GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-10 22:55:23
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHT2040AT_PL rev.0022
Running: 16godzso.exe; Driver: C:\DOCUME~1\Owner\LOCALS~1\Temp\kwkdrkog.sys


---- User code sections - GMER 1.0.15 ----

.text    C:\Windows\System32\svchost.exe[1040] ntdll.dll!NtQueryInformationProcess                                                           7C90D7E0 5 Bytes  JMP 01F19DC2 
.text    C:\Windows\System32\svchost.exe[1040] NETAPI32.dll!NetpwPathCanonicalize                                                            5B86A3A9 5 Bytes  JMP 01F19D62 
.text    C:\Windows\System32\svchost.exe[1124] ntdll.dll!NtQueryInformationProcess                                                           7C90D7E0 5 Bytes  JMP 00869DC2 

---- Devices - GMER 1.0.15 ----

Device   \FileSystem\Cdfs \Cdfs                                                                                                              A4192400

---- Services - GMER 1.0.15 ----

Service  C:\Windows\system32\svchost.exe (*** hidden *** )                                                                                   [AUTO] akuhy      <-- ROOTKIT !!!
Service  C:\windows\system32\02.tmp (*** hidden *** )                                                                                        [MANUAL] qvclrx   <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg      HKLM\SYSTEM\CurrentControlSet\Services\akuhy@DisplayName                                                                            ryujgom
Reg      HKLM\SYSTEM\CurrentControlSet\Services\akuhy@Type                                                                                   32
Reg      HKLM\SYSTEM\CurrentControlSet\Services\akuhy@Start                                                                                  2
Reg      HKLM\SYSTEM\CurrentControlSet\Services\akuhy@ErrorControl                                                                           0
Reg      HKLM\SYSTEM\CurrentControlSet\Services\akuhy@ImagePath                                                                              %SystemRoot%\system32\svchost.exe -k netsvcs
Reg      HKLM\SYSTEM\CurrentControlSet\Services\akuhy@ObjectName                                                                             LocalSystem
Reg      HKLM\SYSTEM\CurrentControlSet\Services\akuhy@Description                                                                            Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.  
Reg      HKLM\SYSTEM\CurrentControlSet\Services\akuhy\Parameters                                                                             
Reg      HKLM\SYSTEM\CurrentControlSet\Services\akuhy\Parameters@ServiceDll                                                                  C:\WINDOWS\system32\hyhhthoj.dll
Reg      HKLM\SYSTEM\ControlSet003\Services\akuhy@DisplayName                                                                                ryujgom
Reg      HKLM\SYSTEM\ControlSet003\Services\akuhy@Type                                                                                       32
Reg      HKLM\SYSTEM\ControlSet003\Services\akuhy@Start                                                                                      2
Reg      HKLM\SYSTEM\ControlSet003\Services\akuhy@ErrorControl                                                                               0
Reg      HKLM\SYSTEM\ControlSet003\Services\akuhy@ImagePath                                                                                  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg      HKLM\SYSTEM\ControlSet003\Services\akuhy@ObjectName                                                                                 LocalSystem
Reg      HKLM\SYSTEM\ControlSet003\Services\akuhy@Description                                                                                Maintains date and time synchronization on all clients and servers in the network. If this service is stopped, date and time synchronization will be unavailable. If this service is disabled, any services that explicitly depend on it will fail to start.  
Reg      HKLM\SYSTEM\ControlSet003\Services\akuhy\Parameters (not active ControlSet)                                                         
Reg      HKLM\SYSTEM\ControlSet003\Services\akuhy\Parameters@ServiceDll                                                                      C:\WINDOWS\system32\hyhhthoj.dll
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6AE71E9A-253C-82C4-C6EF-7DF0FFE2A9B7}                     
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6AE71E9A-253C-82C4-C6EF-7DF0FFE2A9B7}@iahahnafmehcmjgapm  0x6A 0x61 0x6C 0x6A ...
Reg      HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6AE71E9A-253C-82C4-C6EF-7DF0FFE2A9B7}@hanpaalibmpdpkbh    0x6A 0x61 0x6C 0x6A ...

---- EOF - GMER 1.0.15 ----
