GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-14 16:34:53
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD1200BEVS-08RST2 rev.08.01G08 111,79GB
Running: zm93cxob.exe; Driver: C:\DOCUME~1\Asia\USTAWI~1\Temp\kwtdqpog.sys

---- User code sections - GMER 2.1 ----

.reloc C:\WINDOWS\Explorer.EXE[772] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0x3800, 0xE0000040]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, F0, 27, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtMapViewOfSection + 6 7C90D506 4 Bytes [28, F3, 27, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtMapViewOfSection + B 7C90D50B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, F0, 27, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, F1, 27, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B90FDEC
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, F2, 27, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, F1, 27, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, F2, 27, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B90FE5D
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, F0, 27, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B90FF8B
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, F1, 27, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, F2, 27, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtUnmapViewOfSection + 6 7C90DEF6 4 Bytes [68, F3, 27, 00]
.text C:\Program Files\Google\Chrome\Application\chrome.exe[3520] ntdll.dll!NtUnmapViewOfSection + B 7C90DEFB 1 Byte [E2]

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cda07e2
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cda07e2@001ea3b1d83b 0xC5 0xA5 0xE4 0x82 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cda07e2@a0079871c375 0xCE 0x5B 0x78 0x9E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cda07e2@001e7d9c33dd 0x6D 0x09 0xDD 0x48 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cda07e2@90cf152620b6 0x30 0x31 0xF5 0x7A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cda07e2@d4c1fcd69d8a 0xB0 0xC7 0xFD 0x8B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e4cda07e2@5c17d3068f49 0x69 0xB0 0x63 0x9D ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e4cda07e2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e4cda07e2@001ea3b1d83b 0xC5 0xA5 0xE4 0x82 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e4cda07e2@a0079871c375 0xCE 0x5B 0x78 0x9E ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e4cda07e2@001e7d9c33dd 0x6D 0x09 0xDD 0x48 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e4cda07e2@90cf152620b6 0x30 0x31 0xF5 0x7A ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e4cda07e2@d4c1fcd69d8a 0xB0 0xC7 0xFD 0x8B ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e4cda07e2@5c17d3068f49 0x69 0xB0 0x63 0x9D ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DF925EF3-7A87-44E4-9CAF-8D7B280BF616}\iexplore@Count 95
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\74\Shell@MinPos1280x800(1).x -32000
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\74\Shell@MinPos1280x800(1).y -32000

---- Files - GMER 2.1 ----

ADS C:\System Volume Information\_restore{9B97A004-468A-474D-8DF3-79914303515F}\RP206\A0368041.exe:BAK 22528 bytes executable

---- EOF - GMER 2.1 ----