GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-07-21 16:54:44 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e WDC_WD2500BEVS-75UST0 rev.01.01A01 232,89GB Running: zeincv8n.exe; Driver: C:\DOCUME~1\Damia\USTAWI~1\Temp\uxtdapod.sys ---- System - GMER 2.1 ---- SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB7221AD0] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB72225AE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwClose [0xB72667D0] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateEvent [0xB722E5E0] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB722E62C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB722E7C6] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateKey [0xB7266184] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateMutant [0xB722E54E] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateSection [0xB722E670] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB722E596] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateThread [0xB7222AE4] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateTimer [0xB722E780] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB722339C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB7221B36] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDeleteKey [0xB7266E96] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB726714C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB7226B32] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB7266D01] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB7266B6C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwLoadDriver [0xB722171E] SSDT \??\C:\WINDOWS\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB7571466] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB7221B9C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB7226F28] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB7223E2C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenEvent [0xB722E60A] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB722E64E] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB722E7EA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenKey [0xB72664E0] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenMutant [0xB722E574] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenProcess [0xB722642C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenSection [0xB722E6FE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB722E5BE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenThread [0xB7226814] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenTimer [0xB722E7A4] SSDT \??\C:\WINDOWS\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB757120A] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueryKey [0xB72669E7] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueryObject [0xB7223CF8] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB7266839] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB722384E] SSDT \??\C:\WINDOWS\system32\drivers\aswSP.sys ZwRenameKey [0xB757F1EA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwRestoreKey [0xB72657CA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB7221C02] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB7221C68] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetContextThread [0xB7223216] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB72217B8] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB722198E] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetValueKey [0xB7266F9D] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB722191C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB7223566] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSuspendThread [0xB72236C8] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB7221A16] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB7223054] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwTerminateThread [0xB72231F6] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwVdmControl [0xB7221CCE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB722260A] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D15 805045FD 7 Bytes [E5, 22, B7, 2C, E6, 22, B7] .text ntkrnlpa.exe!ZwCallbackReturn + 2E5C 80504744 4 Bytes [EA, E7, 22, B7] .text ntkrnlpa.exe!ZwCallbackReturn + 2F88 80504870 4 Bytes [EA, F1, 57, B7] .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [02, 1C, 22, B7, 68, 1C, 22, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [66, 35, 22, B7, C8, 36, 22, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL B72244FD \??\C:\WINDOWS\system32\drivers\aswSnx.sys .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8E5E360, 0x30A247, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\ctfmon.exe[112] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[112] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[196] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[196] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[280] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[280] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[344] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[344] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[420] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe[420] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[588] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Windows Desktop Search\WindowsSearch.exe[588] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Documents and Settings\All Users\Dane aplikacji\IBUpdaterService\ibsvc.exe[636] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\All Users\Dane aplikacji\IBUpdaterService\ibsvc.exe[636] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Documents and Settings\Damia\Dane aplikacji\Dropbox\bin\Dropbox.exe[744] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Damia\Dane aplikacji\Dropbox\bin\Dropbox.exe[744] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[768] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[768] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[776] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[776] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\OEM02Mon.exe[780] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\OEM02Mon.exe[780] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[788] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[788] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Dell\QuickSet\quickset.exe[796] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Dell\QuickSet\quickset.exe[796] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[832] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\rundll32.exe[836] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\rundll32.exe[836] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\RUNDLL32.EXE[868] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\RUNDLL32.EXE[868] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[872] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[872] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[896] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[896] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[900] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[900] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[928] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[928] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe[940] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\DELL\DELL Webcam Manager\DellWMgr.exe[940] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\services.exe[976] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[976] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[988] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[988] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\ScreenShooter\screenshooter.exe[1184] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\ScreenShooter\screenshooter.exe[1184] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Skype\Phone\Skype.exe[1196] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Skype\Phone\Skype.exe[1196] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[1212] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Intel\Wireless\Bin\Dot1XCfg.exe[1212] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1232] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1232] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1272] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1272] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1312] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1368] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1368] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\nvsvc32.exe[1420] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\nvsvc32.exe[1420] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Documents and Settings\Damia\Moje dokumenty\Pobrane\zeincv8n.exe[1612] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Damia\Moje dokumenty\Pobrane\zeincv8n.exe[1612] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1620] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1620] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1680] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1680] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1708] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Intel\Wireless\Bin\RegSrvc.exe[1708] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1792] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1792] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1864] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1864] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Bonjour\mDNSResponder.exe[1960] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Bonjour\mDNSResponder.exe[1960] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2068] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2068] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[2164] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Intel\Wireless\Bin\WLKeeper.exe[2164] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\SearchIndexer.exe[2400] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\SearchIndexer.exe[2400] kernel32.dll!WriteFile 7C8112FF 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL .text C:\WINDOWS\system32\SearchIndexer.exe[2400] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 019BB8D0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 019B7B07 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 019B7820 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 019B7A00 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 0220CCC0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 019BBFE0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 0220CC6F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00461EAE C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 004503FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] KERNEL32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 021D9E88 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 021D9E65 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] KERNEL32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 019B8236 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] user32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 020E7585 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2912] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 021D9DE6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\WINDOWS\system32\NOTEPAD.EXE[3240] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\NOTEPAD.EXE[3240] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3576] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3576] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3612] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3612] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[976] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[976] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys Device \FileSystem\Fastfat \Fat B346ED20 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 42483 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3D 0x99 0xC3 0xA9 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90794772-1AD9-4AD4-89D7-EEBD863D3AB0}@LeaseObtainedTime 1405937696 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90794772-1AD9-4AD4-89D7-EEBD863D3AB0}@T1 1405939496 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90794772-1AD9-4AD4-89D7-EEBD863D3AB0}@T2 1405940846 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90794772-1AD9-4AD4-89D7-EEBD863D3AB0}@LeaseTerminatesTime 1405941296 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{90794772-1AD9-4AD4-89D7-EEBD863D3AB0}@DhcpRetryTime 1798 Reg HKLM\SYSTEM\CurrentControlSet\Services\{90794772-1AD9-4AD4-89D7-EEBD863D3AB0}\Parameters\Tcpip@LeaseObtainedTime 1405937696 Reg HKLM\SYSTEM\CurrentControlSet\Services\{90794772-1AD9-4AD4-89D7-EEBD863D3AB0}\Parameters\Tcpip@T1 1405939496 Reg HKLM\SYSTEM\CurrentControlSet\Services\{90794772-1AD9-4AD4-89D7-EEBD863D3AB0}\Parameters\Tcpip@T2 1405940846 Reg HKLM\SYSTEM\CurrentControlSet\Services\{90794772-1AD9-4AD4-89D7-EEBD863D3AB0}\Parameters\Tcpip@LeaseTerminatesTime 1405941296 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3D 0x99 0xC3 0xA9 ...