GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-26 15:07:09
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD1600AAJS-00B4A0 rev.01.03A01
Running: prylpzo9.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pftdypow.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWS.0\Explorer.EXE[1768] @ C:\WINDOWS.0\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.0\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS.0\system32\svchost.exe (*** hidden *** ) [AUTO] gcqkhoddl <-- ROOTKIT !!!
Service C:\WINDOWS.0\system32\svchost.exe (*** hidden *** ) [AUTO] hcscwtiq <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\gcqkhoddl@DisplayName Center Update
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcqkhoddl@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcqkhoddl@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcqkhoddl@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcqkhoddl@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcqkhoddl@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcqkhoddl@Description Umożliwia użytkownikowi konfigurowanie i planowanie automatycznych zadań na tym komputerze. Jeśli ta usługa zostanie zatrzymana, zadania te nie będą uruchamiane o wyznaczonej godzinie. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcqkhoddl\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\gcqkhoddl\Parameters@ServiceDll C:\WINDOWS.0\system32\yfolfs.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\hcscwtiq@DisplayName Microsoft Security
Reg HKLM\SYSTEM\CurrentControlSet\Services\hcscwtiq@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\hcscwtiq@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\hcscwtiq@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\hcscwtiq@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\hcscwtiq@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\hcscwtiq@Description Śledzi zdarzenia systemowe, takie jak zdarzenia związane z logowaniem do systemu Windows, siecią i zasilaniem. Zawiadamia o tych zdarzeniach subskrybentów systemu zdarzeń COM+.
Reg HKLM\SYSTEM\CurrentControlSet\Services\hcscwtiq\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\hcscwtiq\Parameters@ServiceDll C:\WINDOWS.0\system32\yfolfs.dll
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION (binary value omitted)