GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-22 10:29:02
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400BB-00JHC0 rev.05.01C05
Running: f1xz8evc.exe; Driver: C:\DOCUME~1\admin\USTAWI~1\Temp\pxtdapob.sys


---- Kernel code sections - GMER 1.0.15 ----

?       C:\WINDOWS\TEMP\mc21.tmp    Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 1.0.15 ----

.text   C:\WINDOWS\system32\crypserv.exe[168] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\crypserv.exe[168] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\crypserv.exe[168] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\crypserv.exe[168] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\crypserv.exe[168] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\Program Files\Java\jre7\bin\jqs.exe[244] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\Program Files\Java\jre7\bin\jqs.exe[244] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\Program Files\Java\jre7\bin\jqs.exe[244] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\Program Files\Java\jre7\bin\jqs.exe[244] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\Program Files\Java\jre7\bin\jqs.exe[244] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[272] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[272] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[272] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[272] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[272] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\svchost.exe[660] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\svchost.exe[660] kernel32.dll!FreeLibrary + 15       7C80AC03 4 Bytes  CALL 5F00003D
.text   C:\WINDOWS\system32\csrss.exe[668] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\csrss.exe[668] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\csrss.exe[668] KERNEL32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\csrss.exe[668] KERNEL32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\csrss.exe[668] KERNEL32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\winlogon.exe[692] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\winlogon.exe[692] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\services.exe[736] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\services.exe[736] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\services.exe[736] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\services.exe[736] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\lsass.exe[748] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\lsass.exe[748] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\notepad.exe[812] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\notepad.exe[812] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\notepad.exe[812] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\notepad.exe[812] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\notepad.exe[812] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\notepad.exe[812] kernel32.dll!FreeLibrary + 15       7C80AC03 4 Bytes  CALL 5F00003D
.text   C:\WINDOWS\system32\svchost.exe[896] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\svchost.exe[896] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\svchost.exe[896] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   G:\f1xz8evc.exe[1036] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   G:\f1xz8evc.exe[1036] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   G:\f1xz8evc.exe[1036] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   G:\f1xz8evc.exe[1036] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   G:\f1xz8evc.exe[1036] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   G:\f1xz8evc.exe[1036] kernel32.dll!FreeLibrary + 15       7C80AC03 4 Bytes  CALL 5F00003D
.text   C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\svchost.exe[1096] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\svchost.exe[1096] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\wscntfy.exe[1296] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\wscntfy.exe[1296] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\wscntfy.exe[1296] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\wscntfy.exe[1296] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\wscntfy.exe[1296] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\wscntfy.exe[1296] kernel32.dll!FreeLibrary + 15       7C80AC03 4 Bytes  CALL 5F00003D
.text   C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\svchost.exe[1320] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\svchost.exe[1320] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\spoolsv.exe[1592] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\spoolsv.exe[1592] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\spoolsv.exe[1592] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\spoolsv.exe[1592] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\spoolsv.exe[1592] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\Explorer.EXE[1732] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\Explorer.EXE[1732] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\VTTimer.exe[1856] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\VTTimer.exe[1856] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\VTTimer.exe[1856] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\VTTimer.exe[1856] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\VTTimer.exe[1856] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\Program Files\Gadu-Gadu 10\gg.exe[1864] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\Program Files\Gadu-Gadu 10\gg.exe[1864] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\Program Files\Gadu-Gadu 10\gg.exe[1864] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\Program Files\Gadu-Gadu 10\gg.exe[1864] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\Program Files\Gadu-Gadu 10\gg.exe[1864] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A
.text   C:\WINDOWS\system32\svchost.exe[2044] ntdll.dll!NtTerminateProcess        7C90DE6E 3 Bytes  [FF, 25, 1E]
.text   C:\WINDOWS\system32\svchost.exe[2044] ntdll.dll!NtTerminateProcess + 4    7C90DE72 2 Bytes  [0E, 5F] {PUSH CS; POP EDI}
.text   C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!LoadLibraryExW         7C801AF1 6 Bytes  JMP 5F070F5A
.text   C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateProcessW         7C802332 6 Bytes  JMP 5F0A0F5A
.text   C:\WINDOWS\system32\svchost.exe[2044] kernel32.dll!CreateProcessA         7C802367 6 Bytes  JMP 5F040F5A

---- User IAT/EAT - GMER 1.0.15 ----

IAT     C:\Program Files\Spyware Doctor\sdhelp.exe[492] @ C:\WINDOWS\system32\user32.dll [KERNEL32.dll!CreateThread]    [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)
IAT     C:\Program Files\Spyware Doctor\sdhelp.exe[492] @ C:\WINDOWS\system32\advapi32.dll [KERNEL32.dll!CreateThread]  [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)
IAT     C:\Program Files\Spyware Doctor\sdhelp.exe[492] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateThread]    [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)
IAT     C:\Program Files\Spyware Doctor\sdhelp.exe[492] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!CreateThread]    [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)
IAT     C:\Program Files\Spyware Doctor\sdhelp.exe[492] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread]     [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)
IAT     C:\Program Files\Spyware Doctor\sdhelp.exe[492] @ C:\WINDOWS\system32\shell32.dll [KERNEL32.dll!CreateThread]   [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)
IAT     C:\Program Files\Spyware Doctor\sdhelp.exe[492] @ C:\WINDOWS\system32\SHLWAPI.dll [KERNEL32.dll!CreateThread]   [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)
IAT     C:\Program Files\Spyware Doctor\sdhelp.exe[492] @ C:\WINDOWS\system32\WS2_32.dll [KERNEL32.dll!CreateThread]    [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)
IAT     C:\Program Files\Spyware Doctor\sdhelp.exe[492] @ C:\WINDOWS\system32\WS2HELP.dll [KERNEL32.dll!CreateThread]   [0042B398] C:\Program Files\Spyware Doctor\sdhelp.exe (PC Tools Research Pty Ltd)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Fastfat \Fat    fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat    fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----