biomednet
Schwarz Meister

GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-23 20:05:22
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\0000009b VMware,_ rev.1.0_ 60,00GB
Running: tlmxzph8.exe; Driver: C:\Users\Acer\AppData\Local\Temp\kwldikoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\kernel32.dll!RegQueryValueExW 0000000076932182 6 bytes [68, 0C, 00, A1, 02, C3]
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\kernel32.dll!RegCloseKey 000000007693251e 6 bytes [68, 0C, 00, 95, 02, C3]
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\kernel32.dll!RegCloseKey + 625 000000007693278f 7 bytes JMP 00000001029b0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\kernel32.dll!RegEnumKeyExW 0000000076934272 6 bytes [68, 0C, 00, 97, 02, C3]
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\kernel32.dll!GetThreadLocale + 13 0000000076934532 7 bytes JMP 00000001029a0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\kernel32.dll!RegQueryValueExA 0000000076934699 6 bytes [68, 0C, 00, A0, 02, C3]
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\kernel32.dll!RegEnumValueW 0000000076935230 6 bytes [68, 0C, 00, 99, 02, C3]
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\kernel32.dll!RegQueryInfoKeyW 00000000769355b5 6 bytes [68, 0C, 00, 9F, 02, C3]
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\kernel32.dll!RegQueryInfoKeyA 000000007693f7af 6 bytes [68, 0C, 00, 9E, 02, C3]
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW + 119 000000007694eb9d 7 bytes JMP 00000001029c0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\kernel32.dll!RegEnumKeyExA + 1 000000007694ed59 5 bytes [0F, 00, 96, 02, C3]
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\kernel32.dll!RegEnumValueA 000000007694f47e 6 bytes [68, 0C, 00, 98, 02, C3]
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!SetTimer + 27 00000000772a7e8d 7 bytes JMP 00000001028c0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!DispatchMessageA + 19 00000000772a8116 7 bytes JMP 00000001028b0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!OpenWindowStationA + 347 00000000772b010d 7 bytes JMP 00000001028e0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!PtInRect + 42 00000000772b0e08 7 bytes JMP 0000000102890005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!GetMessagePos 00000000772b2bc7 6 bytes [68, 0C, 00, 88, 02, C3]
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!ChangeClipboardChain + 236 00000000772ced53 7 bytes JMP 00000001028d0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!RegisterSystemThread + 25 00000000772e9c88 7 bytes JMP 00000001028a0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!MessageBoxTimeoutA + 164 00000000772ffd5c 7 bytes JMP 0000000102310005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA + 199 00000000772ffe28 7 bytes JMP 0000000102940005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW + 52 00000000772ffe61 7 bytes JMP 0000000100460005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!MessageBoxExA + 31 00000000772ffe85 7 bytes JMP 0000000102300005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!MessageBoxExW + 31 00000000772ffea9 7 bytes JMP 0000000100440005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!MessageBoxA + 28 00000000772ffeca 7 bytes JMP 0000000100450005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\USER32.dll!GetCursorInfo 00000000773082bf 6 bytes [68, 0F, 00, 87, 02, C3]
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!RegEnumKeyA + 46 000000007702d2e8 7 bytes JMP 0000000102a40005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!EqualPrefixSid + 19 000000007702d3bc 7 bytes JMP 0000000102a80005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!RegDeleteValueW + 19 000000007702d534 7 bytes JMP 0000000102a20005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!RegDeleteValueA + 19 0000000077031961 7 bytes JMP 0000000102ac0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!RegDeleteKeyW + 494 0000000077031b6c 7 bytes JMP 0000000102aa0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!RegCreateKeyExA + 19 0000000077031b84 7 bytes JMP 0000000102920005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!RegSetValueExW + 57 0000000077031cbb 7 bytes JMP 0000000102a90005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!GetUserNameW + 594 0000000077033124 7 bytes JMP 0000000102a50005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!ConvertSidToStringSidW + 261 000000007703b941 7 bytes JMP 0000000102ab0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!AddAccessAllowedAceEx + 19 000000007703bb3d 7 bytes JMP 0000000102ad0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!RegQueryInfoKeyW + 30 000000007703bb60 7 bytes JMP 0000000102930005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!RegEnumKeyExW + 8 000000007703bb6d 7 bytes JMP 0000000102a30005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!SetSecurityDescriptorSacl + 19 000000007703bc08 7 bytes JMP 0000000102a60005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExA + 19 000000007703bc20 7 bytes JMP 0000000102ae0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!RegQueryValueExA + 171 000000007703bcd0 7 bytes JMP 0000000102af0005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!CreateWellKnownSid + 340 000000007703bebf 7 bytes JMP 0000000102a70005
.text C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe[2272] C:\Windows\syswow64\ADVAPI32.dll!RegOpenKeyExW + 11 000000007703becf 7 bytes JMP 0000000102910005

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\spoolsv.exe [312:2116] 000007fef6ec10c8
Thread C:\Windows\System32\spoolsv.exe [312:2124] 000007fef6e86144
Thread C:\Windows\System32\spoolsv.exe [312:2128] 000007fef6bd5fd0
Thread C:\Windows\System32\spoolsv.exe [312:2132] 000007fef6bc3438
Thread C:\Windows\System32\spoolsv.exe [312:2136] 000007fef6bd63ec
Thread C:\Windows\System32\spoolsv.exe [312:2144] 000007fef7695e5c
Thread C:\Windows\System32\spoolsv.exe [312:2148] 000007fef7734828
Thread C:\Windows\system32\dllhost.exe [1852:1928] 000007fef8078b20
Thread C:\Windows\system32\dllhost.exe [1852:2032] 000007fef8082af0
Thread C:\Windows\Explorer.EXE [2068:2316] 0000000003d53df8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2688:2800] 000007fefa212a74
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2688:2164] 000007fefade5124
Thread C:\Windows\system32\svchost.exe [2736:2764] 000007fef4948470
Thread C:\Windows\system32\svchost.exe [2736:2768] 000007fef4952418
Thread C:\Windows\system32\svchost.exe [2736:2904] 000007fef6bd5fd0
Thread C:\Windows\system32\svchost.exe [2736:2908] 000007fef6bd63ec

---- Processes - GMER 2.1 ----

Process C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe (*** suspicious ***) @ C:\Users\Acer\AppData\Roaming\Taukxumo\obokonz.exe [2272] (Utility for viewing CHM files/Yo-Dizign)(2015-12-17 18:01:49) 0000000000400000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@!\0045\4B\0045\0042\4>\0045\4 \0?\4>\0044\4:\4;\4N\4G\0045\4=\48\0045\4 \0I\0n\0t\0e\0l\0(\0R\0)\0 \0P\0R\0O\0/\0001\0000\0000\0000\0 \0M\0T 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\20\0044\0040\4?\4B\0045\4@\4 \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0I\0S\0A\0T\0A\0P 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@!\0045\4B\0045\0042\4>\0045\4 \0?\4>\0044\4:\4;\4N\4G\0045\4=\48\0045\4 \0I\0n\0t\0e\0l\0(\0R\0)\0 \0P\0R\0O\0/\0001\0000\0000\0000\0 \0M\0T 1?
Reg HKLM\SYSTEM\ControlSet002\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\20\0044\0040\4?\4B\0045\4@\4 \0M\0i\0c\0r\0o\0s\0o\0f\0t\0 \0I\0S\0A\0T\0A\0P 1?

---- EOF - GMER 2.1 ----

Total posts: 2295 | Registered: 12-08-2002 | Posted: 20:54 23-12-2015 | Edited: biomednet, 20:58 23-12-2015