GMER 2.1.19115 - http://www.gmer.net Rootkit scan 2013-03-01 23:01:07 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e Hitachi_HTS541612J9SA00 rev.SBDOC70P 111,79GB Running: pknhhtmy.exe; Driver: C:\DOCUME~1\Zbig\USTAWI~1\Temp\pwldypoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA9E444BA] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xA9F19C22] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xA9E44ED6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xA9E86811] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA9E4FFA8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA9E4FFF4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA9E50176] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xA9E861C5] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA9E4FF16] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xA9E50038] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA9E4FF5E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xA9E4511C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA9E50130] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xA9E4593E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA9E44508] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xA9E86ED7] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xA9E8718D] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xA9E491C2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA9E86D42] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA9E86BAD] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xA9F19CEA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA9E44170] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA9E44556] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA9E49534] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA9E463A6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA9E4FFD2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA9E50016] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA9E5019A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA9E86521] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA9E4FF3C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xA9E48C3E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA9E500BA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA9E4FF86] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xA9E48F14] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA9E50154] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xA9F19E4A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA9E86A28] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA9E46272] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xA9E8687A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xA9E45DD4] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA9F267D2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xA9E85838] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA9E445A4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA9E445F2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xA9E457BE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA9E441FA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xA9E443AA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xA9E86FDE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA9E44350] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xA9E45AF8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xA9E45C54] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xA9E4441A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xA9E454D4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xA9E45636] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0xA9F1841C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xA9E44640] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xA9E44F1A] INT 0x62 ? 86FCFCC8 INT 0x63 ? 86DA7F00 INT 0x74 ? 86DA7F00 INT 0x82 ? 86FCFCC8 INT 0x84 ? 86DA7F00 INT 0x94 ? 86DA7F00 INT 0xA4 ? 86FCFCC8 Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xA9F32E56] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 24B0 80501CD8 4 Bytes [EA, 9C, F1, A9] .text ntkrnlpa.exe!ZwCallbackReturn + 2540 80501D68 8 Bytes [21, 65, E8, A9, 3C, FF, E4, ...] {AND [EBP-0x18], ESP; TEST EAX, 0xa9e4ff3c} .text ntkrnlpa.exe!ZwCallbackReturn + 26B0 80501ED8 12 Bytes [A4, 45, E4, A9, F2, 45, E4, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2758 80501F80 12 Bytes [F8, 5A, E4, A9, 54, 5C, E4, ...] {CLC ; POP EDX; IN AL, 0xa9; PUSH ESP; POP ESP; IN AL, 0xa9; SBB AL, [ESP-0x57]} PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 8059B7C0 4 Bytes CALL A9E46A77 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805B1C60 5 Bytes JMP A9F2FCF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject 805B8AD8 5 Bytes JMP A9F31810 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805C736A 7 Bytes JMP A9F32E5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) .sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF7462346] .text USBPORT.SYS!DllUnload F4A698AC 5 Bytes JMP 86DA7410 .text win32k.sys!EngFreeUserMem + 674 BF809FDF 5 Bytes JMP A9E4AB4C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngFreeUserMem + 3625 BF80CF90 5 Bytes JMP A9E4AA3C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngDeleteSurface + 45 BF8138FE 5 Bytes JMP A9E4A9F6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!BRUSHOBJ_pvAllocRbrush + 320C BF81E743 5 Bytes JMP A9E49688 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMulDiv + 199A BF820E6C 5 Bytes JMP A9E4A0A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngSetLastError + 7657 BF82868B 5 Bytes JMP A9E497C4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateBitmap + 698 BF838560 5 Bytes JMP A9E4ACB6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateBitmap + BB6 BF838A7E 5 Bytes JMP A9E4A8FC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateBitmap + 3605 BF83B4CD 5 Bytes JMP A9E4AEBE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateBitmap + D9AB BF845873 5 Bytes JMP A9E49834 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateBitmap + 113C6 BF84928E 5 Bytes JMP A9E4A090 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMultiByteToWideChar + 2E60 BF852720 5 Bytes JMP A9E4A16A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMultiByteToWideChar + 2F20 BF8527E0 5 Bytes JMP A9E49670 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngMultiByteToWideChar + 84B4 BF857D74 5 Bytes JMP A9E4AE1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XLATEOBJ_iXlate + 23AD BF873983 5 Bytes JMP A9E4ABFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngStretchBlt + 37BB BF87882D 5 Bytes JMP A9E4AA86 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetCurrentCodePage + 3617 BF88FFB6 5 Bytes JMP A9E49CDE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetCurrentCodePage + 413A BF890AD9 5 Bytes JMP A9E49E9E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGetLastError + 1606 BF8ADD61 5 Bytes JMP A9E4A182 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGradientFill + 4B52 BF8B3770 5 Bytes JMP A9E49C1E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngGradientFill + 4BDD BF8B37FB 5 Bytes JMP A9E49EE4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngAlphaBlend + 9286 BF8C31E7 5 Bytes JMP A9E49944 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bCloseFigure + 19CE BF8ED991 5 Bytes JMP A9E4956A \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bCloseFigure + 9006 BF8F4FC9 5 Bytes JMP A9E4A0C0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bCloseFigure + D4C6 BF8F9489 5 Bytes JMP A9E49A1C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bCloseFigure + D746 BF8F9709 5 Bytes JMP A9E49B48 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 1994 BF912612 5 Bytes JMP A9E49760 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 2568 BF9131E6 5 Bytes JMP A9E498F0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateClip + 4F29 BF915BA7 5 Bytes JMP A9E49FFE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPlgBlt + 1931 BF9438F8 5 Bytes JMP A9E4AD74 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ? C:\DOCUME~1\Zbig\USTAWI~1\Temp\mbr.sys Nazwa pliku, nazwa katalogu lub składnia etykiety woluminu jest niepoprawna. ! ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\Explorer.EXE[136] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[136] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[268] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[268] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[268] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[364] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[364] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[488] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[488] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[512] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[512] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[600] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[624] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[624] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Real\RealPlayer\RealPlay.exe[636] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Real\RealPlayer\RealPlay.exe[636] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\igfxpers.exe[652] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\igfxpers.exe[652] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[672] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 003D01F8 .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[672] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[672] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003D03FC .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[672] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[672] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00971014 .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[672] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00970804 .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[672] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00970A08 .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[672] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00970C0C .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[672] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00970E10 .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[672] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 009701F8 .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[672] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 009703FC .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[672] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00970600 .text C:\WINDOWS\system32\igfxtray.exe[704] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\igfxtray.exe[704] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[720] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[720] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\RayV\RayV\RayV.exe[764] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\RayV\RayV\RayV.exe[764] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\ipla\ipla.exe[772] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\ipla\ipla.exe[772] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[820] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[820] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[992] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[992] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1028] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1028] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1052] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1052] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1096] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1096] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1112] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1112] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[1268] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\PROGRA~1\ENIGMA~1\SPYHUN~1\SH4SER~1.EXE[1268] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1356] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1356] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1396] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1396] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1420] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1420] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1440] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1440] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1592] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1592] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1656] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1656] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\DOCUME~1\Zbig\USTAWI~1\Temp\RtkBtMnt.exe[1732] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\DOCUME~1\Zbig\USTAWI~1\Temp\RtkBtMnt.exe[1732] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 003D01F8 .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003D03FC .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 009E1014 .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 009E0804 .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 009E0A08 .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 009E0C0C .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 009E0E10 .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 009E01F8 .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 009E03FC .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 009E0600 .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 009F0804 .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 009F0A08 .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 009F0600 .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 009F01F8 .text C:\Documents and Settings\Zbig\Moje dokumenty\Downloads\pknhhtmy.exe[2684] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 009F03FC .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 003D01F8 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003D03FC .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00431014 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00430804 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00430A08 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00430C0C .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00430E10 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 004301F8 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 004303FC .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00430600 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] user32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 006C0804 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] user32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 006C0A08 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] user32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 006C0600 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] user32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 006C01F8 .text C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\jqs.exe[2696] user32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 006C03FC .text C:\WINDOWS\system32\svchost.exe[2748] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[2748] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2748] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\svchost.exe[2748] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2748] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00AC1014 .text C:\WINDOWS\system32\svchost.exe[2748] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00AC0804 .text C:\WINDOWS\system32\svchost.exe[2748] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00AC0A08 .text C:\WINDOWS\system32\svchost.exe[2748] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00AC0C0C .text C:\WINDOWS\system32\svchost.exe[2748] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00AC0E10 .text C:\WINDOWS\system32\svchost.exe[2748] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00AC01F8 .text C:\WINDOWS\system32\svchost.exe[2748] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 00AC03FC .text C:\WINDOWS\system32\svchost.exe[2748] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00AC0600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, F4, 9A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtMapViewOfSection + 6 7C90D506 4 Bytes [28, F7, 9A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtMapViewOfSection + B 7C90D50B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, F4, 9A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, F5, 9A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B9170F0 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, F6, 9A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, F5, 9A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, F6, 9A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B917161 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, F4, 9A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B91728F .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, F5, 9A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, F6, 9A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtUnmapViewOfSection + 6 7C90DEF6 4 Bytes [68, F7, 9A, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!NtUnmapViewOfSection + B 7C90DEFB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00C901F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 00C903FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00FE1014 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00FE0804 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00FE0A08 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00FE0C0C .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00FE0E10 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00FE01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 00FE03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00FE0600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 016C0804 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 016C0A08 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 016C0600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 016C01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2920] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 016C03FC .text C:\WINDOWS\system32\svchost.exe[3152] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\svchost.exe[3152] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[3152] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\svchost.exe[3152] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[3152] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00C61014 .text C:\WINDOWS\system32\svchost.exe[3152] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00C60804 .text C:\WINDOWS\system32\svchost.exe[3152] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00C60A08 .text C:\WINDOWS\system32\svchost.exe[3152] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00C60C0C .text C:\WINDOWS\system32\svchost.exe[3152] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00C60E10 .text C:\WINDOWS\system32\svchost.exe[3152] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00C601F8 .text C:\WINDOWS\system32\svchost.exe[3152] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 00C603FC .text C:\WINDOWS\system32\svchost.exe[3152] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00C60600 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3800] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3800] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3800] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3800] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 003D01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003D03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] ADVAPI32.dll!SetServiceObjectSecurity 77E26D59 5 Bytes JMP 00F01014 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] ADVAPI32.dll!ChangeServiceConfigA 77E26E41 5 Bytes JMP 00F00804 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] ADVAPI32.dll!ChangeServiceConfigW 77E26FD9 5 Bytes JMP 00F00A08 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] ADVAPI32.dll!ChangeServiceConfig2A 77E270D9 5 Bytes JMP 00F00C0C .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] ADVAPI32.dll!ChangeServiceConfig2W 77E27161 5 Bytes JMP 00F00E10 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] ADVAPI32.dll!CreateServiceA 77E271E9 5 Bytes JMP 00F001F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] ADVAPI32.dll!CreateServiceW 77E27381 5 Bytes JMP 00F003FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] ADVAPI32.dll!DeleteService 77E27489 5 Bytes JMP 00F00600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 011C0804 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 011C0A08 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] USER32.dll!SetWindowsHookExA 7E381211 5 Bytes JMP 011C0600 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] USER32.dll!SetWinEventHook 7E3817F7 5 Bytes JMP 011C01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3804] USER32.dll!UnhookWinEvent 7E3818AC 5 Bytes JMP 011C03FC .text C:\WINDOWS\System32\alg.exe[3908] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 003101F8 .text C:\WINDOWS\System32\alg.exe[3908] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3908] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003103FC .text C:\WINDOWS\System32\alg.exe[3908] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[4028] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 003101F8 .text C:\WINDOWS\system32\wscntfy.exe[4028] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[4028] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003103FC .text C:\WINDOWS\system32\wscntfy.exe[4028] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F7368232] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F7367730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F7367F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7367730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7367914] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7367856] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73680F0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F7367F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F737BF1E] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.) ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[268] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64C8F6D0] C:\Program Files\Alwil Software\Avast5\aswCmnBS.dll (Common functions/AVAST Software) IAT C:\WINDOWS\system32\services.exe[1096] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[1096] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) Device \FileSystem\Ntfs \Ntfs 86FCE1F8 AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\usbuhci \Device\USBPDO-0 86DA5430 Device \Driver\usbuhci \Device\USBPDO-1 86DA5430 Device \Driver\usbehci \Device\USBPDO-2 86DA6430 Device \Driver\usbehci \Device\USBPDO-3 86DA6430 Device \Driver\usbuhci \Device\USBPDO-4 86DA5430 AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\usbuhci \Device\USBPDO-5 86DA5430 Device \Driver\usbuhci \Device\USBPDO-6 86DA5430 Device \Driver\Cdrom \Device\CdRom0 86DA4430 Device \Driver\atapi \Device\Ide\IdePort0 [F72B3B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F72B3B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F72B3B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [F72B3B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [F72B3B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [F72B3B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 867A11F8 Device \Driver\NetBT \Device\NetbiosSmb 867A11F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{4968384F-6E75-4FB9-8AC1-99DFB672EDE3} 867A11F8 AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\usbuhci \Device\USBFDO-0 86DA5430 Device \Driver\usbuhci \Device\USBFDO-1 86DA5430 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 867411F8 Device \Driver\usbehci \Device\USBFDO-2 86DA6430 Device \FileSystem\MRxSmb \Device\LanmanRedirector 867411F8 Device \Driver\usbuhci \Device\USBFDO-3 86DA5430 Device \Driver\usbuhci \Device\USBFDO-4 86DA5430 Device \Driver\usbuhci \Device\USBFDO-5 86DA5430 Device \Driver\NetBT \Device\NetBT_Tcpip_{9D4897AA-393F-49D7-A22A-D538B01892D7} 867A11F8 Device \Driver\usbehci \Device\USBFDO-6 86DA6430 Device \FileSystem\Cdfs \Cdfs 8672C1F8 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 61 ! Disk \Device\Harddisk0\DR0 PE file @ sector 234420480 ! ---- EOF - GMER 2.1 ----