GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-14 08:35:51
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3120023A rev.3.30 111,79GB
Running: iyir9nfj.exe; Driver: C:\DOCUME~1\WACICI~1\USTAWI~1\Temp\kgpyrfod.sys


---- System - GMER 2.1 ----

SSDT \??\c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys ZwCreateSection [0xB167A0D8]
SSDT \??\c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys ZwCreateThread [0xB167A25E]
SSDT \??\c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys ZwMakeTemporaryObject [0xB167A04E]
SSDT \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys ZwOpenProcess [0xB152027A]
SSDT \??\c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys ZwOpenSection [0xB1676D22]
SSDT \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys ZwOpenThread [0xB1520448]
SSDT \??\c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys ZwQueueApcThread [0xB167A37E]
SSDT \??\c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys ZwSetContextThread [0xB167A49E]
SSDT \??\c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys ZwSetSystemInformation [0xB16765B0]
SSDT \??\c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys ZwSetSystemTime [0xB1676766]
SSDT \??\c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys ZwSystemDebugControl [0xB167628A]
SSDT \??\c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys ZwTerminateProcess [0xB16767F4]
SSDT \??\c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys ZwUnmapViewOfSection [0xB1679FC0]
SSDT \??\c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys ZwWriteVirtualMemory [0xB167838C]

Code 85FFFCEC ZwRequestPort
Code 85FFFD8C ZwRequestWaitReplyPort
Code 85FFFC4C ZwTraceEvent
Code \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys KeInsertQueueApc
Code 85FFFCEB NtRequestPort
Code 85FFFD8B NtRequestWaitReplyPort
Code 85FFFC4B NtTraceEvent

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!KeInsertQueueApc 804E5381 5 Bytes JMP B1521838 \??\C:\WINDOWS\system32\drivers\mbamchameleon.sys
.text ntoskrnl.exe!NtTraceEvent 80545D00 5 Bytes JMP 85FFFC50
PAGE ntoskrnl.exe!NtRequestWaitReplyPort 8056DD9E 5 Bytes JMP 85FFFD90
PAGE ntoskrnl.exe!NtRequestPort 80596862 5 Bytes JMP 85FFFCF0
.text win32k.sys!EngAcquireSemaphore + 20F0 BF80834F 5 Bytes JMP 85FFF4D0
.text win32k.sys!EngFreeUserMem + 5C03 BF80EF07 5 Bytes JMP 85FFF430
.text win32k.sys!EngTransparentBlt + 44FC BF81F43F 5 Bytes JMP 85FFFA70
.text win32k.sys!EngPaint + 11A8 BF82E368 5 Bytes JMP 85FFF610
.text win32k.sys!CLIPOBJ_bEnum + 13B4 BF8383A2 5 Bytes JMP 85FFF750
.text win32k.sys!CLIPOBJ_bEnum + F626 BF846614 5 Bytes JMP 85FFF6B0
.text win32k.sys!XLATEOBJ_iXlate + 5850 BF867BE9 5 Bytes JMP 85FFF930
.text win32k.sys!EngCreatePalette + 1CB BF8B2443 5 Bytes JMP 85FFF570
.text win32k.sys!EngAlphaBlend + AE73 BF8C1A20 5 Bytes JMP 85FFF7F0
.text win32k.sys!PATHOBJ_bCloseFigure + 19F1 BF8EFA1E 5 Bytes JMP 85FFF9D0
.text win32k.sys!EngCreateClip + 1A40 BF914AEC 5 Bytes JMP 85FFFB10
.text win32k.sys!EngCreateClip + 1FD0 BF91507C 5 Bytes JMP 85FFFBB0
.text win32k.sys!EngCreateClip + 2616 BF9156C2 5 Bytes JMP 85FFF890
? c:\documents and settings\właściciel\ustawienia lokalne\temp\4DDD17A5-2FA32255-96111E6D-63BCE8FF\429de0c16.sys System nie może odnaleźć określonej ścieżki. !
? C:\DOCUME~1\WACICI~1\USTAWI~1\Temp\459A3B2B9.sys System nie może odnaleźć określonej ścieżki. !
? C:\WINDOWS\system32\drivers\mbamchameleon.sys Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 2.1 ----

.text C:\Program Files\CCleaner\CCleaner.exe[2088] USER32.dll!SetScrollInfo 7E369056 5 Bytes JMP 00504E5D C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd)
.text C:\Program Files\CCleaner\CCleaner.exe[2088] USER32.dll!GetScrollInfo 7E37DFE2 5 Bytes JMP 00504DB9 C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd)
.text C:\Program Files\CCleaner\CCleaner.exe[2088] USER32.dll!ShowScrollBar 7E37F2F2 5 Bytes JMP 00504DEC C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd)
.text C:\Program Files\CCleaner\CCleaner.exe[2088] USER32.dll!GetScrollPos 7E37F704 5 Bytes JMP 00504D94 C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd)
.text C:\Program Files\CCleaner\CCleaner.exe[2088] USER32.dll!SetScrollPos 7E37F750 2 Bytes JMP 00504D37 C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd)
.text C:\Program Files\CCleaner\CCleaner.exe[2088] USER32.dll!SetScrollPos + 3 7E37F753 2 Bytes [18, 82]
.text C:\Program Files\CCleaner\CCleaner.exe[2088] USER32.dll!GetScrollRange 7E37F787 2 Bytes JMP 00504D5C C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd)
.text C:\Program Files\CCleaner\CCleaner.exe[2088] USER32.dll!GetScrollRange + 3 7E37F78A 2 Bytes [18, 82]
.text C:\Program Files\CCleaner\CCleaner.exe[2088] USER32.dll!SetScrollRange 7E37F99B 5 Bytes JMP 00504E26 C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd)
.text C:\Program Files\CCleaner\CCleaner.exe[2088] USER32.dll!EnableScrollBar 7E3B8005 5 Bytes JMP 00504E91 C:\Program Files\CCleaner\CCleaner.exe (CCleaner/Piriform Ltd)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2468] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003DA961 C:\Program Files\Mozilla Firefox\mozglue.dll (Mozilla Foundation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADC14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A79B7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A78E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A7954 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A77BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A781C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A7A1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[2500] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A787E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0139B170 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 0139AF39 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 0139B063 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 0139AF73 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 01700CDC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0139B314 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 01700D2C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 1000A961 C:\Program Files\Mozilla Firefox\mozglue.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 016E9E1C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 016E92F8 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] kernel32.dll!ValidateLocale + B1C8 7C8449C8 7 Bytes JMP 0145CD39 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 016E8ACC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2848] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 02244DC5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9B81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D1BD C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADC14 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 406146A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A79B7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A78E9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A7954 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A77BA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A781C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A7A1A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A787E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] ole32.dll!CoCreateInstance 774EF1D4 5 Bytes JMP 406ADC70 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3288] ole32.dll!OleLoadFromStream 7751988B 5 Bytes JMP 407A7D1F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[3288] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs 429de0c16.sys
Device \FileSystem\458655D0997A7394 \Device\458655D0997A7394 429de0c16.sys
AttachedDevice \FileSystem\Fastfat \Fat 429de0c16.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION

---- EOF - GMER 2.1 ----