GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-12 19:05:21
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000035 WDC_WD10JPVT-75A1YT0 rev.01.01A01 931,51GB
Running: gmer.exe; Driver: C:\Users\PATRYK~1\AppData\Local\Temp\ufldipow.sys

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation  00007ffb48dd28c0  7 bytes  JMP 00007ffc46c202d0
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW  00007ffb48dd43d8  7 bytes  JMP 00007ffc46c20308
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA  00007ffb48e81f20  7 bytes  JMP 00007ffc46c20378
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW  00007ffb48e840b4  7 bytes  JMP 00007ffc46c203b0
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW  00007ffb48e84510  7 bytes  JMP 00007ffc46c20340
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW  00007ffb48e84af0  7 bytes  JMP 00007ffc46c20260
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx  00007ffb48eacea0  7 bytes  JMP 00007ffc46c20228
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW  00007ffb48eacf10  7 bytes  JMP 00007ffc46c20298
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW  00007ffb46c3299c  7 bytes  JMP 00007ffc46c200d8
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary  00007ffb46c354c8  5 bytes  JMP 00007ffc46c20180
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW  00007ffb46c355b0  5 bytes  JMP 00007ffc46c20148
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW  00007ffb46c35e58  5 bytes  JMP 00007ffc46c20110
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\USER32.dll!CreateWindowExW  00007ffb47077834  10 bytes  JMP 00007ffc46c20490
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA  00007ffb4707b4d0  5 bytes  JMP 00007ffc46c20420
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW  00007ffb4707c6d8  5 bytes  JMP 00007ffc46c20458
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo  00007ffb4707e39c  9 bytes  JMP 00007ffc46c203e8
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList  00007ffb49051500  8 bytes  JMP 00007ffc46c201b8
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo  00007ffb49051750  8 bytes  JMP 00007ffc46c201f0
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1  00007ffb42f77a88  5 bytes  JMP 00007ffc42ba0110
.text  C:\WINDOWS\system32\dwm.exe[996]  C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory  00007ffb42f84990  5 bytes  JMP 00007ffc42ba00d8
.text  C:\WINDOWS\system32\nvvsvc.exe[664]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffb491a169a  4 bytes  [1A, 49, FB, 7F]
.text  C:\WINDOWS\system32\nvvsvc.exe[664]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffb491a16a2  4 bytes  [1A, 49, FB, 7F]
.text  C:\WINDOWS\system32\nvvsvc.exe[664]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffb491a181a  4 bytes  [1A, 49, FB, 7F]
.text  C:\WINDOWS\system32\nvvsvc.exe[664]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffb491a1832  4 bytes  [1A, 49, FB, 7F]
.text  C:\WINDOWS\system32\WLANExt.exe[1756]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffb491a169a  4 bytes  [1A, 49, FB, 7F]
.text  C:\WINDOWS\system32\WLANExt.exe[1756]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffb491a16a2  4 bytes  [1A, 49, FB, 7F]
.text  C:\WINDOWS\system32\WLANExt.exe[1756]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffb491a181a  4 bytes  [1A, 49, FB, 7F]
.text  C:\WINDOWS\system32\WLANExt.exe[1756]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffb491a1832  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1380]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffb491a169a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1380]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffb491a16a2  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1380]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffb491a181a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1380]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffb491a1832  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1380]  C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194  00007ffb3d6d1f6a  4 bytes  [6D, 3D, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1380]  C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218  00007ffb3d6d1f82  4 bytes  [6D, 3D, FB, 7F]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1584]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffb491a169a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1584]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffb491a16a2  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1584]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffb491a181a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[1584]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffb491a1832  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1768]  C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506  00007ffb491a169a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1768]  C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514  00007ffb491a16a2  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1768]  C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118  00007ffb491a181a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Microsoft SQL Server\90\Shared\sqlwriter.exe[1768]  C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142  00007ffb491a1832  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[2692]  C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 506  00007ffb491a169a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[2692]  C:\WINDOWS\system32\psapi.dll!GetModuleBaseNameA + 514  00007ffb491a16a2  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[2692]  C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 118  00007ffb491a181a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Windows Defender\MsMpEng.exe[2692]  C:\WINDOWS\system32\psapi.dll!QueryWorkingSet + 142  00007ffb491a1832  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2816]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffb491a169a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2816]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffb491a16a2  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2816]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffb491a181a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2816]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffb491a1832  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\DellTPad\Apoint.exe[4020]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffb491a169a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\DellTPad\Apoint.exe[4020]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffb491a16a2  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\DellTPad\Apoint.exe[4020]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffb491a181a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\DellTPad\Apoint.exe[4020]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffb491a1832  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\DellTPad\ApMsgFwd.exe[2732]  C:\WINDOWS\system32\PSAPI.dll!GetModuleBaseNameA + 506  00007ffb491a169a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\DellTPad\ApMsgFwd.exe[2732]  C:\WINDOWS\system32\PSAPI.dll!GetModuleBaseNameA + 514  00007ffb491a16a2  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\DellTPad\ApMsgFwd.exe[2732]  C:\WINDOWS\system32\PSAPI.dll!QueryWorkingSet + 118  00007ffb491a181a  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\DellTPad\ApMsgFwd.exe[2732]  C:\WINDOWS\system32\PSAPI.dll!QueryWorkingSet + 142  00007ffb491a1832  4 bytes  [1A, 49, FB, 7F]
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\KERNEL32.dll!K32GetModuleInformation  00007ffb48dd28c0  7 bytes  JMP 00007ffc46c203b0
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\KERNEL32.dll!RegQueryValueExW  00007ffb48dd43d8  7 bytes  JMP 00007ffc46c203e8
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\KERNEL32.dll!RegSetValueExA  00007ffb48e81f20  7 bytes  JMP 00007ffc46c20458
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\KERNEL32.dll!RegSetValueExW  00007ffb48e840b4  7 bytes  JMP 00007ffc46c20490
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\KERNEL32.dll!RegDeleteValueW  00007ffb48e84510  7 bytes  JMP 00007ffc46c20420
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\KERNEL32.dll!K32GetModuleFileNameExW  00007ffb48e84af0  7 bytes  JMP 00007ffc46c20340
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\KERNEL32.dll!K32EnumProcessModulesEx  00007ffb48eacea0  7 bytes  JMP 00007ffc46c20308
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\KERNEL32.dll!K32GetMappedFileNameW  00007ffb48eacf10  7 bytes  JMP 00007ffc46c20378
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW  00007ffb46c3299c  7 bytes  JMP 00007ffc46c200d8
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary  00007ffb46c354c8  5 bytes  JMP 00007ffc46c20180
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW  00007ffb46c355b0  5 bytes  JMP 00007ffc46c20148
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW  00007ffb46c35e58  5 bytes  JMP 00007ffc46c20110
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket  00007ffb48789318  3 bytes  JMP 00007ffc46c20260
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket + 4  00007ffb4878931c  3 bytes  [FE, CC, CC]
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\SYSTEM32\combase.dll!CoCreateInstance  00007ffb4878cbe0  7 bytes  JMP 00007ffc46c20228
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\USER32.dll!CreateWindowExW  00007ffb47077834  10 bytes  JMP 00007ffc46c20570
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA  00007ffb4707b4d0  5 bytes  JMP 00007ffc46c20500
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW  00007ffb4707c6d8  5 bytes  JMP 00007ffc46c20538
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo  00007ffb4707e39c  9 bytes  JMP 00007ffc46c204c8
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList  00007ffb49051500  8 bytes  JMP 00007ffc46c201b8
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo  00007ffb49051750  8 bytes  JMP 00007ffc46c201f0
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\SYSTEM32\d3d9.dll!Direct3DCreate9Ex  00007ffb3025a204  5 bytes  JMP 00007ffb46c202d0
.text  C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188]  C:\WINDOWS\SYSTEM32\d3d9.dll!Direct3DCreate9  00007ffb302722cc  6 bytes  JMP 00007ffb46c20298
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[4936]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffb491a169a  4 bytes  [1A, 49, FB, 7F]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[4936]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffb491a16a2  4 bytes  [1A, 49, FB, 7F]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[4936]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffb491a181a  4 bytes  [1A, 49, FB, 7F]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[4936]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffb491a1832  4 bytes  [1A, 49, FB, 7F]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!??3@YAXPEAX@Z]  [ffc9335024548b48]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!vswprintf_s]  [4823eb0000326315]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!_vscwprintf]  [8b480000114a058b]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!memcpy_s]  [11a005894800]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!_vsnwprintf]  [4800001139058b48]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!??2@YAPEAX_K@Z]  [112e05894808c083]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!memcmp]  [1187058b480000]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!_CxxThrowException]  [ff805894800]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!wcsrchr]  [9024848b48]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!free]  [c7000010f9058948]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!malloc]  [40900000fcf05]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!wcstoul]  [100000fc905c7c0]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!_amsg_exit]  [fd305c7000000]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!_initterm]  [8b80000000300]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!??1type_info@@UEAA@XZ]  [8d4800c06b480000]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!_lock]  [4c74800000fcb0d]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!_unlock]  [8b80000000201]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!__dllonexit]  [8d4801c06b480000]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!_onexit]  [158b4800000fb30d]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!_XcptFilter]  [114894800000f64]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!__CxxFrameHandler3]  [c06b4800000008b8]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!memcpy]  [f980d8d4802]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!memmove_s]  [4800000f51158b48]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!_wcsicmp]  [8b8011489]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!??_V@YAXPEAX@Z]  [350d8b4800c06b48]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!memset]  [68044c894800000f]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [msvcrt.dll!wcscmp]  [c06b4800000008b8]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [KERNEL32.dll!RegEnumValueW]  [4cf175d33b4d1b84]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [KERNEL32.dll!DelayLoadFailureHook]  [8245c8b4c24148b]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [KERNEL32.dll!RegOpenCurrentUser]  [5540cccccccccccc]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [KERNEL32.dll!RegDeleteValueW]  [48ea8b4820ec8348]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [KERNEL32.dll!UnregisterWait]  [8b48000001008d89]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [KERNEL32.dll!LocalFree]  [a89589108b01]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [KERNEL32.dll!LocalAlloc]  [f88d894800]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [KERNEL32.dll!lstrcmpW]  [633d50458b505589]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [KERNEL32.dll!GetSystemPowerStatus]  [958b481475e06d73]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [KERNEL32.dll!WTSGetActiveConsoleSessionId]  [e8504d8b000000f8]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [USER32.dll!RegisterDeviceNotificationW]  [3045c707]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [USER32.dll!UnregisterDeviceNotification]  [5d20c4834830458b]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [USER32.dll!MsgWaitForMultipleObjectsEx]  [20ec83485540ccc3]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [USER32.dll!PeekMessageW]  [1108d8948ea8b48]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [USER32.dll!DispatchMessageW]  [89108b018b480000]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [USER32.dll!UnregisterClassA]  [8d89480000009895]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [ADVAPI32.dll!AuditFree]  [75e06d73633d7045]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [ADVAPI32.dll!SetEntriesInAclW]  [d0958b4814]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [ADVAPI32.dll!AuditQueryPerUserPolicy]  [fffffc60e8704d8b]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [ADVAPI32.dll!EnableTrace]  [3845c707eb384589]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [ADVAPI32.dll!SetSecurityInfo]  [4838458b00000000]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [ADVAPI32.dll!RegDeleteKeyW]  [5540ccc35d20c483]
IAT  C:\WINDOWS\System32\svchost.exe[536] @ c:\windows\system32\wpdbusenum.dll  [ADVAPI32.dll!AuditQuerySystemPolicy]  [48ea8b4820ec8348]

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\csrss.exe [672:696]  fffff9600091ab90
Thread  C:\WINDOWS\Explorer.EXE [2520:2300]  00007ffb2978d73c

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----
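The "User code sections" block above mixes two very different kinds of finding: entries that end in "JMP <address>" (an inline hook that redirects control flow into some other module, which is what you need to attribute) and entries that end in a short byte list such as [1A, 49, FB, 7F] (bytes in memory that differ from the on-disk image, with no redirect). The following parser and triage is an added example written for this page; it is not GMER's code and not part of the report. It reads GMER 2.1 ".text" lines, separates the two kinds, and applies one heuristic of my own: for a 4-byte difference, if the little-endian value equals bits 16..47 of the patched address (to within one 64 KiB step), the bytes are what the upper half of an absolute 64-bit pointer into that same module looks like after ASLR relocation, not injected code. Every PSAPI.DLL and WSOCK32.dll entry in this report satisfies that check (0x7ffb491a for the PSAPI sites, 0x7ffb3d6d for the WSOCK32 sites), and the same PSAPI sites recur identically in nine unrelated processes, which points at a shared image rather than per-process injection. The JMP hooks in dwm.exe and SignalIslandUi.exe are the entries left to attribute; the example groups their targets by 4 KiB page so that each page can be resolved to the module that owns it. The sample lines are copied from the report above; the heuristic and the tolerance are assumptions of this example.

```python
"""Triage GMER 2.1 'User code sections' entries (added example, not GMER code)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Lines copied from the GMER report above (a subset, enough to exercise each case).
SAMPLE = r"""
.text C:\WINDOWS\system32\dwm.exe[996] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffb48dd28c0 7 bytes JMP 00007ffc46c202d0
.text C:\WINDOWS\system32\dwm.exe[996] C:\WINDOWS\system32\dxgi.dll!CreateDXGIFactory1 00007ffb42f77a88 5 bytes JMP 00007ffc42ba0110
.text C:\WINDOWS\system32\nvvsvc.exe[664] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffb491a169a 4 bytes [1A, 49, FB, 7F]
.text C:\WINDOWS\system32\WLANExt.exe[1756] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffb491a169a 4 bytes [1A, 49, FB, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1380] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ffb3d6d1f6a 4 bytes [6D, 3D, FB, 7F]
.text C:\Program Files\Intel\TurboBoost\SignalIslandUi.exe[4188] C:\WINDOWS\SYSTEM32\combase.dll!CoSetProxyBlanket + 4 00007ffb4878931c 3 bytes [FE, CC, CC]
---- User IAT/EAT - GMER 2.1 ----
"""

# One GMER ".text" line: process[pid]  module!export [+ offset]  addr  N bytes  JMP target | [bytes]
LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>.+?)!(?P<func>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes\s+"
    r"(?P<patch>JMP\s+[0-9a-fA-F]{16}|\[[0-9A-Fa-f, ]+\])\s*$"
)


@dataclass
class Patch:
    process: str
    pid: int
    module: str
    func: str
    offset: int
    addr: int
    size: int
    jmp_target: Optional[int]  # set for "JMP <addr>" entries
    raw: Optional[bytes]       # set for "[aa, bb, ...]" entries

    @property
    def site(self) -> str:
        return f"{self.module.rsplit(chr(92), 1)[-1]}!{self.func}+{self.offset}"

    @property
    def image(self) -> str:
        return self.process.rsplit(chr(92), 1)[-1]


def parse_line(line: str) -> Optional[Patch]:
    """Parse one GMER '.text' line; returns None for headers and other sections."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    patch = m.group("patch")
    if patch.startswith("JMP"):
        jmp, raw = int(patch.split()[1], 16), None
    else:
        jmp, raw = None, bytes(int(b, 16) for b in patch.strip("[]").split(","))
    return Patch(process=m.group("proc"), pid=int(m.group("pid")),
                 module=m.group("module"), func=m.group("func"),
                 offset=int(m.group("offset") or 0), addr=int(m.group("addr"), 16),
                 size=int(m.group("size")), jmp_target=jmp, raw=raw)


def classify(p: Patch) -> str:
    """Heuristic of this example (not a GMER rule):
    inline_jmp       - control flow is redirected; attribute the target.
    relocation_fixup - 4 differing bytes equal bits 16..47 of the site's own
                       address (+/-1 64 KiB step): the ASLR-relocated upper
                       half of an absolute pointer into the same module.
    raw_bytes        - anything else; needs a look at the disassembly."""
    if p.jmp_target is not None:
        return "inline_jmp"
    if p.raw is not None and p.size == 4:
        val = int.from_bytes(p.raw, "little")
        if abs(val - ((p.addr >> 16) & 0xFFFFFFFF)) <= 1:
            return "relocation_fixup"
    return "raw_bytes"


def triage(log_text: str) -> List[dict]:
    """One row per parsed entry: process image, pid, site and classification."""
    return [{"process": p.image, "pid": p.pid, "site": p.site, "kind": classify(p)}
            for p in map(parse_line, log_text.splitlines()) if p is not None]


def hook_pages(log_text: str) -> Dict[str, Set[int]]:
    """Distinct 4 KiB pages that JMP hooks land on, per process image.
    Resolve each page to its owning module (e.g. in a debugger) to name the hooker."""
    pages: Dict[str, Set[int]] = defaultdict(set)
    for p in map(parse_line, log_text.splitlines()):
        if p is not None and p.jmp_target is not None:
            pages[p.image].add(p.jmp_target & ~0xFFF)
    return dict(pages)


def shared_sites(log_text: str) -> Dict[str, Set[str]]:
    """Raw-byte sites keyed by module!export+offset with the processes reporting them;
    the same site in many processes means the shared image differs, not one process."""
    seen: Dict[str, Set[str]] = defaultdict(set)
    for p in map(parse_line, log_text.splitlines()):
        if p is not None and p.raw is not None:
            seen[p.site].add(p.image)
    return dict(seen)


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(f'{row["kind"]:17} {row["process"]}[{row["pid"]}] {row["site"]}')
    for image, pages in hook_pages(SAMPLE).items():
        print(image, [hex(pg) for pg in sorted(pages)])
```

To run it over the whole report, replace SAMPLE with the text of the "User code sections" block; the parser ignores the header, IAT, thread and disk lines. The relocation check is deliberately narrow (exactly 4 bytes, value anchored to the site's own address), so it will not silence a 4-byte patch that happens to encode something else; anything it does not recognise falls through to raw_bytes and is left for manual review.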