GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-25 11:15:46
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e SAMSUNG_HD320KJ rev.CP100-12
Running: ug5b3046.exe; Driver: E:\DOCUME~1\ADMINI~1.DDD\USTAWI~1\Temp\pxtdapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text  netbt.sys  BA3A2304 1 Byte  [40]
.text  netbt.sys  BA3A2307 387 Bytes  [42, 00, 00, 00, 00, 00, 00, ...]
.text  netbt.sys  BA3A248B 719 Bytes  [FF, 55, 8B, EC, 53, 56, 57, ...]
.text  netbt.sys  BA3A275B 278 Bytes  [F4, 90, 90, 90, 90, 90, 8B, ...]
.text  netbt.sys  BA3A2872 91 Bytes  [15, 90, D0, 3B, BA, 88, 45, ...]
.text  ...
.INIT  E:\WINDOWS\system32\DRIVERS\netbt.sys  entry point in ".INIT" section [0xBA3B0422]
?      E:\WINDOWS\system32\DRIVERS\netbt.sys  suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtCreateFile + 6  7C90D0B4 4 Bytes  [28, 00, 20, 00] {SUB [EAX], AL; AND [EAX], AL}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtCreateFile + B  7C90D0B9 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtMapViewOfSection + 6  7C90D524 1 Byte  [28]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtMapViewOfSection + 6  7C90D524 4 Bytes  [28, 03, 20, 00] {SUB [EBX], AL; AND [EAX], AL}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtMapViewOfSection + B  7C90D529 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenFile + 6  7C90D5A4 4 Bytes  [68, 00, 20, 00]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenFile + B  7C90D5A9 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenProcess + 6  7C90D604 4 Bytes  [A8, 01, 20, 00] {TEST AL, 0x1; AND [EAX], AL}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenProcess + B  7C90D609 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenProcessToken + 6  7C90D614 4 Bytes  CALL 7B90F61A
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenProcessToken + B  7C90D619 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenProcessTokenEx + 6  7C90D624 4 Bytes  [A8, 02, 20, 00] {TEST AL, 0x2; AND [EAX], AL}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenProcessTokenEx + B  7C90D629 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenThread + 6  7C90D664 4 Bytes  [68, 01, 20, 00]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenThread + B  7C90D669 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenThreadToken + 6  7C90D674 4 Bytes  [68, 02, 20, 00]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenThreadToken + B  7C90D679 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenThreadTokenEx + 6  7C90D684 4 Bytes  CALL 7B90F68B
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenThreadTokenEx + B  7C90D689 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtQueryAttributesFile + 6  7C90D714 4 Bytes  [A8, 00, 20, 00] {TEST AL, 0x0; AND [EAX], AL}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtQueryAttributesFile + B  7C90D719 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtQueryFullAttributesFile + 6  7C90D7B4 4 Bytes  CALL 7B90F7B9
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtQueryFullAttributesFile + B  7C90D7B9 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtSetInformationFile + 6  7C90DC64 4 Bytes  [28, 01, 20, 00] {SUB [ECX], AL; AND [EAX], AL}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtSetInformationFile + B  7C90DC69 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtSetInformationThread + 6  7C90DCB4 4 Bytes  [28, 02, 20, 00] {SUB [EDX], AL; AND [EAX], AL}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtSetInformationThread + B  7C90DCB9 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtUnmapViewOfSection + 6  7C90DF14 1 Byte  [68]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtUnmapViewOfSection + 6  7C90DF14 4 Bytes  [68, 03, 20, 00]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtUnmapViewOfSection + B  7C90DF19 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtCreateFile + 6  7C90D0B4 4 Bytes  [28, 00, 2C, 00] {SUB [EAX], AL; SUB AL, 0x0}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtCreateFile + B  7C90D0B9 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtMapViewOfSection + 6  7C90D524 1 Byte  [28]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtMapViewOfSection + 6  7C90D524 4 Bytes  [28, 03, 2C, 00] {SUB [EBX], AL; SUB AL, 0x0}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtMapViewOfSection + B  7C90D529 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenFile + 6  7C90D5A4 4 Bytes  [68, 00, 2C, 00]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenFile + B  7C90D5A9 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenProcess + 6  7C90D604 4 Bytes  [A8, 01, 2C, 00] {TEST AL, 0x1; SUB AL, 0x0}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenProcess + B  7C90D609 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenProcessToken + 6  7C90D614 4 Bytes  CALL 7B91021A
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenProcessToken + B  7C90D619 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenProcessTokenEx + 6  7C90D624 4 Bytes  [A8, 02, 2C, 00] {TEST AL, 0x2; SUB AL, 0x0}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenProcessTokenEx + B  7C90D629 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenThread + 6  7C90D664 4 Bytes  [68, 01, 2C, 00]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenThread + B  7C90D669 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenThreadToken + 6  7C90D674 4 Bytes  [68, 02, 2C, 00]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenThreadToken + B  7C90D679 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenThreadTokenEx + 6  7C90D684 4 Bytes  CALL 7B91028B
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtOpenThreadTokenEx + B  7C90D689 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtQueryAttributesFile + 6  7C90D714 4 Bytes  [A8, 00, 2C, 00] {TEST AL, 0x0; SUB AL, 0x0}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtQueryAttributesFile + B  7C90D719 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtQueryFullAttributesFile + 6  7C90D7B4 4 Bytes  CALL 7B9103B9
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtQueryFullAttributesFile + B  7C90D7B9 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtSetInformationFile + 6  7C90DC64 4 Bytes  [28, 01, 2C, 00] {SUB [ECX], AL; SUB AL, 0x0}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtSetInformationFile + B  7C90DC69 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtSetInformationThread + 6  7C90DCB4 4 Bytes  [28, 02, 2C, 00] {SUB [EDX], AL; SUB AL, 0x0}
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtSetInformationThread + B  7C90DCB9 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtUnmapViewOfSection + 6  7C90DF14 1 Byte  [68]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtUnmapViewOfSection + 6  7C90DF14 4 Bytes  [68, 03, 2C, 00]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] ntdll.dll!NtUnmapViewOfSection + B  7C90DF19 1 Byte  [E2]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!MmPageEntireDriver]  0FCF8B0F
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoFreeWorkItem]  00664984
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!ExInitializeNPagedLookasideList]  9586C600
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoAllocateWorkItem]  00000000
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCreateDevice]  75FFD3FF
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!RtlDecompressBuffer]  F075FF18
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!DbgBreakPoint]  3AB16968
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeReadStateEvent]  75FF56BA
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KePulseEvent]  E475FFF4
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!MmAdvanceMdl]  006A006A
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeBugCheckEx]  FFF3C8E8
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!ExInterlockedFlushSList]  89C085FF
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!ExInterlockedAddLargeStatistic]  8D0FF845
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeSetTimerEx]  FFFFF36E
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeInitializeDpc]  0065E7E9
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeInitializeTimer]  64438B00
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!MmLockPagableDataSection]  4589C085
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeSetTimer]  37840FEC
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!MmUnlockPagableImageSection]  8DFFFFF2
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeRemoveQueueDpc]  4D892448
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeCancelTimer]  8BD6FFE8
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!_alldiv]  FA811055
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!RtlEqualUnicodeString]  7F000000
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!ExAllocatePoolWithQuota]  4D8B0C74
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!MmUnmapLockedPages]  3841F6F4
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoCancelIrp]  89037402
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!ExQueueWorkItem]  4D8B1451
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!FsRtlMdlReadComplete]  83D233EC
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeDetachProcess]  F0420CC1
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!FsRtlMdlRead]  8B11C10F
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeAttachProcess]  1D8BE84D
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoGetRequestorProcess]  [BA3BD080] \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!FsRtlCopyRead]  D3FFD08A
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoQueryFileInformation]  BF0F558A
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!_aullrem]  [BA3BD98C] \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!PsGetCurrentProcessId]  D3FFCF8B
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!ObFindHandleForObject]  001C7D83
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!ObCloseHandle]  458B1474
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!ObOpenObjectByName]  6470FFF4
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoThreadToProcess]  FF1C75FF
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeTickCount]  47E81875
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeInitializeApc]  89000141
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeInsertQueueApc]  358BF845
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeAcquireInStackQueuedSpinLockAtDpcLevel]  [BA3BD090] \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!KeReleaseInStackQueuedSpinLockFromDpcLevel]  D6FFCF8B
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!ObfReferenceObject]  88E84D8B
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoAcquireCancelSpinLock]  D6FF0F45
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoReleaseCancelSpinLock]  00F87D83

---- User IAT/EAT - GMER 1.0.15 ----

IAT  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] @ E:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW]  00370010
IAT  E:\Program Files\Google\Chrome\Application\chrome.exe[1700] @ E:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW]  003F0010

---- Modules - GMER 1.0.15 ----

Module  (noname) (*** hidden *** )  F7576000-F7585000 (61440 bytes)

---- Threads - GMER 1.0.15 ----

Thread  System [4:484]  89F73540
Thread  System [4:488]  89F73540
Thread  System [4:492]  89F73540
Thread  System [4:496]  89F73540
Thread  services.exe [672:968]  00BFEE96

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost@netsvcs  6to4?AppMgmt?AudioSrv?Browser?CryptSvc?DMServer?DHCP?ERSvc?EventSystem?FastUserSwitchingCompatibility?HidServ?Ias?Iprip?Irmon?LanmanServer?LanmanWorkstation?Messenger?Netman?Nla?Ntmssvc?NWCWorkstation?Nwsapagent?Rasauto?ibmsmbus?syntp?actser?cpqarry2?svcwmu?se2Cunic?AEADIFilters?nvport?LHidKe?StickyMesger?svv?Intels51?UMPass?twotrack?megamonitorsrv?sit_prt?USR1806V?rimmptsk?pktfilter?webupdate?bobo?venturi2?PSSdk21?vmnetuserif?s116bus?mdc8021x?cusrvc?s716obex?cpucoolserver?acprfmgrsvc?winpowerrmi?IntelC51?sfsync02?aegisp?lgsnd_filter?mr7910?SWUMX51?usnsvc?SQLWriter?proxyhostdriver?cwafreportscheduler?raidmagt?tandpl?EpmShd?ntcharge?filterservice?NETGEAR_MA111?SECYPUSB?F700isw?hclinetd?wlancig?ICAM5USB?epsonstatusagent2?w70n51?emproxy?NMSCFG?AN983?ssrvc?vpcnets2?WmUsbHid?procexp111?USA49W2KP?vclone?wacomvhid?vpctcom?idebusdr?backuplauncher?TCtrlIO?ROCKEYNT?kservice?lktimesync?arkbcfltr?CTSYN?SRTSPL?nod32krn?risdptsk?acermemusagecheckservice?AdobeActiveFileMonitor6.0?dashsvc?SaiClass?VAIOMediaPlatform-VideoSer

---- Files - GMER 1.0.15 ----

File  E:\Documents and Settings\Administrator.DDD\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Cache\f_000105  21971 bytes
File  E:\WINDOWS\system32\was.dll  5120 bytes executable
File  E:\WINDOWS\system32\bthport.dll  5120 bytes executable
File  E:\WINDOWS\system32\Pnp680r.dll  5120 bytes executable
File  E:\WINDOWS\system32\racsvc.dll  5120 bytes executable
File  E:\WINDOWS\system32\PAC7302.dll  5120 bytes executable
File  E:\WINDOWS\$NtUninstallKB41119$\3531138153  0 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209  0 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\@  2048 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\L  0 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\L\qeonqdku  162816 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\loader.tlb  2632 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\U  0 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\U\@00000001  45968 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\U\@000000c0  2560 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\U\@000000cb  3072 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\U\@000000cf  1536 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\U\@80000000  73728 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\U\@800000c0  43008 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\U\@800000cb  25600 bytes
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\U\@800000cf  31232 bytes

---- EOF - GMER 1.0.15 ----
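Editor's note with an added example; this script is not part of the original post and not GMER's own code. Reading a GMER log of this size by hand is error-prone, so the helper below parses the section layout GMER 1.0.15 uses (`---- <name> - GMER 1.0.15 ----` headers, one record per line) and separates the findings a responder acts on from the ones that have a benign explanation. Two points it encodes: the `chrome.exe` entries at `+ 6` / `+ B` in the `ntdll.dll!Nt*` functions and the `CreateNamedPipeW` IAT entry in `RPCRT4.dll` are the exact set of functions Chrome's own sandbox patches in its child processes, so they are reported as expected rather than as unexplained hooks; and `netbt.sys` import entries whose value GMER cannot attribute to any module (a bare dword instead of `[address] module (description)`) are counted per driver, which in this log lines up with GMER's own "suspicious PE modification" verdict on the same file. The `CHROME_SANDBOX_HOOKS` allow-list, the "three or more same-size executables in one directory" heuristic and the record regexes are the editor's assumptions, not GMER output; the `SAMPLE_LOG` is a constructed excerpt of the log above.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not from the original post)."""
import re
from collections import defaultdict

# Functions Chrome's sandbox hooks inside its own child processes (inline patches in
# ntdll plus an IAT hook on CreateNamedPipeW). Analyst-maintained allow-list (assumption).
CHROME_SANDBOX_HOOKS = {
    "NtCreateFile", "NtOpenFile", "NtQueryAttributesFile", "NtQueryFullAttributesFile",
    "NtSetInformationFile", "NtOpenThread", "NtOpenProcess", "NtOpenThreadToken",
    "NtOpenProcessToken", "NtOpenThreadTokenEx", "NtOpenProcessTokenEx",
    "NtMapViewOfSection", "NtUnmapViewOfSection", "NtSetInformationThread",
    "CreateNamedPipeW",
}

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# .text  <path>chrome.exe[1036] ntdll.dll!NtOpenProcess + 6  7C90D604 4 Bytes ...
USER_HOOK_RE = re.compile(r"^\.\w+\s+(.+?)\[(\d+)\]\s+(\S+?)!(\w+)\s*\+\s*([0-9A-F]+)\s+([0-9A-F]{8})")
# IAT  <path>chrome.exe[1036] @ <dll> [KERNEL32.dll!CreateNamedPipeW]  00370010
USER_IAT_RE = re.compile(r"^IAT\s+(.+?)\[(\d+)\]\s+@\s+\S+\s+\[(\S+?)!(\w+)\]")
# IAT  <driver>[ntoskrnl.exe!Func]  <bare dword>  or  [BA3BD080] <module> (<description>)
KERNEL_IAT_RE = re.compile(r"^IAT\s+(\S+)\[(\S+)!(\w+)\]\s+(\[[0-9A-F]{8}\].*|[0-9A-F]{8})$")
FILE_RE = re.compile(r"^File\s+(.+?)\s+(\d+) bytes(\s+executable)?$")
THREAD_RE = re.compile(r"^Thread\s+(\S+)\s+\[(\d+):(\d+)\]\s+([0-9A-F]{8})$")

def split_sections(text):
    """Map each GMER section title to its non-empty record lines; header lines are skipped."""
    sections, current = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current:
            sections[current].append(line)
    return sections

def triage(text):
    """Return (kind, detail) findings; kinds ending in '_chrome_sandbox' are expected noise."""
    s, findings = split_sections(text), []
    tampered = {ln.split()[1] for ln in s.get("Kernel code sections", [])
                if "suspicious PE modification" in ln or 'entry point in ".INIT"' in ln}
    findings += [("kernel_image_tampered", p) for p in sorted(tampered)]
    findings += [("hidden_kernel_module", ln) for ln in s.get("Modules", []) if "*** hidden ***" in ln]
    unresolved = defaultdict(int)        # driver -> imports GMER could not attribute to a module
    for ln in s.get("Kernel IAT/EAT", []):
        m = KERNEL_IAT_RE.match(ln)
        if m and not m.group(4).startswith("["):
            unresolved[m.group(1)] += 1
    for drv, n in unresolved.items():
        findings.append(("kernel_iat_unresolved", f"{drv}: {n} imports point outside any known module"))
    hooks = defaultdict(set)             # (process path, pid) -> hooked function names
    for ln in s.get("User code sections", []):
        m = USER_HOOK_RE.match(ln)
        if m:
            hooks[(m.group(1), m.group(2))].add(m.group(4))
    for ln in s.get("User IAT/EAT", []):
        m = USER_IAT_RE.match(ln)
        if m:
            hooks[(m.group(1), m.group(2))].add(m.group(4))
    for (proc, pid), fns in hooks.items():
        if proc.lower().endswith("chrome.exe") and fns <= CHROME_SANDBOX_HOOKS:
            findings.append(("user_hooks_chrome_sandbox", f"{proc}[{pid}]: {len(fns)} sandbox interceptions, expected"))
        else:
            findings.append(("user_hooks_unexplained", f"{proc}[{pid}]: {sorted(fns)}"))
    by_start = defaultdict(list)         # (process, start address) -> thread ids
    for ln in s.get("Threads", []):
        m = THREAD_RE.match(ln)
        if m:
            by_start[(m.group(1), m.group(4))].append(m.group(3))
    for (proc, addr), tids in by_start.items():
        if len(tids) > 1:
            findings.append(("threads_same_start", f"{proc} tids {tids} all start at {addr}"))
    sizes = defaultdict(list)            # (directory, size) -> executables of that size (heuristic)
    for ln in s.get("Files", []):
        m = FILE_RE.match(ln)
        if m and m.group(3):
            sizes[(m.group(1).rsplit("\\", 1)[0].lower(), int(m.group(2)))].append(m.group(1))
    for (d, size), paths in sizes.items():
        if len(paths) >= 3:
            findings.append(("files_same_size_executables", f"{len(paths)} x {size} bytes in {d}"))
    return findings

# Constructed excerpt of the log on this page (a handful of records from each section).
SAMPLE_LOG = r"""
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-25 11:15:46
---- Kernel code sections - GMER 1.0.15 ----
.text  netbt.sys  BA3A2304 1 Byte  [40]
.INIT  E:\WINDOWS\system32\DRIVERS\netbt.sys  entry point in ".INIT" section [0xBA3B0422]
?      E:\WINDOWS\system32\DRIVERS\netbt.sys  suspicious PE modification
---- User code sections - GMER 1.0.15 ----
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtCreateFile + 6  7C90D0B4 4 Bytes  [28, 00, 20, 00]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtCreateFile + B  7C90D0B9 1 Byte  [E2]
.text  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] ntdll.dll!NtOpenProcess + 6  7C90D604 4 Bytes  [A8, 01, 20, 00]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!MmPageEntireDriver]  0FCF8B0F
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoAllocateWorkItem]  00000000
IAT  \SystemRoot\system32\DRIVERS\netbt.sys[ntoskrnl.exe!IoGetRequestorProcess]  [BA3BD080] \SystemRoot\system32\DRIVERS\netbt.sys (MBT Transport driver/Microsoft Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT  E:\Program Files\Google\Chrome\Application\chrome.exe[1036] @ E:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW]  00370010
---- Modules - GMER 1.0.15 ----
Module  (noname) (*** hidden *** )  F7576000-F7585000 (61440 bytes)
---- Threads - GMER 1.0.15 ----
Thread  System [4:484]  89F73540
Thread  System [4:488]  89F73540
Thread  services.exe [672:968]  00BFEE96
---- Files - GMER 1.0.15 ----
File  E:\WINDOWS\system32\was.dll  5120 bytes executable
File  E:\WINDOWS\system32\bthport.dll  5120 bytes executable
File  E:\WINDOWS\system32\Pnp680r.dll  5120 bytes executable
File  E:\WINDOWS\$NtUninstallKB41119$\967403209\@  2048 bytes
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for kind, detail in triage(SAMPLE_LOG):
        print(f"{kind:30s} {detail}")
```

Run against the full log instead of the excerpt and the same six kinds come out, with `chrome.exe[1700]` joining `[1036]` under the sandbox bucket, 45 unattributed `netbt.sys` imports, and four `System` threads sharing start address `89F73540`. A hook set in any process that is not a subset of the allow-list, or any hook at all in a non-Chrome process, lands in `user_hooks_unexplained` and is the first thing to pull apart.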