GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-31 20:29:29
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-6 SAMSUNG_HD161HJ rev.JF100-19
Running: o0d79nb9.exe; Driver: C:\Users\Dagmarka\AppData\Local\Temp\ugrdipoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!ZwSaveKeyEx + 13B1    820788E9 1 Byte  [06]
.text  ntoskrnl.exe!KiDispatchInterrupt + 5A2    820983B2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtCreateFile + 6    77A84A16 4 Bytes  [28, 00, 1B, 00] {SUB [EAX], AL; SBB EAX, [EAX]}
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtCreateFile + B    77A84A1B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtMapViewOfSection + 6    77A85076 1 Byte  [28]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtMapViewOfSection + 6    77A85076 4 Bytes  [28, 03, 1B, 00] {SUB [EBX], AL; SBB EAX, [EAX]}
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtMapViewOfSection + B    77A8507B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenFile + 6    77A85126 4 Bytes  [68, 00, 1B, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenFile + B    77A8512B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenProcess + 6    77A851D6 4 Bytes  [A8, 01, 1B, 00] {TEST AL, 0x1; SBB EAX, [EAX]}
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenProcess + B    77A851DB 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenProcessToken + 6    77A851E6 4 Bytes  CALL 76A86CEC C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenProcessToken + B    77A851EB 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenProcessTokenEx + 6    77A851F6 4 Bytes  [A8, 02, 1B, 00] {TEST AL, 0x2; SBB EAX, [EAX]}
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenProcessTokenEx + B    77A851FB 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenThread + 6    77A85256 4 Bytes  [68, 01, 1B, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenThread + B    77A8525B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenThreadToken + 6    77A85266 4 Bytes  [68, 02, 1B, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenThreadToken + B    77A8526B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenThreadTokenEx + 6    77A85276 4 Bytes  CALL 76A86D7D C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtOpenThreadTokenEx + B    77A8527B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtQueryAttributesFile + 6    77A85386 4 Bytes  [A8, 00, 1B, 00] {TEST AL, 0x0; SBB EAX, [EAX]}
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtQueryAttributesFile + B    77A8538B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtQueryFullAttributesFile + 6    77A85436 4 Bytes  CALL 76A86F3B C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtQueryFullAttributesFile + B    77A8543B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtSetInformationFile + 6    77A85A86 4 Bytes  [28, 01, 1B, 00] {SUB [ECX], AL; SBB EAX, [EAX]}
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtSetInformationFile + B    77A85A8B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtSetInformationThread + 6    77A85AE6 4 Bytes  [28, 02, 1B, 00] {SUB [EDX], AL; SBB EAX, [EAX]}
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtSetInformationThread + B    77A85AEB 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtUnmapViewOfSection + 6    77A85E06 1 Byte  [68]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtUnmapViewOfSection + 6    77A85E06 4 Bytes  [68, 03, 1B, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[332] ntdll.dll!NtUnmapViewOfSection + B    77A85E0B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtCreateFile + 6    77A84A16 4 Bytes  [28, 00, 36, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtCreateFile + B    77A84A1B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtMapViewOfSection + 6    77A85076 1 Byte  [28]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtMapViewOfSection + 6    77A85076 4 Bytes  [28, 03, 36, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtMapViewOfSection + B    77A8507B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenFile + 6    77A85126 4 Bytes  [68, 00, 36, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenFile + B    77A8512B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenProcess + 6    77A851D6 4 Bytes  [A8, 01, 36, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenProcess + B    77A851DB 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenProcessToken + 6    77A851E6 4 Bytes  CALL 76A887EC C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenProcessToken + B    77A851EB 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenProcessTokenEx + 6    77A851F6 4 Bytes  [A8, 02, 36, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenProcessTokenEx + B    77A851FB 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenThread + 6    77A85256 4 Bytes  [68, 01, 36, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenThread + B    77A8525B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenThreadToken + 6    77A85266 4 Bytes  [68, 02, 36, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenThreadToken + B    77A8526B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenThreadTokenEx + 6    77A85276 4 Bytes  CALL 76A8887D C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtOpenThreadTokenEx + B    77A8527B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtQueryAttributesFile + 6    77A85386 4 Bytes  [A8, 00, 36, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtQueryAttributesFile + B    77A8538B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtQueryFullAttributesFile + 6    77A85436 4 Bytes  CALL 76A88A3B C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation)
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtQueryFullAttributesFile + B    77A8543B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtSetInformationFile + 6    77A85A86 4 Bytes  [28, 01, 36, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtSetInformationFile + B    77A85A8B 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtSetInformationThread + 6    77A85AE6 4 Bytes  [28, 02, 36, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtSetInformationThread + B    77A85AEB 1 Byte  [E2]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtUnmapViewOfSection + 6    77A85E06 1 Byte  [68]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtUnmapViewOfSection + 6    77A85E06 4 Bytes  [68, 03, 36, 00]
.text  C:\Users\Dagmarka\AppData\Local\Google\Chrome\Application\chrome.exe[1916] ntdll.dll!NtUnmapViewOfSection + B    77A85E0B 1 Byte  [E2]

---- Devices - GMER 1.0.15 ----

Device  \Driver\ACPI_HAL \Device\00000043    halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1    rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2    rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3    rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4    fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4    rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat    fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----