GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-18 19:39:19
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-10 TOSHIBA_MQ01ABD050 rev.AX001U 465,76GB
Running: 61n08p1b.exe; Driver: C:\DOCUME~1\Vision\USTAWI~1\Temp\kwayrpod.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF49E4000, 0x2C8F24, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\Explorer.EXE[588] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 02122180; RET
.text C:\WINDOWS\Explorer.EXE[588] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 021226B0; RET
.text C:\WINDOWS\Explorer.EXE[588] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 02122970; RET
.text C:\WINDOWS\Explorer.EXE[588] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 02122910; RET
.text C:\WINDOWS\Explorer.EXE[588] WS2_32.dll!send 71A54C27 6 Bytes PUSH 02123A90; RET
.text D:\61n08p1b.exe[1008] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, 15]
.text D:\61n08p1b.exe[1008] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text D:\61n08p1b.exe[1008] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, 15]
.text D:\61n08p1b.exe[1008] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text D:\61n08p1b.exe[1008] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, 15]
.text D:\61n08p1b.exe[1008] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text D:\61n08p1b.exe[1008] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00152910; RET
.text D:\61n08p1b.exe[1008] ws2_32.dll!send 71A54C27 6 Bytes PUSH 00153A90; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1152] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 04732180; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1152] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 047326B0; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1152] ntdll.dll!NtSetValueKey 
7C90DDCE 6 Bytes PUSH 04732970; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[1152] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 04732910; RET
.text C:\Program Files\Mobogenie\DaemonProcess.exe[1360] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, DD]
.text C:\Program Files\Mobogenie\DaemonProcess.exe[1360] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text C:\Program Files\Mobogenie\DaemonProcess.exe[1360] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, DD]
.text C:\Program Files\Mobogenie\DaemonProcess.exe[1360] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text C:\Program Files\Mobogenie\DaemonProcess.exe[1360] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, DD]
.text C:\Program Files\Mobogenie\DaemonProcess.exe[1360] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text C:\Program Files\Mobogenie\DaemonProcess.exe[1360] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00DD2910; RET
.text C:\Program Files\Mobogenie\DaemonProcess.exe[1360] WS2_32.dll!send 71A54C27 6 Bytes PUSH 00DD3A90; RET
.text C:\WINDOWS\RTHDCPL.EXE[1440] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 02C82180; RET
.text C:\WINDOWS\RTHDCPL.EXE[1440] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 02C826B0; RET
.text C:\WINDOWS\RTHDCPL.EXE[1440] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 02C82970; RET
.text C:\WINDOWS\RTHDCPL.EXE[1440] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 02C82910; RET
.text C:\WINDOWS\system32\ctfmon.exe[1656] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, BF]
.text C:\WINDOWS\system32\ctfmon.exe[1656] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text C:\WINDOWS\system32\ctfmon.exe[1656] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, BF]
.text C:\WINDOWS\system32\ctfmon.exe[1656] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text C:\WINDOWS\system32\ctfmon.exe[1656] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, BF]
.text 
C:\WINDOWS\system32\ctfmon.exe[1656] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text C:\WINDOWS\system32\ctfmon.exe[1656] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00BF2910; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1980] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 03D82180; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1980] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 03D826B0; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1980] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 03D82970; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1980] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 03D82910; RET
.text C:\WINDOWS\system32\wuauclt.exe[2136] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, EC]
.text C:\WINDOWS\system32\wuauclt.exe[2136] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text C:\WINDOWS\system32\wuauclt.exe[2136] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, EC]
.text C:\WINDOWS\system32\wuauclt.exe[2136] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text C:\WINDOWS\system32\wuauclt.exe[2136] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, EC]
.text C:\WINDOWS\system32\wuauclt.exe[2136] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text C:\WINDOWS\system32\wuauclt.exe[2136] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00EC2910; RET
.text C:\WINDOWS\system32\wscntfy.exe[3356] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, C0]
.text C:\WINDOWS\system32\wscntfy.exe[3356] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text C:\WINDOWS\system32\wscntfy.exe[3356] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, C0]
.text C:\WINDOWS\system32\wscntfy.exe[3356] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text C:\WINDOWS\system32\wscntfy.exe[3356] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, C0]
.text 
C:\WINDOWS\system32\wscntfy.exe[3356] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text C:\WINDOWS\system32\wscntfy.exe[3356] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00C02910; RET

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F949E36CB3004C50CF18C3B9B1A1EE8@P_9}(9\x81\5 \4j\5\fïä\0ú.0}\x2dd/0}\xa0o9}`8\x81\5X_9}\xa0\6 02:\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_xJ????@??????????MZ??????????????

---- EOF - GMER 2.1 ----