GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-13 15:17:31
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3320418AS rev.CC38 298,09GB
Running: gujd39ej.exe; Driver: C:\DOCUME~1\Admin\USTAWI~1\Temp\ffndakoc.sys

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\System32\svchost.exe[856] ntdll.dll!NtQueryInformationProcess  7C90D7E0 5 Bytes  JMP 015FADCD
.text  C:\WINDOWS\System32\svchost.exe[856] NETAPI32.dll!NetpwPathCanonicalize  6FF4A3A9 5 Bytes  JMP 015FAD64
.text  C:\WINDOWS\system32\svchost.exe[900] ntdll.dll!NtQueryInformationProcess  7C90D7E0 5 Bytes  JMP 0097ADCD

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip     arcawfp.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp    arcawfp.sys
AttachedDevice  \Driver\Tcpip \Device\Udp    arcawfp.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  arcawfp.sys
AttachedDevice  \FileSystem\Fastfat \Fat     fltMgr.sys

---- Services - GMER 2.1 ----

Service  C:\WINDOWS\system32\cljtj.dll (*** hidden *** )            [AUTO] fkczmzlrw  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\cljtj.dll (*** hidden *** )            [AUTO] jrndnunlg  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\cljtj.dll (*** hidden *** )            [AUTO] stxqdgyoo  <-- ROOTKIT !!!
Service  C:\Program Files\Movie Maker\cljtj.dll (*** hidden *** )   [AUTO] vesmabzas  <-- ROOTKIT !!!

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\fkczmzlrw@DisplayName    Network Support
Reg  HKLM\SYSTEM\CurrentControlSet\Services\fkczmzlrw@Type           32
Reg  HKLM\SYSTEM\CurrentControlSet\Services\fkczmzlrw@Start          2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\fkczmzlrw@ErrorControl   0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\fkczmzlrw@ImagePath      %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\fkczmzlrw@ObjectName     LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\fkczmzlrw@Description    Konserwuje łącza między plikami systemu NTFS w komputerze lub komputerach w domenie sieciowej.
Reg  HKLM\SYSTEM\CurrentControlSet\Services\fkczmzlrw\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\fkczmzlrw\Parameters@ServiceDll  C:\WINDOWS\system32\cljtj.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\fkczmzlrw
Reg  HKLM\SYSTEM\CurrentControlSet\Services\jrndnunlg@DisplayName    Security Windows
Reg  HKLM\SYSTEM\CurrentControlSet\Services\jrndnunlg@Type           32
Reg  HKLM\SYSTEM\CurrentControlSet\Services\jrndnunlg@Start          2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\jrndnunlg@ErrorControl   0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\jrndnunlg@ImagePath      %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\jrndnunlg@ObjectName     LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\jrndnunlg@Description    Tworzy i zachowuje połączenia sieciowe klientów z serwerami zdalnymi. Jeśli ta usługa zostanie zatrzymana, połączenia te staną się niedostępne. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
Reg  HKLM\SYSTEM\CurrentControlSet\Services\jrndnunlg\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\jrndnunlg\Parameters@ServiceDll  C:\WINDOWS\system32\cljtj.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\jrndnunlg
Reg  HKLM\SYSTEM\CurrentControlSet\Services\stxqdgyoo@DisplayName    Shell System
Reg  HKLM\SYSTEM\CurrentControlSet\Services\stxqdgyoo@Type           32
Reg  HKLM\SYSTEM\CurrentControlSet\Services\stxqdgyoo@Start          2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\stxqdgyoo@ErrorControl   0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\stxqdgyoo@ImagePath      %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\stxqdgyoo@ObjectName     LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\stxqdgyoo@Description    Zapewnia chroniony magazyn dla wrażliwych danych, takich jak klucze prywatne, w celu ich ochrony przed dostępem niepowołanych usług, procesów lub użytkowników.
Reg  HKLM\SYSTEM\CurrentControlSet\Services\stxqdgyoo\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\stxqdgyoo\Parameters@ServiceDll  C:\WINDOWS\system32\cljtj.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\stxqdgyoo
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vesmabzas@DisplayName    Task Monitor
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vesmabzas@Type           32
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vesmabzas@Start          2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vesmabzas@ErrorControl   0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vesmabzas@ImagePath      %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vesmabzas@ObjectName     LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vesmabzas@Description    Zapewnia usługi pozyskiwania obrazów dla skanerów i aparatów fotograficznych.
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vesmabzas\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vesmabzas\Parameters@ServiceDll  C:\Program Files\Movie Maker\cljtj.dll
Reg  HKLM\SYSTEM\CurrentControlSet\Services\vesmabzas
Reg  HKLM\SYSTEM\ControlSet002\Services\fkczmzlrw@DisplayName        Network Support
Reg  HKLM\SYSTEM\ControlSet002\Services\fkczmzlrw@Type               32
Reg  HKLM\SYSTEM\ControlSet002\Services\fkczmzlrw@Start              2
Reg  HKLM\SYSTEM\ControlSet002\Services\fkczmzlrw@ErrorControl       0
Reg  HKLM\SYSTEM\ControlSet002\Services\fkczmzlrw@ImagePath          %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet002\Services\fkczmzlrw@ObjectName         LocalSystem
Reg  HKLM\SYSTEM\ControlSet002\Services\fkczmzlrw@Description        Konserwuje łącza między plikami systemu NTFS w komputerze lub komputerach w domenie sieciowej.
Reg  HKLM\SYSTEM\ControlSet002\Services\fkczmzlrw\Parameters (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\fkczmzlrw\Parameters@ServiceDll  C:\WINDOWS\system32\cljtj.dll
Reg  HKLM\SYSTEM\ControlSet002\Services\jrndnunlg@DisplayName        Security Windows
Reg  HKLM\SYSTEM\ControlSet002\Services\jrndnunlg@Type               32
Reg  HKLM\SYSTEM\ControlSet002\Services\jrndnunlg@Start              2
Reg  HKLM\SYSTEM\ControlSet002\Services\jrndnunlg@ErrorControl       0
Reg  HKLM\SYSTEM\ControlSet002\Services\jrndnunlg@ImagePath          %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet002\Services\jrndnunlg@ObjectName         LocalSystem
Reg  HKLM\SYSTEM\ControlSet002\Services\jrndnunlg@Description        Tworzy i zachowuje połączenia sieciowe klientów z serwerami zdalnymi. Jeśli ta usługa zostanie zatrzymana, połączenia te staną się niedostępne. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
Reg  HKLM\SYSTEM\ControlSet002\Services\jrndnunlg\Parameters (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\jrndnunlg\Parameters@ServiceDll  C:\WINDOWS\system32\cljtj.dll
Reg  HKLM\SYSTEM\ControlSet002\Services\stxqdgyoo@DisplayName        Shell System
Reg  HKLM\SYSTEM\ControlSet002\Services\stxqdgyoo@Type               32
Reg  HKLM\SYSTEM\ControlSet002\Services\stxqdgyoo@Start              2
Reg  HKLM\SYSTEM\ControlSet002\Services\stxqdgyoo@ErrorControl       0
Reg  HKLM\SYSTEM\ControlSet002\Services\stxqdgyoo@ImagePath          %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet002\Services\stxqdgyoo@ObjectName         LocalSystem
Reg  HKLM\SYSTEM\ControlSet002\Services\stxqdgyoo@Description        Zapewnia chroniony magazyn dla wrażliwych danych, takich jak klucze prywatne, w celu ich ochrony przed dostępem niepowołanych usług, procesów lub użytkowników.
Reg  HKLM\SYSTEM\ControlSet002\Services\stxqdgyoo\Parameters (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\stxqdgyoo\Parameters@ServiceDll  C:\WINDOWS\system32\cljtj.dll
Reg  HKLM\SYSTEM\ControlSet002\Services\vesmabzas@DisplayName        Task Monitor
Reg  HKLM\SYSTEM\ControlSet002\Services\vesmabzas@Type               32
Reg  HKLM\SYSTEM\ControlSet002\Services\vesmabzas@Start              2
Reg  HKLM\SYSTEM\ControlSet002\Services\vesmabzas@ErrorControl       0
Reg  HKLM\SYSTEM\ControlSet002\Services\vesmabzas@ImagePath          %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet002\Services\vesmabzas@ObjectName         LocalSystem
Reg  HKLM\SYSTEM\ControlSet002\Services\vesmabzas@Description        Zapewnia usługi pozyskiwania obrazów dla skanerów i aparatów fotograficznych.
Reg  HKLM\SYSTEM\ControlSet002\Services\vesmabzas\Parameters (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\vesmabzas\Parameters@ServiceDll  C:\Program Files\Movie Maker\cljtj.dll

---- EOF - GMER 2.1 ----