GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-26 16:02:28
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD800BB-00FRA0 rev.77.07W77 74,53GB
Running: cgxfrddq.exe; Driver: C:\DOCUME~1\Ja\USTAWI~1\Temp\kwpyraow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF613C360, 0x3D46A5, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\svchost.exe[220] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 00604760 c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
.text C:\WINDOWS\Explorer.EXE[244] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 008F4760 c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
.text C:\WINDOWS\Explorer.EXE[244] SHELL32.dll!StrStrW 7C9CEEA0 8 Bytes [E0, 10, 60, 19, 00, 11, 60, ...] {LOOPNZ 0x12; PUSHA ; SBB [EAX], EAX; ADC [EAX+0x19], ESP}
.text C:\Program Files\Desk 365\deskSvc.exe[416] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 00894760 c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
.text C:\Program Files\WinZipper\winzipersvc.exe[440] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 00894760 c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
.text C:\WINDOWS\system32\winlogon.exe[556] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 00524760 c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
.text C:\Program Files\Movies Toolbar\Datamngr\DatamngrCoordinator.exe[756] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 01E44760 c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
.text C:\documents and settings\ja\ustawienia lokalne\dane aplikacji\lollipop\lollipop.exe[776] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 10004760 C:\Documents and Settings\All Users\Dane aplikacji\BrowserDefender\2.6.1519.190\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserDefender.dll
.text ...

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\svchost.exe[220] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [0060A190] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[220] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [0060A1F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[220] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [0060E1D0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[220] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [0060E290] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\Explorer.EXE[244] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryExA] [008FA130] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\Explorer.EXE[244] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryExW] [008FA190] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\Explorer.EXE[244] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryA] [008FA1F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\Explorer.EXE[244] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryW] [008FA240] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[556] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryW] [0052A240] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[556] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryExW] [0052A190] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[556] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryA] [0052A1F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[556] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryExA] [0052A130] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[556] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtOpenFile] [0052A3B0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[556] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtOpenKey] [0052E1D0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[556] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtQueryValueKey] [0052E080] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[556] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtClose] [0052E290] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[556] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtSetValueKey] [0052E0F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[556] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtCreateKey] [0052E160] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!LoadLibraryA] [0064A1F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!LoadLibraryW] [0064A240] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtCreateKey] [0064E160] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryValueKey] [0064E080] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtSetValueKey] [0064E0F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteValueKey] [0064E360] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtEnumerateKey] [0064DFA0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtOpenKey] [0064E1D0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteKey] [0064E310] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtSetInformationFile] [0064A560] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryInformationFile] [00649AB0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteFile] [0064A510] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtOpenFile] [0064A3B0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryKey] [00649A70] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[960] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtClose] [0064E290] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1196] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [0060A190] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1196] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [0060A1F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1196] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [0060E1D0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1196] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [0060E290] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1264] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [0060A190] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1264] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [0060A1F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1264] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [0060E1D0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1264] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [0060E290] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [0060A190] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [0060A1F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [0060E1D0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1616] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] [0060E290] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1660] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [0060A190] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1660] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [0060A1F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1660] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [0060E1D0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1660] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [0060E290] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1800] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [0060A190] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1800] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [0060A1F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1800] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [0060E1D0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1800] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [0060E290] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[2240] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [0060A190] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[2240] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [0060A1F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[2240] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [0060E1D0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[2240] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [0060E290] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[2860] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [0060A190] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[2860] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [0060A1F0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[2860] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [0060E1D0] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[2860] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [0060E290] c:\docume~1\alluse~1\daneap~1\browse~2\261519~1.190\{c16c1~1\browse~1.dll

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 4218
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B49C8D37-F2CA-4443-8C28-3F7BC52E0731}@LeaseObtainedTime 1377518792
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B49C8D37-F2CA-4443-8C28-3F7BC52E0731}@T1 1377520592
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B49C8D37-F2CA-4443-8C28-3F7BC52E0731}@T2 1377521942
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B49C8D37-F2CA-4443-8C28-3F7BC52E0731}@LeaseTerminatesTime 1377522392
Reg HKLM\SYSTEM\CurrentControlSet\Services\{B49C8D37-F2CA-4443-8C28-3F7BC52E0731}\Parameters\Tcpip@LeaseObtainedTime 1377518792
Reg HKLM\SYSTEM\CurrentControlSet\Services\{B49C8D37-F2CA-4443-8C28-3F7BC52E0731}\Parameters\Tcpip@T1 1377520592
Reg HKLM\SYSTEM\CurrentControlSet\Services\{B49C8D37-F2CA-4443-8C28-3F7BC52E0731}\Parameters\Tcpip@T2 1377521942
Reg HKLM\SYSTEM\CurrentControlSet\Services\{B49C8D37-F2CA-4443-8C28-3F7BC52E0731}\Parameters\Tcpip@LeaseTerminatesTime 1377522392

---- EOF - GMER 2.1 ----