GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-14 01:02:09
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-60LSA5 rev.10.01E03
Running: jq7w6hs2.exe; Driver: C:\DOCUME~1\xxx\USTAWI~1\Temp\ffrdrpod.sys


---- Kernel code sections - GMER 1.0.15 ----

.text   C:\WINDOWS\system32\DRIVERS\atksgt.sys   section is writeable [0xF2D77300, 0x3AE88, 0xE8000020]
.text   C:\WINDOWS\system32\DRIVERS\lirsgt.sys   section is writeable [0xF7996300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text   C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe[648] ntdll.dll!NtEnumerateValueKey   7C90D2EE 5 Bytes  JMP 00F2B920 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe[648] ntdll.dll!NtQueryDirectoryFile   7C90D76E 5 Bytes  JMP 00F2BFD0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe[648] ntdll.dll!NtQuerySystemInformation   7C90D92E 5 Bytes  JMP 00F2BA60 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe[648] kernel32.dll!CreateProcessW   7C802336 5 Bytes  JMP 00F226B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe[648] kernel32.dll!CreateProcessA   7C80236B 5 Bytes  JMP 00F22950 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe[648] kernel32.dll!OpenProcess   7C8309E9 5 Bytes  JMP 00F2B8B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Messenger\msmsgs.exe[952] ntdll.dll!NtEnumerateValueKey   7C90D2EE 5 Bytes  JMP 009AB920 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Messenger\msmsgs.exe[952] ntdll.dll!NtQueryDirectoryFile   7C90D76E 5 Bytes  JMP 009ABFD0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Messenger\msmsgs.exe[952] ntdll.dll!NtQuerySystemInformation   7C90D92E 5 Bytes  JMP 009ABA60 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Messenger\msmsgs.exe[952] kernel32.dll!CreateProcessW   7C802336 5 Bytes  JMP 009A26B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Messenger\msmsgs.exe[952] kernel32.dll!CreateProcessA   7C80236B 5 Bytes  JMP 009A2950 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Messenger\msmsgs.exe[952] kernel32.dll!OpenProcess   7C8309E9 5 Bytes  JMP 009AB8B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\VTtrayp.exe[988] ntdll.dll!NtEnumerateValueKey   7C90D2EE 5 Bytes  JMP 1000B920 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\VTtrayp.exe[988] ntdll.dll!NtQueryDirectoryFile   7C90D76E 5 Bytes  JMP 1000BFD0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\VTtrayp.exe[988] ntdll.dll!NtQuerySystemInformation   7C90D92E 5 Bytes  JMP 1000BA60 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\VTtrayp.exe[988] kernel32.dll!CreateProcessW   7C802336 5 Bytes  JMP 100026B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\VTtrayp.exe[988] kernel32.dll!CreateProcessA   7C80236B 5 Bytes  JMP 10002950 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\VTtrayp.exe[988] kernel32.dll!OpenProcess   7C8309E9 5 Bytes  JMP 1000B8B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\Explorer.EXE[1368] ntdll.dll!NtEnumerateValueKey   7C90D2EE 5 Bytes  JMP 1000B920 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\Explorer.EXE[1368] ntdll.dll!NtQueryDirectoryFile   7C90D76E 5 Bytes  JMP 1000BFD0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\Explorer.EXE[1368] ntdll.dll!NtQuerySystemInformation   7C90D92E 5 Bytes  JMP 1000BA60 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\Explorer.EXE[1368] kernel32.dll!CreateProcessW   7C802336 5 Bytes  JMP 100026B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\Explorer.EXE[1368] kernel32.dll!CreateProcessA   7C80236B 5 Bytes  JMP 10002950 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\Explorer.EXE[1368] kernel32.dll!OpenProcess   7C8309E9 5 Bytes  JMP 1000B8B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\vsnpstd3.exe[1492] ntdll.dll!NtEnumerateValueKey   7C90D2EE 5 Bytes  JMP 1000B920 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\vsnpstd3.exe[1492] ntdll.dll!NtQueryDirectoryFile   7C90D76E 5 Bytes  JMP 1000BFD0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\vsnpstd3.exe[1492] ntdll.dll!NtQuerySystemInformation   7C90D92E 5 Bytes  JMP 1000BA60 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\vsnpstd3.exe[1492] kernel32.dll!CreateProcessW   7C802336 5 Bytes  JMP 100026B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\vsnpstd3.exe[1492] kernel32.dll!CreateProcessA   7C80236B 5 Bytes  JMP 10002950 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\vsnpstd3.exe[1492] kernel32.dll!OpenProcess   7C8309E9 5 Bytes  JMP 1000B8B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\tsnpstd3.exe[1504] ntdll.dll!NtEnumerateValueKey   7C90D2EE 5 Bytes  JMP 1000B920 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\tsnpstd3.exe[1504] ntdll.dll!NtQueryDirectoryFile   7C90D76E 5 Bytes  JMP 1000BFD0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\tsnpstd3.exe[1504] ntdll.dll!NtQuerySystemInformation   7C90D92E 5 Bytes  JMP 1000BA60 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\tsnpstd3.exe[1504] kernel32.dll!CreateProcessW   7C802336 5 Bytes  JMP 100026B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\tsnpstd3.exe[1504] kernel32.dll!CreateProcessA   7C80236B 5 Bytes  JMP 10002950 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\tsnpstd3.exe[1504] kernel32.dll!OpenProcess   7C8309E9 5 Bytes  JMP 1000B8B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\wscntfy.exe[1544] ntdll.dll!NtEnumerateValueKey   7C90D2EE 5 Bytes  JMP 1000B920 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\wscntfy.exe[1544] ntdll.dll!NtQueryDirectoryFile   7C90D76E 5 Bytes  JMP 1000BFD0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\wscntfy.exe[1544] ntdll.dll!NtQuerySystemInformation   7C90D92E 5 Bytes  JMP 1000BA60 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\wscntfy.exe[1544] kernel32.dll!CreateProcessW   7C802336 5 Bytes  JMP 100026B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\wscntfy.exe[1544] kernel32.dll!CreateProcessA   7C80236B 5 Bytes  JMP 10002950 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\wscntfy.exe[1544] kernel32.dll!OpenProcess   7C8309E9 5 Bytes  JMP 1000B8B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\VTTimer.exe[1828] ntdll.dll!NtEnumerateValueKey   7C90D2EE 5 Bytes  JMP 1000B920 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\VTTimer.exe[1828] ntdll.dll!NtQueryDirectoryFile   7C90D76E 5 Bytes  JMP 1000BFD0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\VTTimer.exe[1828] ntdll.dll!NtQuerySystemInformation   7C90D92E 5 Bytes  JMP 1000BA60 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\VTTimer.exe[1828] kernel32.dll!CreateProcessW   7C802336 5 Bytes  JMP 100026B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\VTTimer.exe[1828] kernel32.dll!CreateProcessA   7C80236B 5 Bytes  JMP 10002950 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\VTTimer.exe[1828] kernel32.dll!OpenProcess   7C8309E9 5 Bytes  JMP 1000B8B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Kergpthwexmxz\aysfudh.exe[1868] ntdll.dll!NtEnumerateValueKey   7C90D2EE 5 Bytes  JMP 1000B920 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Kergpthwexmxz\aysfudh.exe[1868] ntdll.dll!NtQueryDirectoryFile   7C90D76E 5 Bytes  JMP 1000BFD0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Kergpthwexmxz\aysfudh.exe[1868] ntdll.dll!NtQuerySystemInformation   7C90D92E 5 Bytes  JMP 1000BA60 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Kergpthwexmxz\aysfudh.exe[1868] kernel32.dll!CreateProcessW   7C802336 5 Bytes  JMP 100026B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Kergpthwexmxz\aysfudh.exe[1868] kernel32.dll!CreateProcessA   7C80236B 5 Bytes  JMP 10002950 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Kergpthwexmxz\aysfudh.exe[1868] kernel32.dll!OpenProcess   7C8309E9 5 Bytes  JMP 1000B8B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\ctfmon.exe[1912] ntdll.dll!NtEnumerateValueKey   7C90D2EE 5 Bytes  JMP 1000B920 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\ctfmon.exe[1912] ntdll.dll!NtQueryDirectoryFile   7C90D76E 5 Bytes  JMP 1000BFD0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\ctfmon.exe[1912] ntdll.dll!NtQuerySystemInformation   7C90D92E 5 Bytes  JMP 1000BA60 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\ctfmon.exe[1912] kernel32.dll!CreateProcessW   7C802336 5 Bytes  JMP 100026B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\ctfmon.exe[1912] kernel32.dll!CreateProcessA   7C80236B 5 Bytes  JMP 10002950 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\WINDOWS\system32\ctfmon.exe[1912] kernel32.dll!OpenProcess   7C8309E9 5 Bytes  JMP 1000B8B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1984] ntdll.dll!NtEnumerateValueKey   7C90D2EE 5 Bytes  JMP 00A9B920 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1984] ntdll.dll!NtQueryDirectoryFile   7C90D76E 5 Bytes  JMP 00A9BFD0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1984] ntdll.dll!NtQuerySystemInformation   7C90D92E 5 Bytes  JMP 00A9BA60 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1984] kernel32.dll!CreateProcessW   7C802336 5 Bytes  JMP 00A926B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1984] kernel32.dll!CreateProcessA   7C80236B 5 Bytes  JMP 00A92950 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1984] kernel32.dll!OpenProcess   7C8309E9 5 Bytes  JMP 00A9B8B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Documents and Settings\xxx\Pulpit\care\jq7w6hs2.exe[3812] ntdll.dll!NtEnumerateValueKey   7C90D2EE 5 Bytes  JMP 1000B920 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Documents and Settings\xxx\Pulpit\care\jq7w6hs2.exe[3812] ntdll.dll!NtQueryDirectoryFile   7C90D76E 5 Bytes  JMP 1000BFD0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Documents and Settings\xxx\Pulpit\care\jq7w6hs2.exe[3812] ntdll.dll!NtQuerySystemInformation   7C90D92E 5 Bytes  JMP 1000BA60 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Documents and Settings\xxx\Pulpit\care\jq7w6hs2.exe[3812] kernel32.dll!CreateProcessW   7C802336 5 Bytes  JMP 100026B0 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Documents and Settings\xxx\Pulpit\care\jq7w6hs2.exe[3812] kernel32.dll!CreateProcessA   7C80236B 5 Bytes  JMP 10002950 C:\WINDOWS\system32\msxun1er9.dll
.text   C:\Documents and Settings\xxx\Pulpit\care\jq7w6hs2.exe[3812] kernel32.dll!OpenProcess   7C8309E9 5 Bytes  JMP 1000B8B0 C:\WINDOWS\system32\msxun1er9.dll

---- Processes - GMER 1.0.15 ----

Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe [648] 0x00F20000
Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\Program Files\Messenger\msmsgs.exe [952] 0x009A0000
Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\WINDOWS\system32\VTtrayp.exe [988] 0x10000000
Process   C:\Program Files\Kergpthwexmxz\aysfudh.exe (*** hidden *** ) 1192
Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\Program Files\Kergpthwexmxz\aysfudh.exe [1192] 0x10000000
Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1368] 0x10000000
Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\WINDOWS\vsnpstd3.exe [1492] 0x10000000
Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\WINDOWS\tsnpstd3.exe [1504] 0x10000000
Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\WINDOWS\system32\wscntfy.exe [1544] 0x10000000
Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\WINDOWS\system32\VTTimer.exe [1828] 0x10000000
Process   C:\Program Files\Kergpthwexmxz\aysfudh.exe (*** hidden *** ) 1868
Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\Program Files\Kergpthwexmxz\aysfudh.exe [1868] 0x10000000
Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1912] 0x10000000
Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [1984] 0x00A90000
Library   C:\WINDOWS\system32\msxun1er9.dll (*** hidden *** ) @ C:\Documents and Settings\xxx\Pulpit\care\jq7w6hs2.exe [3812] 0x10000000

---- Registry - GMER 1.0.15 ----

Reg   HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run@15518   C:\Program Files\Kergpthwexmxz\aysfudh.exe ay
Reg   HKLM\SOFTWARE\Classes\CLSID\{6A1247C5-43CB-F9A4-32E1-52DEE1FDE352}\kwktaiZl@   F\
Reg   HKLM\SOFTWARE\Classes\CLSID\{6A1247C5-43CB-F9A4-32E1-52DEE1FDE352}\LREajCb@   uFfUGlTzb|Cyl_N{cA?eHde@
Reg   HKLM\SOFTWARE\Classes\CLSID\{6A1247C5-43CB-F9A4-32E1-52DEE1FDE352}\nybykwiyuscl@   NQ[gOVABgblX\\YI\}RmKVdD^
Reg   HKCU\Software\Microsoft\Windows\CurrentVersion\Run@15518   C:\Program Files\Kergpthwexmxz\aysfudh.exe ay

---- Files - GMER 1.0.15 ----

File   C:\Program Files\Kergpthwexmxz   0 bytes
File   C:\Program Files\Kergpthwexmxz\aysfudh.exe   2188962 bytes executable
File   C:\Program Files\Kergpthwexmxz\help.chm   765626 bytes
File   C:\Program Files\Kergpthwexmxz\Log   0 bytes
File   C:\Program Files\Kergpthwexmxz\Log\Audio   0 bytes
File   C:\Program Files\Kergpthwexmxz\Log\Text   0 bytes
File   C:\Program Files\Kergpthwexmxz\Log\Text\aiocht.dat   11881566 bytes
File   C:\Program Files\Kergpthwexmxz\Log\Text\aiotxt.dat   330734 bytes
File   C:\Program Files\Kergpthwexmxz\Log\Text\aioweb.dat   668 bytes
File   C:\Program Files\Kergpthwexmxz\Log\Visual   0 bytes
File   C:\Program Files\Kergpthwexmxz\Log\Visual\04192010.dat   77106419 bytes
File   C:\Program Files\Kergpthwexmxz\Log\Visual\04202010.dat   178973906 bytes
File   C:\Program Files\Kergpthwexmxz\Log\Visual\04212010.dat   247707077 bytes
File   C:\Program Files\Kergpthwexmxz\Log\Visual\04222010.dat   354319769 bytes
File   C:\Program Files\Kergpthwexmxz\Log\Visual\04232010.dat   69065671 bytes
File   C:\Program Files\Kergpthwexmxz\Log\Visual\04252010.dat   34100386 bytes
File   C:\Program Files\Kergpthwexmxz\unins000.dat   13458 bytes
File   C:\Program Files\Kergpthwexmxz\unins000.exe   708211 bytes
File   C:\WINDOWS\system32\msxun1er9.dll   135168 bytes executable

---- EOF - GMER 1.0.15 ----