GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-31 18:38:37
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1200BEVS-07LAT0 rev.01.06M01
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\kwlcipow.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Google\Chrome\Application\chrome.exe[404] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100597D0 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[404] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100594A0 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[404] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 100595D0 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[404] ntdll.dll!NtLockFile 7C90D49E 5 Bytes JMP 100596C0 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[404] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 10059420 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[404] ntdll.dll!NtQueryInformationFile 7C90D7CE 5 Bytes JMP 10039E20 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[404] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10039C90 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[404] ntdll.dll!NtSetInformationFile 7C90DC5E 5 Bytes JMP 10059640 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[404] ntdll.dll!NtUnlockFile 7C90DEEE 5 Bytes JMP 10059750 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[404] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 10059540 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100597D0 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100594A0 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 100595D0 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtLockFile 7C90D49E 5 Bytes JMP 100596C0 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 10059420 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtQueryInformationFile 7C90D7CE 5 Bytes JMP 10039E20 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10039C90 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtSetInformationFile 7C90DC5E 5 Bytes JMP 10059640 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtUnlockFile 7C90DEEE 5 Bytes JMP 10059750 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1468] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 10059540 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\WINDOWS\system32\svchost.exe[1472] USER32.dll!DialogBoxIndirectParamAorW 77D46896 5 Bytes [33, C0, C2, 18, 00] {XOR EAX, EAX; RET 0x18}
? C:\WINDOWS\system32\svchost.exe[1472] C:\WINDOWS\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dllunknown module: urlmon.dllunknown module: VERSION.dll
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1596] ntdll.dll!NtClose 7C90CFEE 5 Bytes JMP 100597D0 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1596] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 100594A0 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1596] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 100595D0 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1596] ntdll.dll!NtLockFile 7C90D49E 5 Bytes JMP 100596C0 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1596] ntdll.dll!NtOpenFile 7C90D59E 5 Bytes JMP 10059420 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1596] ntdll.dll!NtQueryInformationFile 7C90D7CE 5 Bytes JMP 10039E20 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1596] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 10039C90 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1596] ntdll.dll!NtSetInformationFile 7C90DC5E 5 Bytes JMP 10059640 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1596] ntdll.dll!NtUnlockFile 7C90DEEE 5 Bytes JMP 10059750 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)
.text C:\Program Files\Google\Chrome\Application\chrome.exe[1596] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 10059540 C:\PROGRA~1\SEARCH~1\Datamngr\datamngr.dll (Data Manager/Bandoo Media, inc)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Google\Chrome\Application\chrome.exe[1468] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002D0010
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtTerminateProcess] 68EC8B55
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtRaiseHardError] [003F5258] C:\WINDOWS\system32\smss.exe (Menedżer sesji Windows NT/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] E80C75FF
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] 000003BA
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlFreeHeap] 1E75C085
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] [3F526868] C:\WINDOWS\system32\mshtml.dll (Microsoft ® HTML Viewer/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] 0C75FF00
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAllocateHeap] 0003A9E8
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 75C08500
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!DbgPrintEx] [10458B0D] C:\WINDOWS\system32\Macromed\Flash\Flash32_11_3_300_268.ocx (Adobe Flash Player 11.3 r300/Adobe Systems, Inc.)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] B8002083
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] 80004002
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenFile] 458B14EB
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtClose] [104D8B08] C:\WINDOWS\system32\Macromed\Flash\Flash32_11_3_300_268.ocx (Adobe Flash Player 11.3 r300/Adobe Systems, Inc.)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!wcslen] C9330189
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!wcscpy] 4104C083
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] 08C10FF0
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreatePagingFile] C25DC033
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetInformationFile] 448B000C
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryInformationFile] 488D0424
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!DbgPrint] [40C03304] C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 01C10FF0
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!_allmul] 0004C240
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 24748B56
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] 468D5708
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] FFCF8304
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] 38C10FF0
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateAcl] 8509754F
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] E80574F6
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 00000184
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] 5E5FC78B
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] 550004C2
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryValueKey] 8B56EC8B
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!swprintf] FF570875
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenKey] 15FF2076
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetValueKey] [003F5144] C:\WINDOWS\system32\smss.exe (Menedżer sesji Windows NT/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreateKey] 00448D59
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreateFile] 2FE6E840
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtReadFile] FC8B0000
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!_chkstk] 682076FF
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!wcsstr] [003F51E0] C:\WINDOWS\system32\smss.exe (Menedżer sesji Windows NT/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!_wcsupr] 4015FF57
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] 83003F51
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] 448D0CC4
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] FF500200
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!wcsncpy] [3F51AC15] C:\WINDOWS\system32\mshtml.dll (Microsoft ® HTML Viewer/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] 85F08B00
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlInitAnsiString] 570A74F6
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!_stricmp] 3C15FF56
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreateSection] 59003F51
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksum] 18458B59
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] C0333089
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 5FF8658D
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!LdrUnloadDll] 14C25D5E
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!LdrGetProcedureAddress] 08668300
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlInitString] 1C4E8300
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!LdrLoadDll] 204E83FF
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] 384689FF
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlEqualString] 0424448B
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!memmove] 8D344689
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!_wcsicmp] C7502C46
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] [3F521806] C:\WINDOWS\system32\mshtml.dll (Microsoft ® HTML Viewer/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 0C46C700
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] [003F5224] C:\WINDOWS\system32\smss.exe (Menedżer sesji Windows NT/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] 301046C7
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] C7003F52
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 523C1446
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 46C7003F
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtResumeThread] [3F524818] C:\WINDOWS\system32\mshtml.dll (Microsoft ® HTML Viewer/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] 0446C700
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] 00000001
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateProcessParameters] 114B00C7
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] 15FF003F
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] [003F5160] C:\WINDOWS\system32\smss.exe (Menedżer sesji Windows NT/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 00010468
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtDisplayString] 30006800
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!sprintf] 00680000
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtDuplicateObject] 6A000010
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlLengthSid] 5C15FF00
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlGetAce] 83003F50
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 89002866
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] C68B2446
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] FF0004C2
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] [3F516815] C:\WINDOWS\system32\mshtml.dll (Microsoft ® HTML Viewer/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] 810BEB00
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlFindMessage] 3F114B38
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetEvent] 8B087400
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetSystemInformation] C0850440
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreateEvent] 83C3F175
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlLeaveCriticalSection] 51C3D4C0
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlEnterCriticalSection] 0475C985
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!wcscat] C359C033
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] 81328B56
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtDelayExecution] 000001FE
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 81227480
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 000004FE
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtDeleteValueKey] 8D747580
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] 50042444
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateUserThread] 00010468
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreatePort] [10006800] C:\WINDOWS\system32\Macromed\Flash\Flash32_11_3_300_268.ocx (Adobe Flash Player 11.3 r300/Adobe Systems, Inc.)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlInitializeCriticalSection] 71FF0000
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetInformationProcess] 5815FF24
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] EB003F50
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetInformationThread] [107A8355] C:\WINDOWS\system32\Macromed\Flash\Flash32_11_3_300_268.ocx (Adobe Flash Player 11.3 r300/Adobe Systems, Inc.)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryInformationToken] 8B547601
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenThreadToken] D68B1872
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtImpersonateClientOfPort] 8124512B
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtConnectPort] 001000FA
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCompleteConnectPort] 8B447300
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtAcceptConnectPort] 8D570851
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenProcess] EA83017A
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtReplyWaitReceivePort] 08798900
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlExitUserThread] 4A19745F
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtReplyPort] 744A0F74
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] [40C03305] C:\WINDOWS\system32\ieframe.dll (Internet Explorer/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] 418B2BEB
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] EB068934
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] 38498B1D
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtAdjustPrivilegesToken] 06EB0E89
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenProcessToken] 040006C7
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] 08810000
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlUnwind] 00010010
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryVirtualMemory] 00C08881
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!DbgBreakPoint] 01000000
IAT C:\WINDOWS\system32\svchost.exe[1472] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] C8830000

---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\n (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1036] 0x45670000

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] kvskxiuwc <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] phjbnl <-- ROOTKIT !!!
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] wesmkuczi <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\kvskxiuwc@DisplayName gtwqoax
Reg HKLM\SYSTEM\CurrentControlSet\Services\kvskxiuwc@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\kvskxiuwc@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\kvskxiuwc@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\kvskxiuwc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\kvskxiuwc@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\kvskxiuwc@Description Allow protected access to routing table
Reg HKLM\SYSTEM\CurrentControlSet\Services\kvskxiuwc\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\kvskxiuwc\Parameters@ServiceDll C:\WINDOWS\system32\mehxrdwn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\phjbnl@DisplayName Update Manager
Reg HKLM\SYSTEM\CurrentControlSet\Services\phjbnl@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\phjbnl@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\phjbnl@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\phjbnl@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\phjbnl@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\phjbnl@Description Zarządza konfiguracją sieci poprzez rejestrację i aktualizację adresów IP i nazw DNS.
Reg HKLM\SYSTEM\CurrentControlSet\Services\phjbnl\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\phjbnl\Parameters@ServiceDll C:\WINDOWS\system32\mehxrdwn.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\wesmkuczi@DisplayName Universal Microsoft
Reg HKLM\SYSTEM\CurrentControlSet\Services\wesmkuczi@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\wesmkuczi@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\wesmkuczi@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\wesmkuczi@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\wesmkuczi@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\wesmkuczi@Description Allow protected access to routing table
Reg HKLM\SYSTEM\CurrentControlSet\Services\wesmkuczi\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\wesmkuczi\Parameters@ServiceDll C:\WINDOWS\system32\mehxrdwn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\kvskxiuwc@DisplayName gtwqoax
Reg HKLM\SYSTEM\ControlSet003\Services\kvskxiuwc@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\kvskxiuwc@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\kvskxiuwc@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\kvskxiuwc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\kvskxiuwc@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\kvskxiuwc@Description Allow protected access to routing table
Reg HKLM\SYSTEM\ControlSet003\Services\kvskxiuwc\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\kvskxiuwc\Parameters@ServiceDll C:\WINDOWS\system32\mehxrdwn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\phjbnl@DisplayName Update Manager
Reg HKLM\SYSTEM\ControlSet003\Services\phjbnl@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\phjbnl@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\phjbnl@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\phjbnl@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\phjbnl@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\phjbnl@Description Zarządza konfiguracją sieci poprzez rejestrację i aktualizację adresów IP i nazw DNS.
Reg HKLM\SYSTEM\ControlSet003\Services\phjbnl\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\phjbnl\Parameters@ServiceDll C:\WINDOWS\system32\mehxrdwn.dll
Reg HKLM\SYSTEM\ControlSet003\Services\wesmkuczi@DisplayName Universal Microsoft
Reg HKLM\SYSTEM\ControlSet003\Services\wesmkuczi@Type 32
Reg HKLM\SYSTEM\ControlSet003\Services\wesmkuczi@Start 2
Reg HKLM\SYSTEM\ControlSet003\Services\wesmkuczi@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet003\Services\wesmkuczi@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet003\Services\wesmkuczi@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet003\Services\wesmkuczi@Description Allow protected access to routing table
Reg HKLM\SYSTEM\ControlSet003\Services\wesmkuczi\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\wesmkuczi\Parameters@ServiceDll C:\WINDOWS\system32\mehxrdwn.dll

---- EOF - GMER 1.0.15 ----