GMER 2.1.19081 - http://www.gmer.net
Rootkit scan 2013-02-24 17:31:50
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.8909 149.05GB
Running: e0irb99l.exe; Driver: C:\DOCUME~1\MAGORZ~1\USTAWI~1\Temp\fwxdqpow.sys

---- Kernel code sections - GMER 2.1 ----

.sfreloc ÿÿÿÿsfsync03 unknown last section [0xF75D4000, 0xA20, 0x40000040]
C:\WINDOWS\system32\drivers\sfsync03.sys unknown last section [0xF75D4000, 0xA20, 0x40000040]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\svchost.exe[1172] USER32.dll!DialogBoxIndirectParamAorW 7E3749D0 5 Bytes [33, C0, C2, 18, 00] {XOR EAX, EAX; RET 0x18}
? C:\WINDOWS\system32\svchost.exe[1172] C:\WINDOWS\system32\smss.exe image checksum mismatch; time/date stamp mismatch; unknown module: OLEAUT32.dll; unknown module: urlmon.dll; unknown module: VERSION.dll

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtTerminateProcess] 68EC8B55
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtRaiseHardError] [00375278] C:\WINDOWS\system32\smss.exe (Menedzer sesji Windows NT/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlInitUnicodeString] E80C75FF
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAdjustPrivilege] 000003BA
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlFreeHeap] 1E75C085
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlUpcaseUnicodeChar] 37528868
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlUnicodeStringToInteger] 0C75FF00
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAllocateHeap] 0003A9E8
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlFreeUnicodeString] 75C08500
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!DbgPrintEx] 10458B0D
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlExtendedIntegerMultiply] B8002083
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryVolumeInformationFile] 80004002
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenFile] 458B14EB
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtClose] 104D8B08
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!wcslen] C9330189
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!wcscpy] 4104C083
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryInformationProcess] 08C10FF0
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreatePagingFile] C25DC033
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetInformationFile] 448B000C
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryInformationFile] 488D0424
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!DbgPrint] 40C03304
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQuerySystemInformation] 01C10FF0
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!_allmul] 0004C240
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetSecurityObject] 24748B56
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlSetOwnerSecurityDescriptor] 468D5708
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlSetDaclSecurityDescriptor] FFCF8304
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAddAccessAllowedAce] 38C10FF0
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateAcl] 8509754F
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateSecurityDescriptor] E80574F6
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAllocateAndInitializeSid] 00000184
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlDosPathNameToNtPathName_U] 5E5FC78B
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlExpandEnvironmentStrings_U] 550004C2
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryValueKey] 8B56EC8B
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!swprintf] FF570875
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenKey] 15FF2076
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetValueKey] [0037516C] C:\WINDOWS\system32\smss.exe (Menedzer sesji Windows NT/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreateKey] 00448D59
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreateFile] 36D6E840
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtReadFile] FC8B0000
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!_chkstk] 682076FF
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!wcsstr] [00375200] C:\WINDOWS\system32\smss.exe (Menedzer sesji Windows NT/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!_wcsupr] 6815FF57
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtMakeTemporaryObject] 83003751
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreateSymbolicLinkObject] 448D0CC4
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenDirectoryObject] FF500200
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!wcsncpy] 3751D015
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAnsiStringToUnicodeString] 85F08B00
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlInitAnsiString] 570A74F6
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!_stricmp] 6415FF56
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreateSection] 59003751
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!LdrVerifyImageMatchesChecksum] 18458B59
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreateDirectoryObject] C0333089
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlSetEnvironmentVariable] 5FF8658D
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!LdrUnloadDll] 14C25D5E
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!LdrGetProcedureAddress] 08668300
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlInitString] 1C4E8300
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!LdrLoadDll] 204E83FF
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCompareUnicodeString] 384689FF
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlEqualString] 0424448B
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!memmove] 8D344689
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!_wcsicmp] C7502C46
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateUnicodeString] 37523806
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlDosSearchPath_U] 0C46C700
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlQueryEnvironmentVariable_U] [00375244] C:\WINDOWS\system32\smss.exe (Menedzer sesji Windows NT/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlEqualUnicodeString] 501046C7
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAppendUnicodeToString] C7003752
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlAppendUnicodeStringToString] 525C1446
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtWaitForSingleObject] 46C70037
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtResumeThread] 37526818
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlDestroyProcessParameters] 0446C700
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateUserProcess] 00000001
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateProcessParameters] 114B00C7
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlUnlockBootStatusData] 15FF0037
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlGetSetBootStatusData] [00375100] C:\WINDOWS\system32\smss.exe (Menedzer sesji Windows NT/Microsoft Corporation)
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlLockBootStatusData] 00010468
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtDisplayString] 30006800
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!sprintf] 00680000
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtDuplicateObject] 6A000010
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlLengthSid] 6015FF00
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlGetAce] 83003750
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlPrefixUnicodeString] 89002866
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQuerySymbolicLinkObject] C68B2446
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenSymbolicLinkObject] FF0004C2
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryDirectoryObject] 3750FC15
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtRequestWaitReplyPort] 810BEB00
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlFindMessage] 37114B38
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetEvent] 8B087400
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetSystemInformation] C0850440
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreateEvent] 83C3F175
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlLeaveCriticalSection] 51C3D4C0
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlEnterCriticalSection] 0475C985
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!wcscat] C359C033
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!LdrQueryImageFileExecutionOptions] 81328B56
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtDelayExecution] 000001FE
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtInitializeRegistry] 81227480
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlQueryRegistryValues] 000004FE
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtDeleteValueKey] 8D747580
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateEnvironment] 50042444
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateUserThread] 00010468
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCreatePort] 10006800
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlInitializeCriticalSection] 71FF0000
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetInformationProcess] 5C15FF24
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlCreateTagHeap] EB003750
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtSetInformationThread] 107A8355
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryInformationToken] 8B547601
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenThreadToken] D68B1872
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtImpersonateClientOfPort] 8124512B
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtConnectPort] 001000FA
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtCompleteConnectPort] 8B447300
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtAcceptConnectPort] 8D570851
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenProcess] EA83017A
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtReplyWaitReceivePort] 08798900
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlExitUserThread] 4A19745F
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtReplyPort] 744A0F74
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlSetThreadIsCritical] 40C03305
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtWaitForMultipleObjects] 418B2BEB
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlSetProcessIsCritical] EB068934
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlUnicodeStringToAnsiString] 38498B1D
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtAdjustPrivilegesToken] 06EB0E89
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtOpenProcessToken] 040006C7
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlUnhandledExceptionFilter] 08810000
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlUnwind] 00010010
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!NtQueryVirtualMemory] 00C08881
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!DbgBreakPoint] 01000000
IAT C:\WINDOWS\system32\svchost.exe[1172] @ C:\WINDOWS\system32\smss.exe [ntdll.dll!RtlNormalizeProcessParams] C8830000

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)

---- Processes - GMER 2.1 ----

Library c:\windows\system32\z (*** hidden *** ) @ C:\WINDOWS\system32\svchost.exe [732] 0x6A300000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----