GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-20 21:08:11
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\00000062 WDC_WD50 rev.01.0
Running: 0j5rygen.exe; Driver: C:\Users\Mariola\AppData\Local\Temp\fxdiifod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text  C:\Windows\system32\DRIVERS\nvlddmkm.sys  section is writeable [0x8DA0D340, 0x3EB347, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtCreateFile + 6  771F7C7E 4 Bytes  [28, 1C, 6F, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtCreateFile + B  771F7C83 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtMapViewOfSection + 6  771F83CE 4 Bytes  [28, 1F, 6F, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtMapViewOfSection + B  771F83D3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtOpenFile + 6  771F845E 4 Bytes  [68, 1C, 6F, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtOpenFile + B  771F8463 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtOpenProcess + 6  771F84DE 4 Bytes  [A8, 1D, 6F, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtOpenProcess + B  771F84E3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtOpenProcessToken + B  771F84F3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtOpenProcessTokenEx + 6  771F84FE 4 Bytes  [A8, 1E, 6F, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtOpenProcessTokenEx + B  771F8503 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtOpenThread + 6  771F854E 4 Bytes  [68, 1D, 6F, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtOpenThread + B  771F8553 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtOpenThreadToken + 6  771F855E 4 Bytes  [68, 1E, 6F, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtOpenThreadToken + B  771F8563 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtOpenThreadTokenEx + B  771F8573 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtQueryAttributesFile + 6  771F85FE 4 Bytes  [A8, 1C, 6F, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtQueryAttributesFile + B  771F8603 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtQueryFullAttributesFile + B  771F86B3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtSetInformationFile + 6  771F8B8E 4 Bytes  [28, 1D, 6F, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtSetInformationFile + B  771F8B93 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtSetInformationThread + 6  771F8BDE 4 Bytes  [28, 1E, 6F, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtSetInformationThread + B  771F8BE3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtUnmapViewOfSection + 6  771F8E7E 4 Bytes  [68, 1F, 6F, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] ntdll.dll!NtUnmapViewOfSection + B  771F8E83 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtCreateFile + 6  771F7C7E 4 Bytes  [28, 80, 34, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtCreateFile + B  771F7C83 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtMapViewOfSection + 6  771F83CE 4 Bytes  [28, 83, 34, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtMapViewOfSection + B  771F83D3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenFile + 6  771F845E 4 Bytes  [68, 80, 34, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenFile + B  771F8463 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenProcess + 6  771F84DE 4 Bytes  [A8, 81, 34, 00] {TEST AL, 0x81; XOR AL, 0x0}
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenProcess + B  771F84E3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenProcessToken + B  771F84F3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenProcessTokenEx + 6  771F84FE 4 Bytes  [A8, 82, 34, 00] {TEST AL, 0x82; XOR AL, 0x0}
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenProcessTokenEx + B  771F8503 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenThread + 6  771F854E 4 Bytes  [68, 81, 34, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenThread + B  771F8553 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenThreadToken + 6  771F855E 4 Bytes  [68, 82, 34, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenThreadToken + B  771F8563 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtOpenThreadTokenEx + B  771F8573 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtQueryAttributesFile + 6  771F85FE 4 Bytes  [A8, 80, 34, 00] {TEST AL, 0x80; XOR AL, 0x0}
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtQueryAttributesFile + B  771F8603 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtQueryFullAttributesFile + B  771F86B3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtSetInformationFile + 6  771F8B8E 4 Bytes  [28, 81, 34, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtSetInformationFile + B  771F8B93 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtSetInformationThread + 6  771F8BDE 4 Bytes  [28, 82, 34, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtSetInformationThread + B  771F8BE3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtUnmapViewOfSection + 6  771F8E7E 4 Bytes  [68, 83, 34, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] ntdll.dll!NtUnmapViewOfSection + B  771F8E83 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\{0D35A451-F5C2-1DA8-B1AD-95D2916F5562}\syshost.exe[3780] ntdll.dll!NtQueryVirtualMemory  771F8888 6 Bytes  JMP 01B9FFFF
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtCreateFile + 6  771F7C7E 4 Bytes  [28, D4, 83, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtCreateFile + B  771F7C83 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtMapViewOfSection + 6  771F83CE 4 Bytes  [28, D7, 83, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtMapViewOfSection + B  771F83D3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenFile + 6  771F845E 4 Bytes  [68, D4, 83, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenFile + B  771F8463 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenProcess + 6  771F84DE 4 Bytes  [A8, D5, 83, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenProcess + B  771F84E3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenProcessToken + 6  771F84EE 4 Bytes  CALL 762008C8 C:\Windows\system32\ole32.dll (Microsoft OLE for Windows/Microsoft Corporation)
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenProcessToken + B  771F84F3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenProcessTokenEx + 6  771F84FE 4 Bytes  [A8, D6, 83, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenProcessTokenEx + B  771F8503 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenThread + 6  771F854E 4 Bytes  [68, D5, 83, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenThread + B  771F8553 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenThreadToken + 6  771F855E 4 Bytes  [68, D6, 83, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenThreadToken + B  771F8563 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenThreadTokenEx + 6  771F856E 4 Bytes  CALL 76200949 C:\Windows\system32\ole32.dll (Microsoft OLE for Windows/Microsoft Corporation)
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtOpenThreadTokenEx + B  771F8573 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtQueryAttributesFile + 6  771F85FE 4 Bytes  [A8, D4, 83, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtQueryAttributesFile + B  771F8603 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtQueryFullAttributesFile + 6  771F86AE 4 Bytes  CALL 76200A87 C:\Windows\system32\ole32.dll (Microsoft OLE for Windows/Microsoft Corporation)
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtQueryFullAttributesFile + B  771F86B3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtSetInformationFile + 6  771F8B8E 4 Bytes  [28, D5, 83, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtSetInformationFile + B  771F8B93 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtSetInformationThread + 6  771F8BDE 4 Bytes  [28, D6, 83, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtSetInformationThread + B  771F8BE3 1 Byte  [E2]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtUnmapViewOfSection + 6  771F8E7E 4 Bytes  [68, D7, 83, 00]
.text  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] ntdll.dll!NtUnmapViewOfSection + B  771F8E83 1 Byte  [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [73D28864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [73D69855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [73D2B984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [73D1FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [73D27A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [73D1EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [73D5B12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]  [73D2BC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [73D20756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [73D206BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [73D171B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]  [73DAD9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]  [73D47329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [73D1E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [73D1697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [73D169A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[292] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [73D22475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[1580] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW]  00150010
IAT  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[3652] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW]  00150010
IAT  C:\Users\Mariola\AppData\Local\Google\Chrome\Application\chrome.exe[4060] @ C:\Windows\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW]  00150010

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1  Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----