GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-06-13 16:08:41 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD2500BEVT-75ZCT2 rev.11.01A11 Running: y8x3xx4w.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\uwtdqpog.sys ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 8225D3C9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82296D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User code sections - GMER 1.0.15 ---- .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtCreateFile + 6 76F655CE 4 Bytes [28, 00, 1D, 00] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtCreateFile + B 76F655D3 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtMapViewOfSection + 6 76F65C2E 1 Byte [28] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtMapViewOfSection + 6 76F65C2E 4 Bytes [28, 03, 1D, 00] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtMapViewOfSection + B 76F65C33 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenFile + 6 76F65CDE 4 Bytes [68, 00, 1D, 00] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenFile + B 76F65CE3 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenProcess + 6 76F65D8E 4 Bytes [A8, 01, 1D, 00] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenProcess + B 76F65D93 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenProcessToken + 6 76F65D9E 4 Bytes CALL 75F67AA4 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenProcessToken + B 76F65DA3 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenProcessTokenEx + 6 76F65DAE 4 Bytes [A8, 02, 1D, 00] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenProcessTokenEx + B 76F65DB3 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenThread + 6 76F65E0E 4 Bytes [68, 01, 1D, 00] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenThread + B 76F65E13 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenThreadToken + 6 76F65E1E 4 Bytes [68, 02, 1D, 00] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenThreadToken + B 76F65E23 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenThreadTokenEx + 6 76F65E2E 4 Bytes CALL 75F67B35 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtOpenThreadTokenEx + B 76F65E33 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtQueryAttributesFile + 6 76F65F3E 4 Bytes [A8, 00, 1D, 00] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtQueryAttributesFile + B 76F65F43 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtQueryFullAttributesFile + 6 76F65FEE 4 Bytes CALL 75F67CF3 C:\Windows\system32\SHELL32.dll (Wspólna biblioteka DLL Powłoki systemu Windows/Microsoft Corporation) .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtQueryFullAttributesFile + B 76F65FF3 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtSetInformationFile + 6 76F6663E 4 Bytes [28, 01, 1D, 00] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtSetInformationFile + B 76F66643 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtSetInformationThread + 6 76F6669E 4 Bytes [28, 02, 1D, 00] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtSetInformationThread + B 76F666A3 1 Byte [E2] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtUnmapViewOfSection + 6 76F669BE 1 Byte [68] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtUnmapViewOfSection + 6 76F669BE 4 Bytes [68, 03, 1D, 00] .text C:\Users\Marcin\AppData\Local\Google\Chrome\Application\chrome.exe[1988] ntdll.dll!NtUnmapViewOfSection + B 76F669C3 1 Byte [E2] ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) Device \Driver\ACPI_HAL \Device\00000051 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \FileSystem\fastfat \Fat A0E15130 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b222a1 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b222a1@7c6193500a2f 0x8A 0xC8 0x0D 0x1D ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b222a1@ccf9e8e44bea 0x04 0xE3 0xB4 0xCF ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\000272b222a1@b0ec710a42ad 0x3D 0x90 0x12 0x1F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272b222a1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272b222a1@7c6193500a2f 0x8A 0xC8 0x0D 0x1D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272b222a1@ccf9e8e44bea 0x04 0xE3 0xB4 0xCF ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\000272b222a1@b0ec710a42ad 0x3D 0x90 0x12 0x1F ... ---- EOF - GMER 1.0.15 ----