GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-04-19 21:29:18
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-10 TOSHIBA_MQ01ABD050 rev.AX001U 465,76GB
Running: 61n08p1b.exe; Driver: C:\DOCUME~1\Vision\USTAWI~1\Temp\kwayrpod.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF3FDD000, 0x2C8F24, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\Explorer.EXE[228] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 01B92180; RET
.text C:\WINDOWS\Explorer.EXE[228] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 01B926B0; RET
.text C:\WINDOWS\Explorer.EXE[228] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 01B92970; RET
.text C:\WINDOWS\Explorer.EXE[228] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 01B92910; RET
.text C:\WINDOWS\Explorer.EXE[228] WS2_32.dll!send 71A54C27 6 Bytes PUSH 01B93A90; RET
.text C:\Documents and Settings\Vision\Dane aplikacji\uTorrent\uTorrent.exe[776] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, 15]
.text C:\Documents and Settings\Vision\Dane aplikacji\uTorrent\uTorrent.exe[776] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text C:\Documents and Settings\Vision\Dane aplikacji\uTorrent\uTorrent.exe[776] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, 15]
.text C:\Documents and Settings\Vision\Dane aplikacji\uTorrent\uTorrent.exe[776] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text C:\Documents and Settings\Vision\Dane aplikacji\uTorrent\uTorrent.exe[776] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, 15]
.text C:\Documents and Settings\Vision\Dane aplikacji\uTorrent\uTorrent.exe[776] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text C:\Documents and Settings\Vision\Dane aplikacji\uTorrent\uTorrent.exe[776] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00152910; RET
.text C:\Documents and Settings\Vision\Dane aplikacji\uTorrent\uTorrent.exe[776] WS2_32.dll!send 71A54C27 6 Bytes PUSH 00153A90; RET
.text C:\WINDOWS\system32\wscntfy.exe[1020] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, BB]
.text C:\WINDOWS\system32\wscntfy.exe[1020] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text C:\WINDOWS\system32\wscntfy.exe[1020] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, BB]
.text C:\WINDOWS\system32\wscntfy.exe[1020] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text C:\WINDOWS\system32\wscntfy.exe[1020] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, BB]
.text C:\WINDOWS\system32\wscntfy.exe[1020] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text C:\WINDOWS\system32\wscntfy.exe[1020] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00BB2910; RET
.text C:\WINDOWS\system32\wuauclt.exe[1260] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, 10]
.text C:\WINDOWS\system32\wuauclt.exe[1260] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text C:\WINDOWS\system32\wuauclt.exe[1260] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, 10]
.text C:\WINDOWS\system32\wuauclt.exe[1260] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text C:\WINDOWS\system32\wuauclt.exe[1260] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, 10]
.text C:\WINDOWS\system32\wuauclt.exe[1260] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text C:\WINDOWS\system32\wuauclt.exe[1260] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00102910; RET
.text C:\WINDOWS\RTHDCPL.EXE[1324] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 04562180; RET
.text C:\WINDOWS\RTHDCPL.EXE[1324] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 045626B0; RET
.text C:\WINDOWS\RTHDCPL.EXE[1324] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 04562970; RET
.text C:\WINDOWS\RTHDCPL.EXE[1324] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 04562910; RET
.text C:\WINDOWS\system32\ctfmon.exe[1356] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, D2]
.text C:\WINDOWS\system32\ctfmon.exe[1356] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text C:\WINDOWS\system32\ctfmon.exe[1356] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, D2]
.text C:\WINDOWS\system32\ctfmon.exe[1356] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text C:\WINDOWS\system32\ctfmon.exe[1356] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, D2]
.text C:\WINDOWS\system32\ctfmon.exe[1356] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text C:\WINDOWS\system32\ctfmon.exe[1356] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00D22910; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1880] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, 48]
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1880] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1880] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, 48]
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1880] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1880] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, 48]
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1880] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[1880] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00482910; RET
.text C:\WINDOWS\system32\taskmgr.exe[2736] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, 0C]
.text C:\WINDOWS\system32\taskmgr.exe[2736] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text C:\WINDOWS\system32\taskmgr.exe[2736] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, 0C]
.text C:\WINDOWS\system32\taskmgr.exe[2736] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text C:\WINDOWS\system32\taskmgr.exe[2736] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, 0C]
.text C:\WINDOWS\system32\taskmgr.exe[2736] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text C:\WINDOWS\system32\taskmgr.exe[2736] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 000C2910; RET
.text C:\WINDOWS\system32\taskmgr.exe[2736] WS2_32.dll!send 71A54C27 6 Bytes PUSH 000C3A90; RET
.text C:\Program Files\Mozilla Firefox\firefox.exe[2928] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, 17]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2928] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2928] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, 17]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2928] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2928] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, 17]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2928] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2928] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00172910; RET
.text F:\Viewer.exe[3208] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, CB]
.text F:\Viewer.exe[3208] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text F:\Viewer.exe[3208] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, CB]
.text F:\Viewer.exe[3208] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text F:\Viewer.exe[3208] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, CB]
.text F:\Viewer.exe[3208] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text F:\Viewer.exe[3208] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00CB2910; RET
.text F:\Viewer.exe[3208] WS2_32.dll!send 71A54C27 6 Bytes PUSH 00CB3A90; RET
.text D:\61n08p1b.exe[3244] ntdll.dll!NtQueryDirectoryFile 7C90D76E 4 Bytes [68, 80, 21, 15]
.text D:\61n08p1b.exe[3244] ntdll.dll!NtQueryDirectoryFile + 5 7C90D773 1 Byte [C3]
.text D:\61n08p1b.exe[3244] ntdll.dll!NtResumeThread 7C90DB3E 4 Bytes [68, B0, 26, 15]
.text D:\61n08p1b.exe[3244] ntdll.dll!NtResumeThread + 5 7C90DB43 1 Byte [C3]
.text D:\61n08p1b.exe[3244] ntdll.dll!NtSetValueKey 7C90DDCE 4 Bytes [68, 70, 29, 15]
.text D:\61n08p1b.exe[3244] ntdll.dll!NtSetValueKey + 5 7C90DDD3 1 Byte [C3]
.text D:\61n08p1b.exe[3244] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 00152910; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3520] ntdll.dll!NtQueryDirectoryFile 7C90D76E 6 Bytes PUSH 03DD2180; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3520] ntdll.dll!NtResumeThread 7C90DB3E 6 Bytes PUSH 03DD26B0; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3520] ntdll.dll!NtSetValueKey 7C90DDCE 6 Bytes PUSH 03DD2970; RET
.text D:\Program Files\ATI Technologies\ATI.ACE\Core-Static\ccc.exe[3520] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 6 Bytes PUSH 03DD2910; RET

---- Processes - GMER 2.1 ----

Library F:\Viewer.exe (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00400000
Library F:\TsiDisp.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x10000000
Library F:\TsiTools.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x1E000000
Library F:\MFC71.DLL (*** hidden *** ) @ F:\Viewer.exe [3208] 0x7C140000
Library F:\MSVCR71.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x7C340000
Library F:\TsiImage.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x18000000
Library F:\TsiDicom.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x16000000
Library F:\TsiNet.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x20000000
Library F:\TsiLang.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00460000
Library F:\TsiSys.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00480000
Library F:\TsiXML.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00490000
Library F:\TsiDIP.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x004A0000
Library F:\TsiMath.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x004D0000
Library F:\TsiDcmDraw.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x004E0000
Library F:\Dynamit.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x11000000
Library F:\TsiRes.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x1F000000
Library F:\TsiCtrl.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x004F0000
Library F:\TsiRDBMS.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00520000
Library F:\TsiDispDAL.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00530000
Library F:\TsiHP.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00540000
Library F:\TsiGSPS.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00550000
Library F:\TsiMSCadReader.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x005D0000
Library F:\TsiTasks.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x005E0000
Library F:\TsiDlg.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x005F0000
Library F:\TsiScreen.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00600000
Library F:\TsiSettings.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00610000
Library F:\TsiEvent.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00630000
Library F:\Tsi3D.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00660000
Library F:\TsiMpr.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00680000
Library F:\TsiMip.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x006A0000
Library F:\TsiXport.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x006C0000
Library F:\TsiView.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x006E0000
Library F:\TsiXmlXerces.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x00780000
Library F:\xerces-c_2_7.dll (*** hidden *** ) @ F:\Viewer.exe [3208] 0x12000000

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\6F949E36CB3004C50CF18C3B9B1A1EE8@P_9}(9\x81\5 \4j\5\fďä\0ú.0}\x2dd/0}\xa0o9}`8\x81\5X_9}\xa0\6 02:\SOFTWARE\Microsoft\Windows\CurrentVersion\SideBySide\Installations\x86_policy.8.0.Microsoft.VC80.CRT_1fc8b3b9a1e18e3b_8.0.50727.42_xJ????@??????????MZ??????????????

---- EOF - GMER 2.1 ----