GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-21 19:15:53 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000066 Hitachi_ rev.PB4O 465,76GB Running: 1yqdun4z.exe; Driver: C:\Users\leszek\AppData\Local\Temp\aftcraog.sys ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwReplaceKey + 1525 82A59B55 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A93BB2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x8A6DCFEE] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\lsm.exe[528] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 001E000C .text C:\Windows\system32\lsm.exe[528] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 001E100C .text C:\Windows\system32\lsm.exe[528] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 001E200C .text C:\Windows\system32\lsm.exe[528] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 001EC00C .text C:\Windows\system32\lsm.exe[528] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 001EA00C .text C:\Windows\system32\lsm.exe[528] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 001ED00C .text C:\Windows\system32\svchost.exe[660] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0044000C .text C:\Windows\system32\svchost.exe[660] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0044100C .text C:\Windows\system32\svchost.exe[660] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0044200C .text C:\Windows\system32\svchost.exe[660] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 0044E00C .text C:\Windows\system32\svchost.exe[660] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 0044C00C .text C:\Windows\system32\svchost.exe[660] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 0044F00C .text C:\Windows\system32\svchost.exe[660] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 0044400C .text C:\Windows\system32\svchost.exe[660] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 0044300C .text C:\Windows\system32\winlogon.exe[680] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 008E000C .text C:\Windows\system32\winlogon.exe[680] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 008E100C .text C:\Windows\system32\winlogon.exe[680] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 008E200C .text C:\Windows\system32\winlogon.exe[680] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 008EE00C .text C:\Windows\system32\winlogon.exe[680] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 008EC00C .text C:\Windows\system32\winlogon.exe[680] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 008EF00C .text C:\Windows\system32\winlogon.exe[680] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 008E400C .text C:\Windows\system32\winlogon.exe[680] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 008E300C .text C:\Users\leszek\Desktop\1yqdun4z.exe[716] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0002000C .text C:\Users\leszek\Desktop\1yqdun4z.exe[716] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0002100C .text C:\Users\leszek\Desktop\1yqdun4z.exe[716] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0002200C .text C:\Windows\system32\nvvsvc.exe[752] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0039000C .text C:\Windows\system32\nvvsvc.exe[752] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0039100C .text C:\Windows\system32\nvvsvc.exe[752] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0039200C .text C:\Windows\system32\nvvsvc.exe[752] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 0039E00C .text C:\Windows\system32\nvvsvc.exe[752] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 0039C00C .text C:\Windows\system32\nvvsvc.exe[752] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 0039F00C .text C:\Windows\system32\nvvsvc.exe[752] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 0039400C .text C:\Windows\system32\nvvsvc.exe[752] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 0039300C .text C:\Windows\system32\svchost.exe[792] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 001C000C .text C:\Windows\system32\svchost.exe[792] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 001C100C .text C:\Windows\system32\svchost.exe[792] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 001C200C .text C:\Windows\system32\svchost.exe[792] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 001CE00C .text C:\Windows\system32\svchost.exe[792] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 001CC00C .text C:\Windows\system32\svchost.exe[792] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 001CF00C .text C:\Windows\system32\svchost.exe[792] user32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 001C400C .text C:\Windows\system32\svchost.exe[792] user32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 001C300C .text C:\Windows\System32\svchost.exe[876] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 00C1000C .text C:\Windows\System32\svchost.exe[876] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 00C1100C .text C:\Windows\System32\svchost.exe[876] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 00C1200C .text C:\Windows\System32\svchost.exe[876] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 00C1E00C .text C:\Windows\System32\svchost.exe[876] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 00C1C00C .text C:\Windows\System32\svchost.exe[876] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 00C1F00C .text C:\Windows\System32\svchost.exe[876] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 00C1400C .text C:\Windows\System32\svchost.exe[876] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 00C1300C .text C:\Windows\System32\svchost.exe[916] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 00A4000C .text C:\Windows\System32\svchost.exe[916] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 00A4100C .text C:\Windows\System32\svchost.exe[916] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 00A4200C .text C:\Windows\System32\svchost.exe[916] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 00A4E00C .text C:\Windows\System32\svchost.exe[916] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 00A4C00C .text C:\Windows\System32\svchost.exe[916] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 00A4F00C .text C:\Windows\System32\svchost.exe[916] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 00A4400C .text C:\Windows\System32\svchost.exe[916] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 00A4300C .text C:\Windows\system32\svchost.exe[944] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 00A4000C .text C:\Windows\system32\svchost.exe[944] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 00A4100C .text C:\Windows\system32\svchost.exe[944] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 00A4200C .text C:\Windows\system32\svchost.exe[944] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 00A4E00C .text C:\Windows\system32\svchost.exe[944] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 00A4C00C .text C:\Windows\system32\svchost.exe[944] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 00A4F00C .text C:\Windows\system32\svchost.exe[944] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 00A4400C .text C:\Windows\system32\svchost.exe[944] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 00A4300C .text C:\Windows\system32\svchost.exe[968] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 00B5000C .text C:\Windows\system32\svchost.exe[968] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 00B5100C .text C:\Windows\system32\svchost.exe[968] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 00B5200C .text C:\Windows\system32\svchost.exe[968] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 00B5E00C .text C:\Windows\system32\svchost.exe[968] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 00B5C00C .text C:\Windows\system32\svchost.exe[968] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 00B5F00C .text C:\Windows\system32\svchost.exe[968] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 00B5400C .text C:\Windows\system32\svchost.exe[968] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 00B5300C .text C:\Windows\system32\svchost.exe[1172] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0029000C .text C:\Windows\system32\svchost.exe[1172] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0029100C .text C:\Windows\system32\svchost.exe[1172] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0029200C .text C:\Windows\system32\svchost.exe[1172] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 0029E00C .text C:\Windows\system32\svchost.exe[1172] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 0029C00C .text C:\Windows\system32\svchost.exe[1172] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 0029F00C .text C:\Windows\system32\svchost.exe[1172] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 0029400C .text C:\Windows\system32\svchost.exe[1172] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 0029300C .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 004B000C .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 004B100C .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 004B200C .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 004BE00C .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 004BC00C .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 004BF00C .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 004B400C .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[1356] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 004B300C .text C:\Windows\system32\nvvsvc.exe[1364] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 00B2000C .text C:\Windows\system32\nvvsvc.exe[1364] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 00B2100C .text C:\Windows\system32\nvvsvc.exe[1364] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 00B2200C .text C:\Windows\system32\nvvsvc.exe[1364] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 00B2E00C .text C:\Windows\system32\nvvsvc.exe[1364] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 00B2C00C .text C:\Windows\system32\nvvsvc.exe[1364] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 00B2F00C .text C:\Windows\system32\nvvsvc.exe[1364] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 00B2400C .text C:\Windows\system32\nvvsvc.exe[1364] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 00B2300C .text C:\Windows\system32\svchost.exe[1512] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 00E8000C .text C:\Windows\system32\svchost.exe[1512] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 00E8100C .text C:\Windows\system32\svchost.exe[1512] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 00E8200C .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 00E8E00C .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 00E8C00C .text C:\Windows\system32\svchost.exe[1512] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 00E8F00C .text C:\Windows\system32\svchost.exe[1512] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 00E8400C .text C:\Windows\system32\svchost.exe[1512] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 00E8300C .text C:\Windows\System32\svchost.exe[1624] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0099000C .text C:\Windows\System32\svchost.exe[1624] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0099100C .text C:\Windows\System32\svchost.exe[1624] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0099200C .text C:\Windows\system32\svchost.exe[1656] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0013000C .text C:\Windows\system32\svchost.exe[1656] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0013100C .text C:\Windows\system32\svchost.exe[1656] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0013200C .text C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[2016] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0193000C .text C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[2016] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0193100C .text C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[2016] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0193200C .text C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[2016] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 0193E00C .text C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[2016] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 0193C00C .text C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[2016] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 0193F00C .text C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[2016] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 0193400C .text C:\Program Files\Common Files\Nero\Nero BackItUp 4\NBService.exe[2016] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 0193300C .text C:\Program Files\Internet Explorer\iexplore.exe[2096] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0009000C .text C:\Program Files\Internet Explorer\iexplore.exe[2096] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0009100C .text C:\Program Files\Internet Explorer\iexplore.exe[2096] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0009200C .text C:\Program Files\Internet Explorer\iexplore.exe[2096] shell32.DLL!RealDriveType + 173D 767BFD10 4 Bytes [40, C3, 58, 71] .text C:\Program Files\Internet Explorer\iexplore.exe[2096] shell32.DLL!RealDriveType + 1745 767BFD18 8 Bytes [80, 12, 58, 71, 10, C4, 58, ...] {ADC BYTE [EDX], 0x58; JNO 0x15; LES EBX, [EAX+0x71]} .text C:\Windows\system32\taskhost.exe[2896] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0068000C .text C:\Windows\system32\taskhost.exe[2896] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0068100C .text C:\Windows\system32\taskhost.exe[2896] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0068200C .text C:\Windows\system32\taskhost.exe[2896] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 0068E00C .text C:\Windows\system32\taskhost.exe[2896] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 0068C00C .text C:\Windows\system32\taskhost.exe[2896] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 0068F00C .text C:\Windows\system32\taskhost.exe[2896] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 0068400C .text C:\Windows\system32\taskhost.exe[2896] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 0068300C .text C:\Windows\system32\Dwm.exe[3088] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0085000C .text C:\Windows\system32\Dwm.exe[3088] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0085100C .text C:\Windows\system32\Dwm.exe[3088] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0085200C .text C:\Windows\system32\Dwm.exe[3088] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 0085E00C .text C:\Windows\system32\Dwm.exe[3088] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 0085C00C .text C:\Windows\system32\Dwm.exe[3088] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 0085F00C .text C:\Windows\system32\Dwm.exe[3088] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 0085400C .text C:\Windows\system32\Dwm.exe[3088] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 0085300C .text C:\Windows\Explorer.EXE[3108] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0078000C .text C:\Windows\Explorer.EXE[3108] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0078100C .text C:\Windows\Explorer.EXE[3108] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0078200C .text C:\Windows\Explorer.EXE[3108] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 0078E00C .text C:\Windows\Explorer.EXE[3108] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 0078C00C .text C:\Windows\Explorer.EXE[3108] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 0078F00C .text C:\Windows\Explorer.EXE[3108] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 0078400C .text C:\Windows\Explorer.EXE[3108] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 0078300C .text C:\Windows\System32\rundll32.exe[3196] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0011000C .text C:\Windows\System32\rundll32.exe[3196] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0011100C .text C:\Windows\System32\rundll32.exe[3196] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0011200C .text C:\Windows\System32\rundll32.exe[3196] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 0011E00C .text C:\Windows\System32\rundll32.exe[3196] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 0011C00C .text C:\Windows\System32\rundll32.exe[3196] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 0011F00C .text C:\Windows\System32\rundll32.exe[3196] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 0011400C .text C:\Windows\System32\rundll32.exe[3196] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 0011300C .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3548] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0021000C .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3548] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0021100C .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3548] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0021200C .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3548] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 0021E00C .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3548] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 0021C00C .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3548] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 0021F00C .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3548] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 0021400C .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3548] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 0021300C .text C:\Windows\System32\MsSpellCheckingFacility.exe[5968] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 0032000C .text C:\Windows\System32\MsSpellCheckingFacility.exe[5968] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 0032100C .text C:\Windows\System32\MsSpellCheckingFacility.exe[5968] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 0032200C .text C:\Windows\System32\MsSpellCheckingFacility.exe[5968] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 0032E00C .text C:\Windows\System32\MsSpellCheckingFacility.exe[5968] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 0032C00C .text C:\Windows\System32\MsSpellCheckingFacility.exe[5968] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 0032F00C .text C:\Windows\System32\MsSpellCheckingFacility.exe[5968] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 0032400C .text C:\Windows\System32\MsSpellCheckingFacility.exe[5968] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 0032300C .text C:\Windows\system32\Macromed\Flash\FlashUtil32_19_0_0_245_ActiveX.exe[6088] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 001D000C .text C:\Windows\system32\Macromed\Flash\FlashUtil32_19_0_0_245_ActiveX.exe[6088] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 001D100C .text C:\Windows\system32\Macromed\Flash\FlashUtil32_19_0_0_245_ActiveX.exe[6088] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 001D200C .text C:\Windows\system32\Macromed\Flash\FlashUtil32_19_0_0_245_ActiveX.exe[6088] kernel32.dll!CopyFileExW 7760B390 5 Bytes JMP 001DE00C .text C:\Windows\system32\Macromed\Flash\FlashUtil32_19_0_0_245_ActiveX.exe[6088] kernel32.dll!OpenMutexA 77610522 5 Bytes JMP 001DC00C .text C:\Windows\system32\Macromed\Flash\FlashUtil32_19_0_0_245_ActiveX.exe[6088] kernel32.dll!CreateDirectoryExW 77657D89 5 Bytes JMP 001DF00C .text C:\Windows\system32\Macromed\Flash\FlashUtil32_19_0_0_245_ActiveX.exe[6088] USER32.dll!SetWindowsHookExW 774FE30C 5 Bytes JMP 001D400C .text C:\Windows\system32\Macromed\Flash\FlashUtil32_19_0_0_245_ActiveX.exe[6088] USER32.dll!SetWindowsHookExA 77526D0C 5 Bytes JMP 001D300C .text C:\Program Files\Internet Explorer\iexplore.exe[6124] ntdll.dll!NtCreateProcess 77875780 5 Bytes JMP 002D000C .text C:\Program Files\Internet Explorer\iexplore.exe[6124] ntdll.dll!NtCreateProcessEx 77875790 5 Bytes JMP 002D100C .text C:\Program Files\Internet Explorer\iexplore.exe[6124] ntdll.dll!NtCreateUserProcess 77875860 5 Bytes JMP 002D200C ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 84FAA1F8 Device \Driver\usbohci \Device\USBPDO-0 863071F8 Device \Driver\usbehci \Device\USBPDO-1 86308440 Device \Driver\usbohci \Device\USBPDO-2 863071F8 Device \Driver\usbehci \Device\USBPDO-3 86308440 Device \Driver\cdrom \Device\CdRom0 8627C1F8 Device \Driver\nvstor32 \Device\00000066 84FA81F8 Device \Driver\nvstor32 \Device\00000067 84FA81F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 862B83D8 Device \Driver\NetBT \Device\NetBT_Tcpip_{C8FF50AD-A18E-40D0-B296-81D230E915B7} 862B83D8 Device \Driver\nvstor32 \Device\RaidPort0 84FA81F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{F956D40F-FD87-4C84-8717-4B5BE82C0DA4} 862B83D8 Device \Driver\usbohci \Device\USBFDO-0 863071F8 Device \Driver\usbehci \Device\USBFDO-1 86308440 Device \Driver\usbohci \Device\USBFDO-2 863071F8 Device \Driver\usbehci \Device\USBFDO-3 86308440 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x84fa81f8]<< 84fa81f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f5da58] 85f5da58 Trace 3 CLASSPNP.SYS[8adc359e] -> nt!IofCallDriver -> [0x85d879e8] 85d879e8 Trace 5 ACPI.sys[8a70a3d4] -> nt!IofCallDriver -> \Device\00000066[0x85e8b030] 85e8b030 Trace \Driver\nvstor32[0x85d30ed0] -> IRP_MJ_CREATE -> 0x84fa81f8 84fa81f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@8A6E1CE0 97 ---- EOF - GMER 2.1 ----