GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-01-12 12:46:21 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000037 WDC_WD5000BPVT-35HXZT1 rev.01.01A01 465,76GB Running: h1gh8p2z.exe; Driver: C:\Users\Nikodem\AppData\Local\Temp\pxldqpow.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\dca9711a3c4e Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -101981874 Reg HKLM\SYSTEM\CurrentControlSet\Control@LastBootShutdown 0 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\bthserv\Parameters\BluetoothControlPanelTasks@State 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherRequestBucketCounter 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 0 ---- User code sections - GMER 2.1 ---- ? C:\Windows\System32\EhStorAPI.dll [3556] entry point in ".rsrc" section 00007ffba58275c0 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffbb0352124 7 bytes JMP 00007ffcb02f00d8 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffbb03550e8 5 bytes JMP 00007ffcb02f0180 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffbb03552a0 5 bytes JMP 00007ffcb02f0148 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffbb035a9b0 5 bytes JMP 00007ffcb02f0110 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffbb1ec30e0 7 bytes JMP 00007ffcb02f02d0 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffbb1ec4478 7 bytes JMP 00007ffcb02f0308 .text C:\WINDOWS\system32\wininit.exe[772] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\winlogon.exe[804] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\services.exe[860] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\lsass.exe[868] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[936] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[968] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\nvvsvc.exe[424] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[452] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\nvvsvc.exe[536] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\System32\svchost.exe[668] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\System32\svchost.exe[768] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[572] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1080] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1272] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\System32\spoolsv.exe[1676] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[1716] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\Program Files\Bonjour\mDNSResponder.exe[1916] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\Program Files\Intel\iCLS Client\HeciServer.exe[1960] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[1492] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[2068] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\rundll32.exe[2132] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\svchost.exe[2192] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3368] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\Explorer.EXE[3556] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\taskeng.exe[3800] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\taskhostex.exe[3808] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamsvc.exe[3920] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\conhost.exe[3984] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\SearchIndexer.exe[1496] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\Windows\System32\skydrive.exe[2448] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[3084] C:\WINDOWS\system32\KERNEL32.DLL!GetBinaryTypeW + 165 00007ffbb1ed977d 1 byte [62] .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffbb1f711a8 7 bytes JMP 00007ffcb02f0340 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffbb1f7121c 7 bytes JMP 00007ffcb02f03b0 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffbb1f71668 7 bytes JMP 00007ffcb02f0378 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffbb1f772d0 7 bytes JMP 00007ffcb02f0260 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffbb1f9d5a4 7 bytes JMP 00007ffcb02f0228 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffbb1f9d614 7 bytes JMP 00007ffcb02f0298 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffbb26e7b64 10 bytes JMP 00007ffcb02f0490 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffbb2702910 5 bytes JMP 00007ffcb02f0420 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffbb2704578 5 bytes JMP 00007ffcb02f0458 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffbb2704980 9 bytes JMP 00007ffcb02f03e8 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffbb2861500 8 bytes JMP 00007ffcb02f01b8 .text C:\WINDOWS\system32\dwm.exe[420] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffbb2861750 8 bytes JMP 00007ffcb02f01f0 .text C:\WINDOWS\system32\nvvsvc.exe[536] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffbb2c0169a 4 bytes [C0, B2, FB, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[536] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffbb2c016a2 4 bytes [C0, B2, FB, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[536] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffbb2c0181a 4 bytes [C0, B2, FB, 7F] .text C:\WINDOWS\system32\nvvsvc.exe[536] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffbb2c01832 4 bytes [C0, B2, FB, 7F] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager\Defrag@LastRun 01:09:2014 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh 0x0E 0x4B 0x1E 0x65 ... Reg HKCU\Software\Microsoft\Windows\Windows Error Reporting@LastRateLimitedDumpGenerationTime 0x15 0x14 0xBC 0x2A ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x1B 0xD4 0x35 0xBC ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x2B 0x4A 0x2C 0xBC ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0x3A 0x7E 0xED 0xC9 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastStoreActivity 0x54 0xB7 0xDB 0x02 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\2@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\3@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x68 0x74 0xE3 0x13 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x74 0x78 0xCF 0x42 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList@BannedAppsLastModified 0x80 0x3E 0x55 0x26 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\dca9711a3c4e@d0c1b1db54c0 0xA2 0x9A 0x41 0xAE ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStopTime 0xBB 0x66 0xEE 0x37 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\SEC54410_00_07DB_5A^56954C975DBE7FADFA039B131D2B5E17@Timestamp 0xBD 0x0D 0xDB 0xF6 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0xDF 0x7A 0xEB 0xCF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{D83B5AF8-365C-4E88-A038-5712862347BE}@DefunctTimestamp 0xF6 0x71 0xD2 0x52 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0xF7 0x8A 0x86 0x1C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0xF7 0x8A 0x86 0x1C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0xF7 0x8A 0x86 0x1C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0xF7 0x8A 0x86 0x1C ... Reg HKLM\SYSTEM\CurrentControlSet\Control\PnP@DisableLKG 1 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@BootCounter 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1 Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 10 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 12 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 13 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{519e6394-0586-49de-8d81-8751cdfd66d0}@LastProbeTime 1389459906 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{907E04CF-E5A2-46B6-AC68-3CBCD0134E4D}@LeaseObtainedTime 1389518182 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{907E04CF-E5A2-46B6-AC68-3CBCD0134E4D}@T1 1389561382 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{907E04CF-E5A2-46B6-AC68-3CBCD0134E4D}@T2 1389593782 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{907E04CF-E5A2-46B6-AC68-3CBCD0134E4D}@LeaseTerminatesTime 1389604582 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{907E04CF-E5A2-46B6-AC68-3CBCD0134E4D}@DhcpIPAddress 192.168.1.5 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@GlassSessionId 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{D83B5AF8-365C-4E88-A038-5712862347BE}@ReusableType 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\TrustedInstaller@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 2366 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID 2449de5e-a63d-47e9-82cf-4bdb7a3 Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WcesLog@FileCounter 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 365 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 4 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 401512706 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 4312 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 4682565 Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 856 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?N?, ?sty ?12 ?14, 10:55:26???????????????????????????????????? ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\drprov.dll[ntdll.dll!RtlInitUnicodeString] [0] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\drprov.dll[WINSTA.dll!WinStationIsSessionRemoteable] [0] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[msvcrt.dll!malloc] [0] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[msvcrt.dll!_amsg_exit] [0] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[msvcrt.dll!_wcsnicmp] [0] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[ntdll.dll!RtlLookupFunctionEntry] [0] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[ntdll.dll!NtCreateFile] [0] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[ntdll.dll!NtFsControlFile] [0] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[KERNEL32.dll!LocalAlloc] [0] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentThreadId] [0] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[KERNEL32.dll!GetCurrentProcess] [0] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[KERNEL32.dll!DelayLoadFailureHook] [0] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiOpenDeviceInterfaceW] [10c18348cccccccc] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[USER32.dll!AllowSetForegroundWindow] [217ae8000003088b] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetProcAddress] [2444894c00000004] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!DisableThreadLibraryCalls] [2444c74830ec8348] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!memset] [244c8948cccccccc] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiGetClassDevsW] [244c8948cccccccc] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!??_U@YAPEAX_K@Z] [25158b4c00009d2c] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[WTSAPI32.dll!WTSQueryUserToken] [2841c60a74002879] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!calloc] [28b60d8d4817508d] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!free] [2b74d03b4c00009d] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!CreateProcessW] [2bba41c9854d00] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!??2@YAPEAX_K@Z] [3026058d4c20245c] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegSetValueExW] [318b78948104089] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[USER32.dll!UnregisterClassA] [3208b8d4890] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegOpenKeyExW] [320b789660000] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegEnumKeyExW] [328b7894800] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!??_V@YAXPEAX@Z] [33247203197a8041] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!FreeLibrary] [382444c748004024] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_unlock] [40245c8b48ffff53] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_errno] [412b74d83b4c0000] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetTickCount] [4130c48348c68b3e] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!malloc] [41c033455c740039] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetCurrentThreadId] [41cf8b4800000001] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegCreateKeyExW] [4800000310878b48] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegQueryInfoKeyW] [4800000330b78948] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!ExpandEnvironmentStringsW] [48f67500113c8041] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiEnumDeviceInterfaces] [48fffffffe202444] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!__dllonexit] [49000003508b8d4c] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!realloc] [4c00003fb1e80574] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!RtlVirtualUnwind] [4cdb3310eb70247c] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!Sleep] [5024748b4848245c] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!memcpy] [5489440000000bba] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!HeapDestroy] [5741564157565308] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!GetUserNameW] [58778900000388b7] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!mbstowcs] [58d48d88b4446eb] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!WTSGetActiveConsoleSessionId] [5ba05ebc2ff] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetModuleHandleW] [648348c1450f49ff] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!UnhandledExceptionFilter] [6824748b6024748b] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!MultiByteToWideChar] [7000ebe19894800] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!TerminateProcess] [78c085f08bffff4f] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[KERNEL32.dll!DisableThreadLibraryCalls] [7ffba5b933ac] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[KERNEL32.dll!Sleep] [7ffba5b93600] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\DAVHLPR.dll[KERNEL32.dll!GetLastError] [7ffba5b936bc] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\WINDOWS\System32\drprov.dll[KERNEL32.dll!Sleep] [8000] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!WaitForSingleObject] [8024848d4c0000] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!SizeofResource] [82e980004003] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_wcsicmp] [8349000003588b8d] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_CxxThrowException] [89440000000abac8] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegCloseKey] [894800000338b789] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!CreateProcessAsUserW] [894800000380b789] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!RtlLookupFunctionEntry] [8948fb8b4803ebf8] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [8949fb8b486850ff] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!lstrcmpiW] [8b480d74c0854878] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_purecall] [8b4830ec83485308] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!RtlCaptureContext] [8b48fffffe86e8c8] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!__CxxFrameHandler3] [8b4c0000247ae8c9] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[USER32.dll!CharNextW] [8d4890ffffcb0fe8] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!LoadLibraryExW] [8d4c282454894830] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!memcpy_s] [9cb61d8b4c00009c] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_onexit] [a1840f003983] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_XcptFilter] [a508d41c0334500] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!LoadResource] [b80a75c98548db33] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetCurrentProcessId] [ba078b4c1274f685] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!??1type_info@@UEAA@XZ] [bd058d483e79c085] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!memmove_s] [bd3815ffffff] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!SetEnvironmentVariableW] [c2ff48ffca834813] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiGetDeviceInterfaceDetailW] [c74830ec83485308] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!??3@YAXPEAX@Z] [c88b4c0000240be8] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!wcsrchr] [c933247203197b80] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!wcsncpy_s] [c9854860498b48d9] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!OutputDebugStringA] [ccc35b5e5f5e415f] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiCreateDeviceInfoList] [cccccc000021dfe9] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiGetDeviceInterfaceAlias] [ccccccccc358c483] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!HeapFree] [cccccccccccccccc] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetLastError] [ccccccccccccccff] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!CloseHandle] [ccccccccccccccff] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiGetCustomDevicePropertyW] [cd058d48018948ff] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_initterm] [d08b4c0000bccb15] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetCurrentProcess] [dde8184f8d482c74] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!RaiseException] [e8000004b0b97024] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiDestroyDeviceInfoList] [e808418948ffff30] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!FindResourceExW] [f18b4cfffffffe20] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_lock] [f1e8104a8b49ffff] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!QueryPerformanceCounter] [f3490f014047c604] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetExitCodeProcess] [fee07b058d480000] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetProcessHeap] [ff018b480000aedc] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[SETUPAPI.dll!SetupDiGetClassDevsExW] [ff3067058d48d98b] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[ADVAPI32.dll!RegDeleteValueW] [ff30e7058d480789] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [ff854870247c8b48] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!GetModuleFileNameW] [ffa627e908e98348] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!DeviceIoControl] [fff6d3e908e98348] IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[KERNEL32.dll!CreateFileW] [fff73be908e98348] ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\System32\drivers\pci.sys[ntoskrnl.exe!IofCallDriver] [fffff800006b7dac] \SystemRoot\System32\Drivers\sptd.sys [.text] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\Explorer.EXE[3556] @ C:\Windows\System32\EhStorAPI.dll[msvcrt.dll!_amsg_exit] [ffffff28490d8d48] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Program Files\AVAST Software\Avast\setup\Reboot.txt??\??\C:\Program Files\AVAST Software\Avast\setup\Reboot.txt??\??\C:\Program Files\AVAST Software\Avast\setup\Reboot.txt??\??\C:\Program Files\AVAST Software\Avast\setup\Reboot.txt??\??\C:\Program Files\AVAST Software\Avast\setup\Reboot.txt??\??\C:\Users\Nikodem\AppData\Local\Temp\~nsu.tmp\Au_.exe??\??\C:\Users\Nikodem\AppData\Local\Temp\~nsu.tmp\Bu_.exe??\??\C:\Users\Nikodem\AppData\Local\Temp\~nsu.tmp\Cu_.exe??\??\C:\Users\Nikodem\AppData\Local\Temp\~nsu.tmp\Du_.exe??\??\C:\Users\Nikodem\AppData\Local\Temp\~nsu.tmp\Eu_.exe??\??\C:\Users\Nikodem\AppData\Local\Temp\~nsu.tmp\Fu_.exe??\??\C:\Users\Nikodem\AppData\Local\Temp\~nsu.tmp\Gu_.exe??\??\C:\Users\Nikodem\AppData\Local\Temp\~nsu.tmp\Hu_.exe??\??\C:\Users\Nikodem\AppData\Local\Temp\~nsu.tmp\Iu_.exe??\??\C:\Users\Nikodem\AppData\Local\Temp\~nsu.tmp\Ju_.exe??\??\C:\Users\Nikodem\AppData\Local\Temp\~nsu.tmp\Ku_.exe??\??\C:\Users\Nikodem\AppData\Local\Temp\~nsu.tmp\Lu_.exe??\??\C:\Users\Nikodem\AppDat Reg HKLM\SYSTEM\CurrentControlSet\Control\Winlogon\Notifications\Components\TrustedInstaller@Events CreateSession ---- Devices - GMER 2.1 ---- Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl ffffe000004842c0 Device \Driver\cdrom \Device\CdRom0 ffffe0000048e2c0 Device \Driver\storahci \Device\RaidPort0 ffffe000004902c0 Device \Driver\storahci \Device\00000037 ffffe000004902c0 Device \Driver\storahci \Device\ScsiPort0 ffffe000004902c0 Device \Driver\storahci \Device\00000038 ffffe000004902c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xffffe000004902c0]<< sptd.sys storport.sys hal.dll storahci.sys ffffe000004902c0 Trace \Driver\storahci[0xffffe000010326e0] -> IRP_MJ_CREATE -> 0xffffe000004902c0 ffffe000004902c0 Trace 3 CLASSPNP.SYS[fffff80000201abb] -> nt!IofCallDriver -> \Device\00000037[0xffffe0000102e5f0] ffffe0000102e5f0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe0000225f060] ffffe0000225f060 ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff9600013b700 15 bytes [00, EA, 0F, 02, 00, 7F, 6F, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff9600013b710 11 bytes [00, 1F, FC, FF, 80, 52, DE, ...] ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [764:784] fffff960008f04d0 ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@RoamingSyncToken LM%3d63525054786317%3bID%3d3E2961DE96289DC8!104%3bLR%3d63525115047270%3bEP%3d4%3bTD%3dTrue Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D83B5AF8-365C-4E88-A038-5712862347BE}\Connection@Name Reusable ISATAP Interface {D83B5AF8-365C-4E88-A038-5712862347BE} Reg HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Parameters\Isatap\{D83B5AF8-365C-4E88-A038-5712862347BE}@InterfaceName Reusable ISATAP Interface {D83B5AF8-365C-4E88-A038-5712862347BE} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SkyDrive@MoSkyQuotaStateChange WLS_SubscriptionId_49e8a1df-5d84-40d1-bf7b-daa077dc3b76 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SkyDrive@MoSkyFileSync WLS_SubscriptionId_5371e408-c930-42a3-99b8-9ca4d7b77741 ---- EOF - GMER 2.1 ----