GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-04 22:08:40
Windows 5.1.2600 Dodatek Service Pack 3
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541612J9SA00 rev.SBDOC7KP
Running: mzkrgmtw.exe; Driver: C:\DOCUME~1\admin\USTAWI~1\Temp\pwddypog.sys


---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!NtClose  7C90CFEE 5 Bytes  JMP 1001CE40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 10025680 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!LdrUnloadDll  7C91738B 5 Bytes  JMP 1001CF60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\winlogon.exe[244] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 100226F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\winlogon.exe[244] kernel32.dll!CreateProcessA  7C80236B 5 Bytes  JMP 10023280 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\winlogon.exe[244] ADVAPI32.dll!CreateProcessAsUserW  77DDA8A9 5 Bytes  JMP 10021220 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\winlogon.exe[244] ADVAPI32.dll!CreateProcessAsUserA  77E00CE8 5 Bytes  JMP 10021B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\winlogon.exe[244] USER32.dll!EndTask  7E3AA0A5 5 Bytes  JMP 1002DF90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\services.exe[288] ntdll.dll!NtClose  7C90CFEE 5 Bytes  JMP 1001CE40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\services.exe[288] ntdll.dll!NtReplyWaitReceivePort  7C90DA8E 5 Bytes  JMP 10028AC0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\services.exe[288] ntdll.dll!NtReplyWaitReceivePortEx  7C90DA9E 5 Bytes  JMP 10028860 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\services.exe[288] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 10025680 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\services.exe[288] ntdll.dll!LdrUnloadDll  7C91738B 5 Bytes  JMP 1001CF60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\services.exe[288] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 100226F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\services.exe[288] kernel32.dll!CreateProcessA  7C80236B 5 Bytes  JMP 10023280 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\services.exe[288] ADVAPI32.dll!CreateProcessAsUserW  77DDA8A9 5 Bytes  JMP 10021220 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\services.exe[288] ADVAPI32.dll!CreateProcessAsUserA  77E00CE8 5 Bytes  JMP 10021B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\services.exe[288] USER32.dll!EndTask  7E3AA0A5 5 Bytes  JMP 1002DF90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\lsass.exe[300] ntdll.dll!NtClose  7C90CFEE 5 Bytes  JMP 1001CE40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\lsass.exe[300] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 10025680 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\lsass.exe[300] ntdll.dll!LdrUnloadDll  7C91738B 5 Bytes  JMP 1001CF60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\lsass.exe[300] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 100226F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\lsass.exe[300] kernel32.dll!CreateProcessA  7C80236B 5 Bytes  JMP 10023280 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\lsass.exe[300] ADVAPI32.dll!CreateProcessAsUserW  77DDA8A9 5 Bytes  JMP 10021220 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\lsass.exe[300] ADVAPI32.dll!CreateProcessAsUserA  77E00CE8 5 Bytes  JMP 10021B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\lsass.exe[300] USER32.dll!EndTask  7E3AA0A5 5 Bytes  JMP 1002DF90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\lsass.exe[300] ole32.dll!CoCreateInstanceEx  774EF154 5 Bytes  JMP 1002E410 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\lsass.exe[300] ole32.dll!CoGetClassObject  775051F5 5 Bytes  JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!NtClose  7C90CFEE 5 Bytes  JMP 1001CE40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 10025680 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!LdrUnloadDll  7C91738B 5 Bytes  JMP 1001CF60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 100226F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!CreateProcessA  7C80236B 5 Bytes  JMP 10023280 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!CreateProcessAsUserW  77DDA8A9 5 Bytes  JMP 10021220 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[456] ADVAPI32.dll!CreateProcessAsUserA  77E00CE8 5 Bytes  JMP 10021B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[456] USER32.dll!EndTask  7E3AA0A5 5 Bytes  JMP 1002DF90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[456] ole32.dll!CoCreateInstanceEx  774EF154 5 Bytes  JMP 1002E410 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[456] ole32.dll!CoGetClassObject  775051F5 5 Bytes  JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!NtClose  7C90CFEE 5 Bytes  JMP 1001CE40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 10025680 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[540] ntdll.dll!LdrUnloadDll  7C91738B 5 Bytes  JMP 1001CF60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 100226F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[540] kernel32.dll!CreateProcessA  7C80236B 5 Bytes  JMP 10023280 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!CreateProcessAsUserW  77DDA8A9 5 Bytes  JMP 10021220 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[540] ADVAPI32.dll!CreateProcessAsUserA  77E00CE8 5 Bytes  JMP 10021B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[540] USER32.dll!EndTask  7E3AA0A5 5 Bytes  JMP 1002DF90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[540] ole32.dll!CoCreateInstanceEx  774EF154 5 Bytes  JMP 1002E410 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[540] ole32.dll!CoGetClassObject  775051F5 5 Bytes  JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[572] ntdll.dll!NtClose  7C90CFEE 5 Bytes  JMP 1001CE40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[572] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 10025680 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[572] ntdll.dll!LdrUnloadDll  7C91738B 5 Bytes  JMP 1001CF60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 100226F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[572] kernel32.dll!CreateProcessA  7C80236B 5 Bytes  JMP 10023280 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[572] ADVAPI32.dll!CreateProcessAsUserW  77DDA8A9 5 Bytes  JMP 10021220 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[572] ADVAPI32.dll!CreateProcessAsUserA  77E00CE8 5 Bytes  JMP 10021B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[572] USER32.dll!EndTask  7E3AA0A5 5 Bytes  JMP 1002DF90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[572] ole32.dll!CoCreateInstanceEx  774EF154 5 Bytes  JMP 1002E410 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\svchost.exe[572] ole32.dll!CoGetClassObject  775051F5 5 Bytes  JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\userinit.exe[756] ntdll.dll!NtClose  7C90CFEE 5 Bytes  JMP 1001CE40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\userinit.exe[756] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 10025680 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\userinit.exe[756] ntdll.dll!LdrUnloadDll  7C91738B 5 Bytes  JMP 1001CF60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\userinit.exe[756] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 100226F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\userinit.exe[756] kernel32.dll!CreateProcessA  7C80236B 5 Bytes  JMP 10023280 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\userinit.exe[756] USER32.dll!EndTask  7E3AA0A5 5 Bytes  JMP 1002DF90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\userinit.exe[756] ADVAPI32.dll!CreateProcessAsUserW  77DDA8A9 5 Bytes  JMP 10021220 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\userinit.exe[756] ADVAPI32.dll!CreateProcessAsUserA  77E00CE8 5 Bytes  JMP 10021B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\userinit.exe[756] ole32.dll!CoCreateInstanceEx  774EF154 5 Bytes  JMP 1002E410 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\userinit.exe[756] ole32.dll!CoGetClassObject  775051F5 5 Bytes  JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\Explorer.EXE[776] ntdll.dll!NtClose  7C90CFEE 5 Bytes  JMP 1001CE40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\Explorer.EXE[776] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 10025680 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\Explorer.EXE[776] ntdll.dll!LdrUnloadDll  7C91738B 5 Bytes  JMP 1001CF60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\Explorer.EXE[776] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 100226F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\Explorer.EXE[776] kernel32.dll!CreateProcessA  7C80236B 5 Bytes  JMP 10023280 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\Explorer.EXE[776] ADVAPI32.dll!CreateProcessAsUserW  77DDA8A9 5 Bytes  JMP 10021220 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\Explorer.EXE[776] ADVAPI32.dll!CreateProcessAsUserA  77E00CE8 5 Bytes  JMP 10021B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\Explorer.EXE[776] USER32.dll!EndTask  7E3AA0A5 5 Bytes  JMP 1002DF90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\Explorer.EXE[776] ole32.dll!CoCreateInstanceEx  774EF154 5 Bytes  JMP 1002E410 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\Explorer.EXE[776] ole32.dll!CoGetClassObject  775051F5 5 Bytes  JMP 1002E1D0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  E:\GoGo\mzkrgmtw.exe[864] ntdll.dll!NtClose  7C90CFEE 5 Bytes  JMP 1001CE40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  E:\GoGo\mzkrgmtw.exe[864] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 10025680 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  E:\GoGo\mzkrgmtw.exe[864] ntdll.dll!LdrUnloadDll  7C91738B 5 Bytes  JMP 1001CF60 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  E:\GoGo\mzkrgmtw.exe[864] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 100226F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  E:\GoGo\mzkrgmtw.exe[864] kernel32.dll!CreateProcessA  7C80236B 5 Bytes  JMP 10023280 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  E:\GoGo\mzkrgmtw.exe[864] ADVAPI32.dll!CreateProcessAsUserW  77DDA8A9 5 Bytes  JMP 10021220 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  E:\GoGo\mzkrgmtw.exe[864] ADVAPI32.dll!CreateProcessAsUserA  77E00CE8 5 Bytes  JMP 10021B50 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  E:\GoGo\mzkrgmtw.exe[864] USER32.dll!EndTask  7E3AA0A5 5 Bytes  JMP 1002DF90 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00106096afd2 (not active ControlSet)
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00106096afd2
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00106096afd2 (not active ControlSet)
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{951260C5-AFCA-93E2-7A44-1F04EED731DC}

---- Disk sectors - GMER 1.0.15 ----

Disk  \Device\Harddisk0\DR0  malicious Win32:MBRoot code @ sector 234420483
Disk  \Device\Harddisk0\DR0  PE file @ sector 234420505

---- EOF - GMER 1.0.15 ----
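Triage of a log like this one comes down to two questions: which module owns every inline JMP hook in the "User code sections" block, and what the "Disk sectors" findings point at. The Python below is an added example, not part of GMER or of the log above. It parses the two GMER line formats, splits hooks into those owned by an analyst-supplied allow-list of known security-product modules and everything else, and converts the flagged sector numbers into byte offsets and distance from the end of the disk. Assumptions, all labelled in the code: the sample input is a constructed excerpt of the log lines on this page; sectors are 512 bytes (GMER prints LBA sector numbers and does not state the sector size); the drive's total sector count of 234,441,648 is the standard figure for a 120 GB drive and is not reported in the log; the allow-list path is the analyst's own choice.

```python
"""Triage helper for GMER 1.0.15 text logs (added example; not GMER's own code)."""
import re
from collections import defaultdict

# Constructed sample: an excerpt of the log lines on this page, not a full scan.
SAMPLE_LOG = r"""
---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\winlogon.exe[244] ntdll.dll!NtClose  7C90CFEE 5 Bytes  JMP 1001CE40 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  C:\WINDOWS\system32\lsass.exe[300] ole32.dll!CoCreateInstanceEx  774EF154 5 Bytes  JMP 1002E410 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)
.text  E:\GoGo\mzkrgmtw.exe[864] kernel32.dll!CreateProcessW  7C802336 5 Bytes  JMP 100226F0 C:\WINDOWS\system32\guard32.dll (COMODO Internet Security/COMODO)

---- Disk sectors - GMER 1.0.15 ----

Disk  \Device\Harddisk0\DR0  malicious Win32:MBRoot code @ sector 234420483
Disk  \Device\Harddisk0\DR0  PE file @ sector 234420505

---- EOF - GMER 1.0.15 ----
"""

# One GMER user-mode hook entry: ".text <process>[<pid>] <module>!<export> <addr> <n> Bytes JMP <target> <owner path> (<vendor>)"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<function>\S+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+"
    r"JMP\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<owner>\S+)"
    r"(?:\s+\((?P<vendor>[^)]*)\))?\s*$"
)
# One GMER disk-sector entry: "Disk <device> <finding> @ sector <n>"
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<finding>.+?)\s+@\s+sector\s+(?P<sector>\d+)\s*$")

# Assumptions (not stated in the log): 512-byte sectors; 234,441,648 total LBAs
# is the standard count for a 120 GB drive such as the Hitachi model named above.
SECTOR_SIZE = 512
ASSUMED_TOTAL_SECTORS = 234_441_648


def parse_hooks(text):
    """Return one dict per inline hook line, with numeric fields converted."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"], h["size"] = int(h["pid"]), int(h["size"])
        h["address"], h["target"] = int(h["address"], 16), int(h["target"], 16)
        hooks.append(h)
    return hooks


def parse_disk_findings(text):
    """Return one dict per 'Disk ... @ sector N' line."""
    out = []
    for line in text.splitlines():
        m = DISK_RE.match(line.strip())
        if m:
            d = m.groupdict()
            d["sector"] = int(d["sector"])
            d["malicious"] = d["finding"].lower().startswith("malicious")
            out.append(d)
    return out


def classify_hooks(hooks, allowlist):
    """Split hooks into (expected, unattributed) by owner path, case-insensitively.
    Matching on path alone is a weak check: a module planted under an allow-listed
    name would pass, so confirm the file hash or signature before trusting it."""
    allowed = {p.lower() for p in allowlist}
    expected, unattributed = [], []
    for h in hooks:
        (expected if h["owner"].lower() in allowed else unattributed).append(h)
    return expected, unattributed


def hooks_by_owner(hooks):
    """Map each hooking module to the sorted set of (process, pid) it has hooked."""
    owners = defaultdict(set)
    for h in hooks:
        owners[h["owner"]].add((h["process"], h["pid"]))
    return {k: sorted(v) for k, v in owners.items()}


def sector_offset(sector, sector_size=SECTOR_SIZE):
    """Byte offset of an LBA sector, for seeking in a raw disk image."""
    return sector * sector_size


def sectors_from_end(sector, total_sectors=ASSUMED_TOTAL_SECTORS):
    """How close a flagged sector sits to the end of the disk (under the size assumption)."""
    return total_sectors - sector


def triage(text, allowlist, total_sectors=ASSUMED_TOTAL_SECTORS):
    """Summarise a GMER log: unattributed hooks plus every disk-sector finding."""
    hooks = parse_hooks(text)
    _, unattributed = classify_hooks(hooks, allowlist)
    findings = [
        dict(f, offset=sector_offset(f["sector"]), from_end=sectors_from_end(f["sector"], total_sectors))
        for f in parse_disk_findings(text)
    ]
    return {"hooks": len(hooks), "unattributed_hooks": unattributed,
            "disk_findings": findings, "malicious_sectors": [f["sector"] for f in findings if f["malicious"]]}


if __name__ == "__main__":
    # Analyst's allow-list (assumption): the COMODO user-mode module seen in the log.
    report = triage(SAMPLE_LOG, [r"C:\WINDOWS\system32\guard32.dll"])
    for owner, procs in hooks_by_owner(parse_hooks(SAMPLE_LOG)).items():
        print(f"{owner} hooks {len(procs)} process(es)")
    print(report)
```

On the full log above, every `.text` entry resolves to `C:\WINDOWS\system32\guard32.dll`, so with that one path allow-listed the unattributed list is empty and the hooks are explained by COMODO's user-mode interception. What remains to act on are the two `Disk` lines: under the 120 GB assumption the sector flagged as `malicious Win32:MBRoot code` lies 21,165 sectors from the end of the drive, and the `PE file` 22 sectors after it, which is where to seek in a raw image of `\Device\Harddisk0\DR0` to carve and hash the code GMER saw.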