GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-03-28 21:51:47 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340014A rev.3.06 Running: gmer.exe; Driver: C:\DOCUME~1\Dom\USTAWI~1\Temp\uwayyaob.sys ---- Kernel code sections - GMER 1.0.15 ---- .text atapi.sys F847E852 1 Byte [CC] {INT 3 } init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF820F870] ? C:\WINDOWS\system32\Drivers\mchInjDrv.sys Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[200] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[200] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [0B, 5F] .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[200] KERNEL32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[200] KERNEL32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[200] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\WINDOWS\Tray\wintmr.exe[276] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Tray\wintmr.exe[276] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [0B, 5F] .text C:\WINDOWS\Tray\wintmr.exe[276] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\WINDOWS\Tray\wintmr.exe[276] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A .text C:\WINDOWS\Tray\wintmr.exe[276] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\WINDOWS\System32\alg.exe[372] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\WINDOWS\system32\Ati2evxx.exe[968] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\WINDOWS\Explorer.EXE[1092] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[1092] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [0B, 5F] .text C:\WINDOWS\Explorer.EXE[1092] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\WINDOWS\Explorer.EXE[1092] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A .text C:\WINDOWS\Explorer.EXE[1092] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F120F5A .text C:\WINDOWS\Explorer.EXE[1092] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0F0F5A .text C:\WINDOWS\Explorer.EXE[1092] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\WINDOWS\Explorer.EXE[1092] kernel32.dll!WinExec 7C86250D 6 Bytes JMP 5F150F5A .text C:\WINDOWS\Explorer.EXE[1092] USER32.dll!ExitWindowsEx 7E3AA275 6 Bytes JMP 5F180F5A .text C:\WINDOWS\system32\wscntfy.exe[1940] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\wscntfy.exe[1940] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\wscntfy.exe[1940] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\wscntfy.exe[1940] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\wscntfy.exe[1940] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\WINDOWS\system32\cc32\webtmr.exe[2044] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\system32\cc32\webtmr.exe[2044] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [0B, 5F] .text C:\WINDOWS\system32\cc32\webtmr.exe[2044] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\WINDOWS\system32\cc32\webtmr.exe[2044] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A .text C:\WINDOWS\system32\cc32\webtmr.exe[2044] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\DOCUME~1\Dom\USTAWI~1\Temp\Rar$EX00.453\gmer.exe[2164] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\DOCUME~1\Dom\USTAWI~1\Temp\Rar$EX00.453\gmer.exe[2164] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [0B, 5F] .text C:\DOCUME~1\Dom\USTAWI~1\Temp\Rar$EX00.453\gmer.exe[2164] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\DOCUME~1\Dom\USTAWI~1\Temp\Rar$EX00.453\gmer.exe[2164] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A .text C:\DOCUME~1\Dom\USTAWI~1\Temp\Rar$EX00.453\gmer.exe[2164] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2736] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2736] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [0B, 5F] .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2736] KERNEL32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2736] KERNEL32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2736] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2744] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2744] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [0B, 5F] .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2744] KERNEL32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2744] KERNEL32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A .text C:\Program Files\ATI Technologies\ATI.ACE\cli.exe[2744] KERNEL32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\Documents and Settings\Dom\Moje dokumenty\Pobieranie\OTL.exe[3172] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobieranie\OTL.exe[3172] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [0B, 5F] .text C:\Documents and Settings\Dom\Moje dokumenty\Pobieranie\OTL.exe[3172] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\Documents and Settings\Dom\Moje dokumenty\Pobieranie\OTL.exe[3172] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A .text C:\Documents and Settings\Dom\Moje dokumenty\Pobieranie\OTL.exe[3172] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D .text C:\Program Files\Gadu-Gadu 10\gg.exe[3608] ntdll.dll!NtSuspendProcess 7C90DE2E 3 Bytes [FF, 25, 1E] .text C:\Program Files\Gadu-Gadu 10\gg.exe[3608] ntdll.dll!NtSuspendProcess + 4 7C90DE32 2 Bytes [0B, 5F] .text C:\Program Files\Gadu-Gadu 10\gg.exe[3608] kernel32.dll!LoadLibraryExW 7C801AF5 6 Bytes JMP 5F070F5A .text C:\Program Files\Gadu-Gadu 10\gg.exe[3608] kernel32.dll!TerminateProcess 7C801E1A 6 Bytes JMP 5F040F5A .text C:\Program Files\Gadu-Gadu 10\gg.exe[3608] kernel32.dll!FreeLibrary + 15 7C80AC93 4 Bytes CALL 7170003D