GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-05-24 15:05:06
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAJS-00B4A0 rev.01.03A01 298,09GB
Running: 07nu1904.exe; Driver: C:\DOCUME~1\Kamil\USTAWI~1\Temp\awkoifog.sys

---- System - GMER 2.1 ----

SSDT BA72865C ZwClose
SSDT BA728616 ZwCreateKey
SSDT BA728666 ZwCreateSection
SSDT BA72860C ZwCreateThread
SSDT BA72861B ZwDeleteKey
SSDT BA728625 ZwDeleteValueKey
SSDT BA728657 ZwDuplicateObject
SSDT BA72862A ZwLoadKey
SSDT BA7285F8 ZwOpenProcess
SSDT BA7285FD ZwOpenThread
SSDT BA72867F ZwQueryValueKey
SSDT BA728634 ZwReplaceKey
SSDT BA728670 ZwRequestWaitReplyPort
SSDT BA72862F ZwRestoreKey
SSDT BA72866B ZwSetContextThread
SSDT BA728675 ZwSetSecurityObject
SSDT BA728620 ZwSetValueKey
SSDT BA72867A ZwSystemDebugControl
SSDT BA728607 ZwTerminateProcess

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB90B3000, 0x1A5044, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA7930300, 0x3AE88, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA418300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\svchost.exe[152] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 10004680 c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[224] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 01454680 c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
.text C:\Documents and Settings\Kamil\Ustawienia lokalne\Dane aplikacji\tuto4pc_pl_1\supt4pc_pl_1.exe[232] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 10004680 c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
.text C:\WINDOWS\system32\winlogon.exe[716] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 10004680 c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
.text C:\WINDOWS\system32\services.exe[760] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 10004680 c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
.text ...

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\svchost.exe[152] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[152] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000C9E0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[152] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000CAA0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[716] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryW] [10009B10] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[716] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[716] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtOpenFile] [10009C80] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[716] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtOpenKey] [1000C9E0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[716] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtQueryValueKey] [1000C890] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[716] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtClose] [1000CAA0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[716] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtSetValueKey] [1000C900] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[716] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtCreateKey] [1000C970] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!LoadLibraryW] [10009B10] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtCreateKey] [1000C970] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryValueKey] [1000C890] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtSetValueKey] [1000C900] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteValueKey] [1000CB70] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtEnumerateKey] [1000C7B0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtOpenKey] [1000C9E0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteKey] [1000CB20] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtSetInformationFile] [10009E30] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryInformationFile] [100096D0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteFile] [10009DE0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtOpenFile] [10009C80] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryKey] [10009690] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[760] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtClose] [1000CAA0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[956] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[956] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000C9E0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[956] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000CAA0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000C9E0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1040] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000CAA0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1160] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1160] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [1000C9E0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1160] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] [1000CAA0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1220] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1220] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000C9E0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1220] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000CAA0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1392] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1392] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000C9E0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1392] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000CAA0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1624] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1624] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000C9E0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1624] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000CAA0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1708] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1708] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000C9E0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1708] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000CAA0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\Explorer.EXE[1860] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\Explorer.EXE[1860] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryW] [10009B10] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1996] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1996] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [1000C9E0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1996] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] [1000CAA0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[2028] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009AC0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[2028] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [1000C9E0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[2028] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] [1000CAA0] c:\docume~1\alluse~1\daneap~1\browse~2\261040~1.25\{c16c1~1\browse~1.dll

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\HP Deskjet F4200 series@ChangeID 3286265

---- EOF - GMER 2.1 ----