GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-15 09:27:56
Windows 5.1.2600 Service Pack 3
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ExcelStor_Technology_J640 rev.V31OA60A
Running: g901531n.exe; Driver: C:\DOCUME~1\admin\USTAWI~1\Temp\uwliapob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB11496AE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB1127A96]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB1127D5E]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB114A04C]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB114A3D6]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB11488EC]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB114A91A]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB1149A50]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB1127506]

Code \??\C:\DOCUME~1\admin\USTAWI~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

? C:\DOCUME~1\admin\USTAWI~1\Temp\mbr.sys The system cannot find the file specified. !
? C:\DOCUME~1\admin\USTAWI~1\Temp\catchme.sys The system cannot find the file specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009E0001
.text C:\WINDOWS\system32\svchost.exe[208] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00B00001
.text C:\WINDOWS\system32\cidaemon.exe[236] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00E90001
.text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 006A0001
.text C:\WINDOWS\system32\cisvc.exe[344] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00DA0001
.text ...
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\WINDOWS\system32\spoolsv.exe[1504] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BF0001
.text C:\WINDOWS\System32\SCardSvr.exe[1544] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00720001
.text C:\WINDOWS\system32\wdfmgr.exe[1672] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00680001
.text C:\WINDOWS\system32\ctfmon.exe[1736] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00D30001
.text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1744] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01380001
.text ...
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010
IAT C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device \Driver\PCTSDInjDriver32 \Device\PCTSDInjDriver32 PCTSDInj32.sys (UM Injection Driver/PC Tools)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0018e408b597
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0018e408b597 (not active ControlSet)

---- EOF - GMER 1.0.15 ----
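A log like the one above is easier to triage once it is machine-readable: which kernel hooks GMER could attribute to a named driver, which user-mode patches sit in which process, and which pairs of `.text` entries belong to one modified stub. The Python script below is an added example written for this page; it is not part of the original post and not GMER's own code. It parses SSDT, `.text` and IAT entries copied from this log (embedded as constructed sample input), groups kernel hooks by the driver GMER named and user-mode patches by image and PID, and pairs the `+ 6 4 Bytes` patch with the `+ B 1 Byte [E2]` patch on the same ntdll stub. That pairing rests on an assumption about the 32-bit XP SP3 ntdll stub layout (`mov eax,N; mov edx,7FFE0300h; call [edx]; ret`): bytes 6..9 hold the `mov edx` immediate, and `E2` at offset 0xB turns `FF 12` (`call [edx]`) into `FF E2` (`jmp edx`), so the stub jumps to whatever replaced the immediate. Where GMER already rendered the four-byte patch as `CALL xxxxxxxx`, that address is taken at face value as the redirect target. The script only organises the evidence; deciding whether the chrome.exe patches or the repeated `LoadLibraryExW + C4` patch are benign is left to the analyst.

```python
# Added example: triage a GMER 1.0.15 log (hooks by owner, paired syscall-stub patches).
import re
from collections import defaultdict

# Constructed sample input: entries copied from the GMER log above, one per line.
SAMPLE_LOG = r"""
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB11496AE]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB1127506]
.text C:\WINDOWS\system32\svchost.exe[180] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 009E0001
.text C:\WINDOWS\system32\spoolsv.exe[1504] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00BF0001
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
IAT C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1440] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002C0010
"""

HEX = r"[0-9A-Fa-f]"
SSDT_RE = re.compile(rf"^SSDT\s+(?P<driver>\S+)\s+\((?P<owner>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<handler>{HEX}+)\]$")
TEXT_RE = re.compile(rf"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)!(?P<func>\w+)\s+\+\s+"
                     rf"(?P<off>{HEX}+)\s+(?P<addr>{HEX}{{8}})\s+(?P<n>\d+)\s+Bytes?\s+(?P<patch>.+)$")
IAT_RE = re.compile(rf"^IAT\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<caller>.+?)\s+"
                    rf"\[(?P<module>[^!\]]+)!(?P<func>\w+)\]\s+(?P<target>{HEX}{{8}})$")


def _patch(text):
    """Decode GMER's patch column: '[28, 00, 16, 00]' -> raw bytes, 'CALL 7B90EC1A' -> branch target."""
    if m := re.fullmatch(r"\[([0-9A-Fa-f ,]+)\]", text):
        return {"bytes": [int(b, 16) for b in m[1].split(",")]}
    if m := re.fullmatch(rf"(CALL|JMP)\s+({HEX}{{8}})", text):
        return {"branch": m[1], "target": int(m[2], 16)}
    return {"raw": text}


def _base(path):
    return path.rsplit("\\", 1)[-1]


def parse_gmer(text):
    """One dict per SSDT / .text / IAT entry; headers and '.text ...' elisions are skipped."""
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if m := SSDT_RE.match(line):
            entries.append({"kind": "SSDT", "driver": _base(m["driver"]), "owner": m["owner"],
                            "func": m["func"], "handler": int(m["handler"], 16)})
        elif m := TEXT_RE.match(line):
            e = {"kind": "text", "image": _base(m["image"]), "pid": int(m["pid"]), "module": m["module"],
                 "func": m["func"], "off": int(m["off"], 16), "addr": int(m["addr"], 16), "n": int(m["n"])}
            entries.append({**e, **_patch(m["patch"])})
        elif m := IAT_RE.match(line):
            entries.append({"kind": "IAT", "image": _base(m["image"]), "pid": int(m["pid"]),
                            "caller": _base(m["caller"]), "module": m["module"], "func": m["func"],
                            "target": int(m["target"], 16)})
    return entries


def hook_summary(entries):
    """SSDT hooks grouped by the driver GMER attributed them to; user-mode hooks grouped by (image, pid)."""
    ssdt, user = defaultdict(list), defaultdict(set)
    for e in entries:
        if e["kind"] == "SSDT":
            ssdt[e["driver"]].append(e["func"])
        else:
            user[(e["image"], e["pid"])].add(f'{e["module"]}!{e["func"]}')
    return dict(ssdt), {k: sorted(v) for k, v in user.items()}


def syscall_redirects(entries):
    """Pair the '+ 6 4 Bytes' and '+ B 1 Byte [E2]' patches GMER reports on one ntdll stub.

    ASSUMPTION (32-bit XP SP3 stub): mov eax,N / mov edx,7FFE0300h / call [edx] / ret.
    Bytes 6..9 are the mov-edx immediate; E2 at 0xB turns FF 12 (call [edx]) into FF E2 (jmp edx),
    so the stub now jumps to whatever replaced the immediate. Returns {(pid, func): target}.
    """
    by_stub = defaultdict(dict)
    for e in entries:
        if e["kind"] == "text" and e["module"].lower() == "ntdll.dll":
            by_stub[(e["pid"], e["func"])][e["off"]] = e  # a later '4 Bytes' entry overrides a '1 Byte' one
    out = {}
    for key, offs in by_stub.items():
        head, tail = offs.get(0x6), offs.get(0xB)
        if not head or not tail or tail.get("bytes") != [0xE2]:
            continue
        if len(head.get("bytes", [])) == 4:
            out[key] = int.from_bytes(bytes(head["bytes"]), "little")
        elif "target" in head:  # GMER already rendered the operand as CALL xxxxxxxx
            out[key] = head["target"]
    return out


def processes_with_patch(entries, module, func, off):
    """Which processes carry the same inline patch, e.g. kernel32!LoadLibraryExW + C4 in this log."""
    return sorted({(e["image"], e["pid"]) for e in entries if e["kind"] == "text"
                   and e["module"].lower() == module.lower() and e["func"] == func and e["off"] == off})


if __name__ == "__main__":
    ents = parse_gmer(SAMPLE_LOG)
    ssdt, user = hook_summary(ents)
    for drv, funcs in ssdt.items():
        print(f"SSDT hooks attributed to {drv}: {', '.join(funcs)}")
    for (img, pid), funcs in user.items():
        print(f"{img}[{pid}] user-mode hooks: {', '.join(funcs)}")
    for (pid, func), target in syscall_redirects(ents).items():
        print(f"pid {pid}: ntdll!{func} stub now jumps to {target:08X}")
    print("LoadLibraryExW+C4 patched in:", processes_with_patch(ents, "kernel32.dll", "LoadLibraryExW", 0xC4))
```

Run it against the full log by replacing `SAMPLE_LOG` with the file contents; the `.text ...` elision lines and section headers are ignored. Entries whose patch column has a form the script does not recognise are kept with a `raw` field rather than dropped, so nothing in the log silently disappears from the summary.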