GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-15 09:04:41
Windows 5.0.2195 Service Pack 4 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 ST380011A rev.8.01
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1.INF\USTAWI~1\Temp\pgtdrpog.sys


---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryExW] [781C7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryExW] [781C7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\GDI32.DLL [KERNEL32.dll!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [781C7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExA] [781C78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryExW] [781C7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHLWAPI.DLL [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryExW] [781C7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!LoadLibraryExW] [781C7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\OLE32.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\NETAPI32.DLL [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\WS2HELP.DLL [KERNEL32.DLL!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryExW] [781C7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USERENV.DLL [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryA] [781C7800] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExW] [781C7955] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!LoadLibraryExA] [781C78DE] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!FreeLibrary] [781C7A04] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eufs.sys (File System Filter Driver/CHENGDU YIWO Tech Development Co., Ltd)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 eubakup.sys (Disk Backup Driver/CHENGDU YIWO Tech Development Co., Ltd)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 eubakup.sys (Disk Backup Driver/CHENGDU YIWO Tech Development Co., Ltd)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 eubakup.sys (Disk Backup Driver/CHENGDU YIWO Tech Development Co., Ltd)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODI04.00.00.01PRO

---- EOF - GMER 1.0.15 ----
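The scan above is a flat text log, and the useful triage questions are "which module owns each IAT hook?" and "does every hooked import resolve to a single address?". The following is an added example, not GMER's code and not part of the posted log: a small Python parser that extracts the IAT, AttachedDevice and Reg records and applies those two checks. Its allow-list of expected hooking modules (C:\WINNT\system32\shim.dll and C:\WINNT\AppPatch\AcLayers.DLL, the two Microsoft application-compatibility modules the log itself names in its descriptions) is an assumption of this example. The LOG string is a constructed excerpt: its real entries are copied from the scan above, plus one made-up line pointing at a hypothetical unknown.dll so that the flagging path has something to flag. Matching on path alone is a triage aid only; it does not establish that the files on disk are the genuine Microsoft binaries, which is a separate hash or Authenticode check a practitioner would still run.

```python
"""Parse a GMER 1.0.15 text log and triage its user-mode IAT hooks.

Added example; not GMER's code and not part of the original scan log.
LOG below is a constructed excerpt: the real lines are copied from the
scan above, plus one made-up entry (unknown.dll) that exercises the
'unexpected hooking module' and 'inconsistent target' checks.
"""
import re
from collections import defaultdict

# IAT  <process>[<pid>] @ <module> [<import dll>!<function>] [<address>] <hooker> (<description>)
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<module>\S+)\s+"
    r"\[(?P<import_dll>[^!\]]+)!(?P<function>[^\]]+)\]\s+"
    r"\[(?P<address>[0-9A-Fa-f]+)\]\s+(?P<hooker>\S+)"
    r"(?:\s+\((?P<description>.*)\))?\s*$"
)
# AttachedDevice <target driver/object> <device> <filter driver> (<description>)
DEVICE_RE = re.compile(
    r"^AttachedDevice\s+(?P<target>\S+)\s+(?P<device>\S+)\s+(?P<driver>\S+)"
    r"(?:\s+\((?P<description>.*)\))?\s*$"
)
# Reg <key>[@<value name>] [<data>]
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+)(?:\s+(?P<data>.*))?$")


def parse_gmer(text):
    """Return {'iat': [...], 'devices': [...], 'registry': [...]} from a GMER log."""
    result = {"iat": [], "devices": [], "registry": []}
    for raw in text.splitlines():
        line = raw.strip()
        if m := IAT_RE.match(line):
            rec = m.groupdict()
            rec["pid"] = int(rec["pid"])
            result["iat"].append(rec)
        elif m := DEVICE_RE.match(line):
            result["devices"].append(m.groupdict())
        elif m := REG_RE.match(line):
            key, _, value = m.group("key").partition("@")
            result["registry"].append(
                {"key": key, "value": value or None, "data": m.group("data")}
            )
    return result


def hooks_by_module(iat_records):
    """Group the hooked function names by the module owning the replacement address."""
    grouped = defaultdict(set)
    for r in iat_records:
        grouped[r["hooker"].lower()].add(r["function"])
    return {k: sorted(v) for k, v in grouped.items()}


# Assumption of this example: the two modules the log describes as Microsoft's
# "Shim Engine DLL" and "Windows 2000 Shim Accessory DLL". Path matching is a
# triage aid only; verify the on-disk files (hash / Authenticode) separately.
EXPECTED_HOOKERS = {
    r"c:\winnt\system32\shim.dll",
    r"c:\winnt\apppatch\aclayers.dll",
}


def unexpected_hooks(iat_records, expected=EXPECTED_HOOKERS):
    """IAT records whose hooking module is not on the expected list."""
    return [r for r in iat_records if r["hooker"].lower() not in expected]


def inconsistent_targets(iat_records):
    """Functions whose IAT entries point at more than one address.

    A single hooking module installs one replacement per export, so the same
    function resolving to different addresses across importers means a second
    hook is present and deserves a look.
    """
    targets = defaultdict(set)
    for r in iat_records:
        targets[r["function"]].add(r["address"].upper())
    return {f: sorted(a) for f, a in targets.items() if len(a) > 1}


# Constructed excerpt: real lines from the scan above plus one made-up entry.
LOG = r"""
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-15 09:04:41
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\Explorer.EXE [KERNEL32.DLL!LoadLibraryW] [781C786F] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\ADVAPI32.DLL [KERNEL32.dll!CreateProcessA] [4AD84AE3] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!CreateProcessW] [4AD84C9A] C:\WINNT\AppPatch\AcLayers.DLL (Windows 2000 Shim Accessory DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [781C771E] C:\WINNT\system32\shim.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[404] @ C:\WINNT\system32\WS2_32.DLL [KERNEL32.DLL!GetProcAddress] [10001234] C:\WINNT\system32\unknown.dll (Constructed Example/Not From The Log)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs eufs.sys (File System Filter Driver/CHENGDU YIWO Tech Development Co., Ltd)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 eubakup.sys (Disk Backup Driver/CHENGDU YIWO Tech Development Co., Ltd)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODI04.00.00.01PRO
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    parsed = parse_gmer(LOG)
    for module, funcs in hooks_by_module(parsed["iat"]).items():
        print(f"{module}: {', '.join(funcs)}")
    for r in unexpected_hooks(parsed["iat"]):
        print(f"UNEXPECTED hooker {r['hooker']} on {r['module']} {r['function']}")
    for func, addrs in inconsistent_targets(parsed["iat"]).items():
        print(f"INCONSISTENT {func}: {' vs '.join(addrs)}")
```

Run against the full log rather than the excerpt, hooks_by_module should show only the two shim modules, unexpected_hooks should be empty and inconsistent_targets should be empty, since every hooked export in the scan resolves to one address regardless of which importer it is read from.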