS\system32\igfxsrvc.exe[2032] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 01492180; RET .text C:\WINDOWS\system32\igfxsrvc.exe[2032] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 014926B0; RET .text C:\WINDOWS\system32\igfxsrvc.exe[2032] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 01492970; RET .text C:\WINDOWS\system32\igfxsrvc.exe[2032] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 01492910; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2836] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, 97] .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2836] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3] .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2836] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, 97] .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2836] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3] .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2836] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, 97] .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2836] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3] .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2836] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00972910; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2836] WS2_32.dll!send 71A54C27 6 Bytes PUSH 00973A90; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[3148] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 013C2180; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[3148] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 013C26B0; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[3148] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 013C2970; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[3148] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 013C2910; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[3356] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, AE] .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[3356] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3] .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[3356] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, AE] .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[3356] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3] .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[3356] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, AE] .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[3356] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3] .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[3356] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00AE2910; RET .text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[3356] ws2_32.dll!send 71A54C27 6 Bytes PUSH 00AE3A90; RET .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00610048 .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, 16] .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3] .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, 16] .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3] .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, 16] .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3] .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003E0050 .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00162910; RET .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 0061020E .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 0061012A .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00610682 .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 0061059E .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 006103D6 .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 006102F2 .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [7E, 88, EB, F9] {JLE 0xffffff8a; JMP 0xfffffffd} .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 006104BA .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00610766 .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] USER32.dll!CreateSystemThreads + 10A 7E3817F2 7 Bytes JMP 0061092C .text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3828] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0061084A ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys Device mrxsmb.sys Device A31B8D20 AttachedDevice fltMgr.sys ---- Files - GMER 2.1 ---- File C:\Documents and Settings\dd\Dane aplikacji\{13994f74-0a97-191d-f75e-92e913994f74} 0 bytes File C:\Documents and Settings\dd\Menu Start\Programy\Autostart\{13994f74-0a97-191d-f75e-92e913994f74}.exe 190976 bytes executable ---- EOF - GMER 2.1 ----