GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-05-20 02:34:22
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3250310AS rev.3.AAC 232,89GB
Running: m57g1hli.exe; Driver: C:\DOCUME~1\Sonic\USTAWI~1\Temp\pwairfob.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB71733C0, 0x9B091A, 0xE8000020]
?      C:\WINDOWS\SYSTEM32\DRIVERS\NETBT.SYS  suspicious PE modification
.text  C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl  section is writeable [0xAD90A000, 0x2892, 0xE8000020]
.vmp2  C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl  entry point in ".vmp2" section [0xAD92D050]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtCreateFile + 6  7C90D0B4 4 Bytes  [28, A4, CD, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtCreateFile + B  7C90D0B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtMapViewOfSection + 6  7C90D524 4 Bytes  [28, A7, CD, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtMapViewOfSection + B  7C90D529 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenFile + 6  7C90D5A4 4 Bytes  [68, A4, CD, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenFile + B  7C90D5A9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcess + 6  7C90D604 4 Bytes  [A8, A5, CD, 00] {TEST AL, 0xa5; INT 0x0}
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcess + B  7C90D609 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcessToken + 6  7C90D614 4 Bytes  CALL 7B91A3BE
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcessToken + B  7C90D619 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcessTokenEx + 6  7C90D624 4 Bytes  [A8, A6, CD, 00] {TEST AL, 0xa6; INT 0x0}
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcessTokenEx + B  7C90D629 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThread + 6  7C90D664 4 Bytes  [68, A5, CD, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThread + B  7C90D669 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThreadToken + 6  7C90D674 4 Bytes  [68, A6, CD, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThreadToken + B  7C90D679 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThreadTokenEx + 6  7C90D684 4 Bytes  CALL 7B91A42F
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThreadTokenEx + B  7C90D689 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtQueryAttributesFile + 6  7C90D714 4 Bytes  [A8, A4, CD, 00] {TEST AL, 0xa4; INT 0x0}
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtQueryAttributesFile + B  7C90D719 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtQueryFullAttributesFile + 6  7C90D7B4 4 Bytes  CALL 7B91A55D
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtQueryFullAttributesFile + B  7C90D7B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtSetInformationFile + 6  7C90DC64 4 Bytes  [28, A5, CD, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtSetInformationFile + B  7C90DC69 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtSetInformationThread + 6  7C90DCB4 4 Bytes  [28, A6, CD, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtSetInformationThread + B  7C90DCB9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtUnmapViewOfSection + 6  7C90DF14 4 Bytes  [68, A7, CD, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtUnmapViewOfSection + B  7C90DF19 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtCreateFile + 6  7C90D0B4 4 Bytes  [28, F4, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtCreateFile + B  7C90D0B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtMapViewOfSection + 6  7C90D524 4 Bytes  [28, F7, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtMapViewOfSection + B  7C90D529 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenFile + 6  7C90D5A4 4 Bytes  [68, F4, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenFile + B  7C90D5A9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcess + 6  7C90D604 4 Bytes  [A8, F5, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcess + B  7C90D609 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcessToken + 6  7C90D614 4 Bytes  CALL 7B90ED0E
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcessToken + B  7C90D619 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcessTokenEx + 6  7C90D624 4 Bytes  [A8, F6, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenProcessTokenEx + B  7C90D629 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThread + 6  7C90D664 4 Bytes  [68, F5, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThread + B  7C90D669 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThreadToken + 6  7C90D674 4 Bytes  [68, F6, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThreadToken + B  7C90D679 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThreadTokenEx + 6  7C90D684 4 Bytes  CALL 7B90ED7F
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtOpenThreadTokenEx + B  7C90D689 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtQueryAttributesFile + 6  7C90D714 4 Bytes  [A8, F4, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtQueryAttributesFile + B  7C90D719 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtQueryFullAttributesFile + 6  7C90D7B4 4 Bytes  CALL 7B90EEAD
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtQueryFullAttributesFile + B  7C90D7B9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtSetInformationFile + 6  7C90DC64 4 Bytes  [28, F5, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtSetInformationFile + B  7C90DC69 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtSetInformationThread + 6  7C90DCB4 4 Bytes  [28, F6, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtSetInformationThread + B  7C90DCB9 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtUnmapViewOfSection + 6  7C90DF14 4 Bytes  [68, F7, 16, 00]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[2632] ntdll.dll!NtUnmapViewOfSection + B  7C90DF19 1 Byte  [E2]
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3120] CRYPT32.dll!CryptMsgCountersignEncoded + 27A  77A82F42 4 Bytes  JMP 08A2F630
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3120] CRYPT32.dll!CertGetCertificateChain  77A82F47 2 Bytes  [EB, F9] {JMP 0xfffffffb}
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3120] CRYPT32.dll!CertComparePublicKeyInfo + 1E8  77A8B761 4 Bytes  JMP 08A2F6A0
.text  C:\Program Files\Google\Chrome\Application\chrome.exe[3120] CRYPT32.dll!CertVerifyCertificateChainPolicy  77A8B766 2 Bytes  [EB, F9] {JMP 0xfffffffb}
.text  C:\WINDOWS\System32\svchost.exe[3624] USER32.dll!DialogBoxIndirectParamAorW  7E3749D0 5 Bytes  JMP 0093000A
.text  C:\WINDOWS\System32\svchost.exe[3624] USER32.dll!GetCursorPos  7E37974E 5 Bytes  JMP 0092000A
.text  C:\WINDOWS\System32\svchost.exe[3624] ole32.dll!CoCreateInstance  774EF1BC 5 Bytes  JMP 0091000A

---- Trace I/O - GMER 2.1 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x899ed698]<<  899ed698
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a435ab8]  8a435ab8
Trace  3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x89a04278]  89a04278
Trace  \Driver\00004065[0x898ef890] -> IRP_MJ_CREATE -> 0x899ed698  899ed698

---- Modules - GMER 2.1 ----

Module  (noname) (*** hidden *** )  B3EAF000-B3EC7000 (98304 bytes)

---- Processes - GMER 2.1 ----

Process  C:\WINDOWS\System32\svchost.exe (*** hidden *** )  3624

---- Registry - GMER 2.1 ----

Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL

---- Files - GMER 2.1 ----

File  C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4S2SL0YO\stCAVICJTJ  0 bytes
File  C:\Program Files\Microsoft Security Client\Backup\EppManifest.dll  182224 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\pl-pl  0 bytes
File  C:\Program Files\Microsoft Security Client\Backup\pl-pl\EULA.RTF  171322 bytes
File  C:\Program Files\Microsoft Security Client\Backup\pl-pl\setupres.dll.mui  49208 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\setupres.dll  8760 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\x86  0 bytes
File  C:\Program Files\Microsoft Security Client\Backup\x86\dw20shared.msi  1850368 bytes
File  C:\Program Files\Microsoft Security Client\Backup\x86\epp.msi  7106560 bytes
File  C:\Program Files\Microsoft Security Client\Backup\x86\LegitLib.dll  707448 bytes
File  C:\Program Files\Microsoft Security Client\Backup\x86\setup.exe  847920 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\x86\sqmapi.dll  196416 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\x86\Windows6.0-KB981889-v2.msu  1241780 bytes
File  C:\Program Files\Microsoft Security Client\Backup\x86\Windows6.1-KB981889.msu  907883 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\mpfilter  0 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.cat  7679 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.inf  3137 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.sys  195296 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\EULA.RTF  143927 bytes
File  C:\Program Files\Microsoft Security Client\en-us\MpAsDesc.dll.mui  47672 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\mpevmsg.dll.mui  37968 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\MsMpRes.dll.mui  93752 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\setupres.dll.mui  43088 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\shellext.dll.mui  9296 bytes executable
File  C:\Program Files\Microsoft Security Client\pl-pl\EULA.RTF  171322 bytes
File  C:\Program Files\Microsoft Security Client\pl-pl\MsMpRes.dll.mui  107600 bytes executable
File  C:\Program Files\Microsoft Security Client\pl-pl\setupres.dll.mui  49208 bytes executable
File  C:\Program Files\Microsoft Security Client\pl-pl\shellext.dll.mui  9296 bytes executable
File  C:\WINDOWS\$NtUninstallKB30729$\1623554698  0 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924  0 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\@  2048 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\Desktop.ini  4608 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\L  0 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\L\00000004.@  804 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\L\201d3dde  236 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\L\6715e287  107 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\L\76603ac3  2416 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\L\exspopvu  162816 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\U  0 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\U\00000004.@  2048 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\U\00000008.@  1024 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\U\000000cb.@  1632 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\U\80000000.@  11776 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\U\80000032.@  90624 bytes

---- EOF - GMER 2.1 ----