GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-06 11:24:57
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FB2O
Running: wu5h5iin.exe; Driver: C:\Users\robert\AppData\Local\Temp\kgdiqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text  C:\Windows\system32\DRIVERS\nvlddmkm.sys                                                section is writeable [0x8CC01320, 0x3E4E87, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtCreateFile + 6              7744424A 4 Bytes  [28, 00, 2A, 00] {SUB [EAX], AL; SUB AL, [EAX]}
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtCreateFile + B              7744424F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtMapViewOfSection + 6        7744499A 1 Byte  [28]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtMapViewOfSection + 6        7744499A 4 Bytes  [28, 03, 2A, 00] {SUB [EBX], AL; SUB AL, [EAX]}
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtMapViewOfSection + B        7744499F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtOpenFile + 6                77444A2A 4 Bytes  [68, 00, 2A, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtOpenFile + B                77444A2F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtOpenProcess + 6             77444AAA 4 Bytes  [A8, 01, 2A, 00] {TEST AL, 0x1; SUB AL, [EAX]}
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtOpenProcess + B             77444AAF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtOpenProcessToken + B        77444ABF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtOpenProcessTokenEx + 6      77444ACA 4 Bytes  [A8, 02, 2A, 00] {TEST AL, 0x2; SUB AL, [EAX]}
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtOpenProcessTokenEx + B      77444ACF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtOpenThread + 6              77444B1A 4 Bytes  [68, 01, 2A, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtOpenThread + B              77444B1F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtOpenThreadToken + 6         77444B2A 4 Bytes  [68, 02, 2A, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtOpenThreadToken + B         77444B2F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtOpenThreadTokenEx + B       77444B3F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtQueryAttributesFile + 6     77444BCA 4 Bytes  [A8, 00, 2A, 00] {TEST AL, 0x0; SUB AL, [EAX]}
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtQueryAttributesFile + B     77444BCF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtQueryFullAttributesFile + B 77444C7F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtSetInformationFile + 6      7744515A 4 Bytes  [28, 01, 2A, 00] {SUB [ECX], AL; SUB AL, [EAX]}
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtSetInformationFile + B      7744515F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtSetInformationThread + 6    774451AA 4 Bytes  [28, 02, 2A, 00] {SUB [EDX], AL; SUB AL, [EAX]}
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtSetInformationThread + B    774451AF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtUnmapViewOfSection + 6      7744544A 1 Byte  [68]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtUnmapViewOfSection + 6      7744544A 4 Bytes  [68, 03, 2A, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] ntdll.dll!NtUnmapViewOfSection + B      7744544F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtCreateFile + 6              7744424A 4 Bytes  [28, 00, 2F, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtCreateFile + B              7744424F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtMapViewOfSection + 6        7744499A 1 Byte  [28]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtMapViewOfSection + 6        7744499A 4 Bytes  [28, 03, 2F, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtMapViewOfSection + B        7744499F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenFile + 6                77444A2A 4 Bytes  [68, 00, 2F, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenFile + B                77444A2F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenProcess + 6             77444AAA 4 Bytes  [A8, 01, 2F, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenProcess + B             77444AAF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenProcessToken + B        77444ABF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenProcessTokenEx + 6      77444ACA 4 Bytes  [A8, 02, 2F, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenProcessTokenEx + B      77444ACF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenThread + 6              77444B1A 4 Bytes  [68, 01, 2F, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenThread + B              77444B1F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenThreadToken + 6         77444B2A 4 Bytes  [68, 02, 2F, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenThreadToken + B         77444B2F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtOpenThreadTokenEx + B       77444B3F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtQueryAttributesFile + 6     77444BCA 4 Bytes  [A8, 00, 2F, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtQueryAttributesFile + B     77444BCF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtQueryFullAttributesFile + B 77444C7F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtSetInformationFile + 6      7744515A 4 Bytes  [28, 01, 2F, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtSetInformationFile + B      7744515F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtSetInformationThread + 6    774451AA 4 Bytes  [28, 02, 2F, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtSetInformationThread + B    774451AF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtUnmapViewOfSection + 6      7744544A 1 Byte  [68]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtUnmapViewOfSection + 6      7744544A 4 Bytes  [68, 03, 2F, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] ntdll.dll!NtUnmapViewOfSection + B      7744544F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtCreateFile + 6              7744424A 4 Bytes  [28, 00, 25, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtCreateFile + B              7744424F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtMapViewOfSection + 6        7744499A 1 Byte  [28]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtMapViewOfSection + 6        7744499A 4 Bytes  [28, 03, 25, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtMapViewOfSection + B        7744499F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtOpenFile + 6                77444A2A 4 Bytes  [68, 00, 25, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtOpenFile + B                77444A2F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtOpenProcess + 6             77444AAA 4 Bytes  [A8, 01, 25, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtOpenProcess + B             77444AAF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtOpenProcessToken + B        77444ABF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtOpenProcessTokenEx + 6      77444ACA 4 Bytes  [A8, 02, 25, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtOpenProcessTokenEx + B      77444ACF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtOpenThread + 6              77444B1A 4 Bytes  [68, 01, 25, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtOpenThread + B              77444B1F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtOpenThreadToken + 6         77444B2A 4 Bytes  [68, 02, 25, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtOpenThreadToken + B         77444B2F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtOpenThreadTokenEx + B       77444B3F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtQueryAttributesFile + 6     77444BCA 4 Bytes  [A8, 00, 25, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtQueryAttributesFile + B     77444BCF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtQueryFullAttributesFile + B 77444C7F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtSetInformationFile + 6      7744515A 4 Bytes  [28, 01, 25, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtSetInformationFile + B      7744515F 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtSetInformationThread + 6    774451AA 4 Bytes  [28, 02, 25, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtSetInformationThread + B    774451AF 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtUnmapViewOfSection + 6      7744544A 1 Byte  [68]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtUnmapViewOfSection + 6      7744544A 4 Bytes  [68, 03, 25, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] ntdll.dll!NtUnmapViewOfSection + B      7744544F 1 Byte  [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73DE7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73E2B4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73DEBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73DDF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73DE75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73DDE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73E173F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73DEDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73DDFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73DDFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73DD71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73E6CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73E0C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73DDD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73DD6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73DD687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1336] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73DE2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Program Files\Google\Chrome\Application\chrome.exe[1472] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00010010
IAT  C:\Program Files\Google\Chrome\Application\chrome.exe[1592] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00010010
IAT  C:\Program Files\Google\Chrome\Application\chrome.exe[1716] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 00010010

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0   Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1   Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                  fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186c830d0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186c830d0@c87e75e0d557  0x8A 0x1E 0xA9 0xC8 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186c830d0@d45d42ff7817  0x60 0x2A 0x0B 0x76 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186c830d0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186c830d0@c87e75e0d557  0x8A 0x1E 0xA9 0xC8 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186c830d0@d45d42ff7817  0x60 0x2A 0x0B 0x76 ...

---- EOF - GMER 1.0.15 ----