GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-25 15:31:16 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.892C 74,53GB Running: 1fp36chm.exe; Driver: C:\DOCUME~1\admin\USTAWI~1\Temp\awtdqpog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xA7793BA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xA7794684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xA77D8D80] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xA77A06F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xA77A0744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xA77A08DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xA77D8734] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xA77A0666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xA77A0788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xA77A06AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xA7794BBA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xA77A0898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xA7795472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xA7793C0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xA77D9446] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xA77D96FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xA7798C68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xA77D92B1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xA77D911C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xA77937F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xA7AB3ED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xA7793C72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xA779905E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xA7795F5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xA77A0722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xA77A0766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xA77A0902] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xA77D8A90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xA77A068C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xA7798560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xA77A0816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xA77A06D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xA779894C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xA77A08BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xA7AB3C6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xA77D8F97] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xA7795DCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xA77D8DE9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xA7795924] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xA7AC1E1A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xA77D7D77] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xA7793CD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xA7793D3E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xA77952EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xA7793892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xA7793A64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xA77D954D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xA77939F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xA779563C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xA779579E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xA7793AEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xA779512A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xA77952CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xA7793DA4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xA77946E0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2F4C 80504834 4 Bytes [E9, 8D, 7D, A7] .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [D8, 3C, 79, A7, 3E, 3D, 79, ...] {FDIVR DWORD [ECX+EDI*2]; CMPSD ; CMP EAX, 0x52eca779; JNS 0xffffffb3} .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [3C, 56, 79, A7, 9E, 57, 79, ...] {CMP AL, 0x56; JNS 0xffffffab; SAHF ; PUSH EDI; JNS 0xffffffaf; IN AL, DX; CMP BH, [ECX-0x59]} PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL A779662B \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Documents and Settings\All Users\Dane aplikacji\IePluginServices\PluginService.exe[212] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\All Users\Dane aplikacji\IePluginServices\PluginService.exe[212] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Documents and Settings\All Users\Dane aplikacji\WindowsMangerProtect\ProtectWindowsManager.exe[260] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\All Users\Dane aplikacji\WindowsMangerProtect\ProtectWindowsManager.exe[260] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[360] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[360] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[496] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[496] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wdfmgr.exe[616] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wdfmgr.exe[616] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[664] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[664] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[680] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[680] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE[740] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\HPQ\HP ProtectTools Security Manager\PTHOSTTR.EXE[740] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[772] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[772] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[832] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[832] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[864] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\igfxtray.exe[896] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\igfxtray.exe[896] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[916] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[916] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[920] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[920] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[940] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[940] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\services.exe[984] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[984] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[996] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[996] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1108] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1108] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1176] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1292] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1292] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[1324] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[1324] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Google\Update\GoogleUpdate.exe[1376] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Google\Update\GoogleUpdate.exe[1376] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\RCP\RegCleanPro.exe[1436] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\RCP\RegCleanPro.exe[1436] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1452] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1452] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[1500] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[1500] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\igfxpers.exe[1520] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\igfxpers.exe[1520] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1572] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1572] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1624] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1624] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\HPQ\IAM\bin\asghost.exe[1692] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\HPQ\IAM\bin\asghost.exe[1692] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\DllHost.exe[1704] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\DllHost.exe[1704] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1872] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1872] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[1880] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[1880] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1924] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1924] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1924] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2016] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2016] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[2032] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[2032] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[2056] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[2056] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Google\Update\1.3.24.15\GoogleCrashHandler.exe[2072] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Google\Update\1.3.24.15\GoogleCrashHandler.exe[2072] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[2256] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[2256] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Documents and Settings\admin\Pulpit\1fp36chm.exe[2276] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\admin\Pulpit\1fp36chm.exe[2276] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2504] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2504] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\SMINST\Scheduler.exe[2516] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\SMINST\Scheduler.exe[2516] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\SMINST\Scheduler.exe[2516] USER32.dll!GetSysColor 7E368E78 5 Bytes JMP 00418ED0 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[2516] USER32.dll!GetSysColorBrush 7E368EAB 5 Bytes JMP 00418F40 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[2516] USER32.dll!SetScrollInfo 7E369056 7 Bytes JMP 00418DC0 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[2516] USER32.dll!GetScrollInfo 7E37DFE2 7 Bytes JMP 00418D10 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[2516] USER32.dll!ShowScrollBar 7E37F2F2 5 Bytes JMP 00418E90 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[2516] USER32.dll!GetScrollPos 7E37F704 5 Bytes JMP 00418D50 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[2516] USER32.dll!SetScrollPos 7E37F750 5 Bytes JMP 00418E00 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[2516] USER32.dll!GetScrollRange 7E37F787 5 Bytes JMP 00418D80 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[2516] USER32.dll!SetScrollRange 7E37F99B 5 Bytes JMP 00418E40 C:\WINDOWS\SMINST\Scheduler.exe .text C:\WINDOWS\SMINST\Scheduler.exe[2516] USER32.dll!EnableScrollBar 7E3B8005 7 Bytes JMP 00418CD0 C:\WINDOWS\SMINST\Scheduler.exe .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2572] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2572] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2572] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\AGRSMMSG.exe[2636] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\AGRSMMSG.exe[2636] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2704] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2704] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[2724] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[2724] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[984] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[984] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----