GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-16 10:42:27
Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST380020A rev.3.39 73,06GB
Running: quwqp8mg.exe; Driver: C:\DOCUME~1\Kuba\USTAWI~1\Temp\pwndrpog.sys

---- System - GMER 2.1 ----

SSDT \??\C:\WINDOWS\system32\drivers\avgtpx86.sys ZwQueryValueKey [0xF799F1D6]

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6A56000, 0x267537, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Common Files\SafeNet Sentinel\Sentinel Protection Server\WinNT\spnsrvnt.exe[124] USER32.dll!DialogBoxParamW 77D46702 5 Bytes JMP 10004BB0 c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[208] USER32.dll!DialogBoxParamW 77D46702 5 Bytes JMP 10004BB0 c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
.text C:\Program Files\Nowe Gadu-Gadu\spellchecker_gg.exe[276] USER32.dll!DialogBoxParamW 77D46702 5 Bytes JMP 00904BB0 c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
.text C:\WINDOWS\system32\ctfmon.exe[312] USER32.dll!DialogBoxParamW 77D46702 5 Bytes JMP 10004BB0 c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
.text C:\Documents and Settings\All Users\Dane aplikacji\BrowserProtect\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[320] USER32.dll!DialogBoxParamW 77D46702 5 Bytes JMP 10004BB0 C:\Documents and Settings\All Users\Dane aplikacji\BrowserProtect\2.6.1339.144\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.dll
.text ...

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\winlogon.exe[640] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryW] [1000A6C0] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[640] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryA] [1000A670] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[640] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtOpenFile] [1000A830] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[640] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtOpenKey] [1000E650] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[640] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtQueryValueKey] [1000E500] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[640] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtClose] [1000E710] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[640] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtSetValueKey] [1000E570] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\winlogon.exe[640] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtCreateKey] [1000E5E0] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!LoadLibraryA] [1000A670] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!LoadLibraryW] [1000A6C0] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtCreateKey] [1000E5E0] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryValueKey] [1000E500] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtSetValueKey] [1000E570] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteValueKey] [1000E7E0] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtEnumerateKey] [1000E420] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtOpenKey] [1000E650] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteKey] [1000E790] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtSetInformationFile] [1000A9E0] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryInformationFile] [1000A0B0] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteFile] [1000A990] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtOpenFile] [1000A830] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryKey] [1000A070] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\services.exe[684] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtClose] [1000E710] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[868] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [1000A670] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[868] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000E650] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[868] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E710] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[900] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [1000A670] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[900] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000E650] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[900] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E710] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[956] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [1000A670] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[956] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000E650] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[956] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E710] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1052] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [1000A670] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1052] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [1000E650] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\System32\svchost.exe[1052] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] [1000E710] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [1000A670] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000E650] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1124] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E710] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1280] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [1000A670] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1280] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000E650] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1280] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E710] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1348] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [1000A670] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1348] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000E650] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\system32\svchost.exe[1348] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E710] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\Explorer.EXE[1768] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryA] [1000A670] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll
IAT C:\WINDOWS\Explorer.EXE[1768] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryW] [1000A6C0] c:\docume~1\alluse~1\daneap~1\browse~1\261339~1.144\{c16c1~1\browse~1.dll

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys