GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-11 13:22:45
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600JS-55NCB1 rev.10.02E01 149,05GB
Running: 13h3ynwh.exe; Driver: C:\DOCUME~1\Admin\USTAWI~1\Temp\uwtyipog.sys

---- User code sections - GMER 2.0 ----

.text  C:\WINDOWS\System32\svchost.exe[1124] ntdll.dll!NtQueryInformationProcess                         7C90D7FE 5 Bytes  JMP 026FADCD
.text  C:\WINDOWS\System32\svchost.exe[1124] NETAPI32.dll!NetpwPathCanonicalize                           6FF4A3A9 5 Bytes  JMP 026FAD64
.text  C:\WINDOWS\system32\svchost.exe[1176] ntdll.dll!NtQueryInformationProcess                         7C90D7FE 5 Bytes  JMP 0097ADCD
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtCreateFile + 6            7C90D0B4 4 Bytes  [28, 80, 17, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtCreateFile + B            7C90D0B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtMapViewOfSection + 6      7C90D524 4 Bytes  [28, 83, 17, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtMapViewOfSection + B      7C90D529 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenFile + 6              7C90D5A4 4 Bytes  [68, 80, 17, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenFile + B              7C90D5A9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenProcess + 6           7C90D604 4 Bytes  [A8, 81, 17, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenProcess + B           7C90D609 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenProcessToken + 6      7C90D614 4 Bytes  CALL 7B90ED9A
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenProcessToken + B      7C90D619 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenProcessTokenEx + 6    7C90D624 4 Bytes  [A8, 82, 17, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenProcessTokenEx + B    7C90D629 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenThread + 6            7C90D664 4 Bytes  [68, 81, 17, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenThread + B            7C90D669 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenThreadToken + 6       7C90D674 4 Bytes  [68, 82, 17, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenThreadToken + B       7C90D679 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenThreadTokenEx + 6     7C90D684 4 Bytes  CALL 7B90EE0B
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtOpenThreadTokenEx + B     7C90D689 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtQueryAttributesFile + 6   7C90D714 4 Bytes  [A8, 80, 17, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtQueryAttributesFile + B   7C90D719 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtQueryFullAttributesFile + 6  7C90D7B4 4 Bytes  CALL 7B90EF39
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtQueryFullAttributesFile + B  7C90D7B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtSetInformationFile + 6    7C90DC64 4 Bytes  [28, 81, 17, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtSetInformationFile + B    7C90DC69 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtSetInformationThread + 6  7C90DCB4 4 Bytes  [28, 82, 17, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtSetInformationThread + B  7C90DCB9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtUnmapViewOfSection + 6    7C90DF14 4 Bytes  [68, 83, 17, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] ntdll.dll!NtUnmapViewOfSection + B    7C90DF19 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtCreateFile + 6            7C90D0B4 4 Bytes  [28, D0, 1E, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtCreateFile + B            7C90D0B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtMapViewOfSection + 6      7C90D524 4 Bytes  [28, D3, 1E, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtMapViewOfSection + B      7C90D529 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenFile + 6              7C90D5A4 4 Bytes  [68, D0, 1E, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenFile + B              7C90D5A9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenProcess + 6           7C90D604 4 Bytes  [A8, D1, 1E, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenProcess + B           7C90D609 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenProcessToken + 6      7C90D614 4 Bytes  CALL 7B90F4EA
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenProcessToken + B      7C90D619 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenProcessTokenEx + 6    7C90D624 4 Bytes  [A8, D2, 1E, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenProcessTokenEx + B    7C90D629 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenThread + 6            7C90D664 4 Bytes  [68, D1, 1E, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenThread + B            7C90D669 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenThreadToken + 6       7C90D674 4 Bytes  [68, D2, 1E, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenThreadToken + B       7C90D679 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenThreadTokenEx + 6     7C90D684 4 Bytes  CALL 7B90F55B
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtOpenThreadTokenEx + B     7C90D689 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtQueryAttributesFile + 6   7C90D714 4 Bytes  [A8, D0, 1E, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtQueryAttributesFile + B   7C90D719 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtQueryFullAttributesFile + 6  7C90D7B4 4 Bytes  CALL 7B90F689
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtQueryFullAttributesFile + B  7C90D7B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtSetInformationFile + 6    7C90DC64 4 Bytes  [28, D1, 1E, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtSetInformationFile + B    7C90DC69 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtSetInformationThread + 6  7C90DCB4 4 Bytes  [28, D2, 1E, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtSetInformationThread + B  7C90DCB9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtUnmapViewOfSection + 6    7C90DF14 4 Bytes  [68, D3, 1E, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] ntdll.dll!NtUnmapViewOfSection + B    7C90DF19 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtCreateFile + 6            7C90D0B4 4 Bytes  [28, 94, A0, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtCreateFile + B            7C90D0B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtMapViewOfSection + 6      7C90D524 4 Bytes  [28, 97, A0, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtMapViewOfSection + B      7C90D529 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenFile + 6              7C90D5A4 4 Bytes  [68, 94, A0, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenFile + B              7C90D5A9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenProcess + 6           7C90D604 4 Bytes  [A8, 95, A0, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenProcess + B           7C90D609 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenProcessToken + 6      7C90D614 4 Bytes  CALL 7B9176AE
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenProcessToken + B      7C90D619 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenProcessTokenEx + 6    7C90D624 4 Bytes  [A8, 96, A0, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenProcessTokenEx + B    7C90D629 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenThread + 6            7C90D664 4 Bytes  [68, 95, A0, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenThread + B            7C90D669 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenThreadToken + 6       7C90D674 4 Bytes  [68, 96, A0, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenThreadToken + B       7C90D679 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenThreadTokenEx + 6     7C90D684 4 Bytes  CALL 7B91771F
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtOpenThreadTokenEx + B     7C90D689 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtQueryAttributesFile + 6   7C90D714 4 Bytes  [A8, 94, A0, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtQueryAttributesFile + B   7C90D719 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtQueryFullAttributesFile + 6  7C90D7B4 4 Bytes  CALL 7B91784D
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtQueryFullAttributesFile + B  7C90D7B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtSetInformationFile + 6    7C90DC64 4 Bytes  [28, 95, A0, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtSetInformationFile + B    7C90DC69 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtSetInformationThread + 6  7C90DCB4 4 Bytes  [28, 96, A0, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtSetInformationThread + B  7C90DCB9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtUnmapViewOfSection + 6    7C90DF14 4 Bytes  [68, 97, A0, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] ntdll.dll!NtUnmapViewOfSection + B    7C90DF19 1 Byte  [E2]

---- User IAT/EAT - GMER 2.0 ----

IAT  C:\Program Files\Google\Chrome\Application\chrome.exe[2060] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW]  002E0010
IAT  C:\Program Files\Google\Chrome\Application\chrome.exe[2644] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW]  00350010
IAT  C:\Program Files\Google\Chrome\Application\chrome.exe[3912] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW]  00B60010

---- Registry - GMER 2.0 ----

Reg  HKLM\SYSTEM\ControlSet003\Services\mkgnqesox@DisplayName          Shell Image
Reg  HKLM\SYSTEM\ControlSet003\Services\mkgnqesox@Type                 32
Reg  HKLM\SYSTEM\ControlSet003\Services\mkgnqesox@Start                2
Reg  HKLM\SYSTEM\ControlSet003\Services\mkgnqesox@ErrorControl         0
Reg  HKLM\SYSTEM\ControlSet003\Services\mkgnqesox@ImagePath            %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet003\Services\mkgnqesox@ObjectName           LocalSystem
Reg  HKLM\SYSTEM\ControlSet003\Services\mkgnqesox@Description          Monitoruje ustawienia zabezpieczeń i konfiguracje systemu.
Reg  HKLM\SYSTEM\ControlSet003\Services\mkgnqesox\Parameters (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\mkgnqesox\Parameters@ServiceDll  C:\WINDOWS\system32\cjuhh.dll
Reg  HKLM\SYSTEM\ControlSet003\Services\weqbn@DisplayName              Helper Support
Reg  HKLM\SYSTEM\ControlSet003\Services\weqbn@Type                     32
Reg  HKLM\SYSTEM\ControlSet003\Services\weqbn@Start                    2
Reg  HKLM\SYSTEM\ControlSet003\Services\weqbn@ErrorControl             0
Reg  HKLM\SYSTEM\ControlSet003\Services\weqbn@ImagePath                %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet003\Services\weqbn@ObjectName               LocalSystem
Reg  HKLM\SYSTEM\ControlSet003\Services\weqbn@Description              ArcaBit packages tasks module
Reg  HKLM\SYSTEM\ControlSet003\Services\weqbn\Parameters (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\weqbn\Parameters@ServiceDll    C:\Program Files\Movie Maker\cjuhh.dll
Reg  HKLM\SYSTEM\ControlSet003\Services\yodky@DisplayName              Monitor Driver
Reg  HKLM\SYSTEM\ControlSet003\Services\yodky@Type                     32
Reg  HKLM\SYSTEM\ControlSet003\Services\yodky@Start                    2
Reg  HKLM\SYSTEM\ControlSet003\Services\yodky@ErrorControl             0
Reg  HKLM\SYSTEM\ControlSet003\Services\yodky@ImagePath                %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet003\Services\yodky@ObjectName               LocalSystem
Reg  HKLM\SYSTEM\ControlSet003\Services\yodky@Description              Wykrywa i monitoruje nowe dyski twarde i wysyła informacje o woluminach do usługi administracyjnej Menedżera dysków logicznych w celu konfiguracji. Jeśli ta usługa zostanie zatrzymana, informacje o stanie i konfiguracji dysków dynamicznych mogą stać się nieaktualne. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
Reg  HKLM\SYSTEM\ControlSet003\Services\yodky\Parameters (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\yodky\Parameters@ServiceDll    C:\Documents and Settings\NetworkService\Dane aplikacji\cjuhh.dll
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\BITS@StateIndex    1

---- EOF - GMER 2.0 ----