GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-03 21:51:06
Windows 6.0.6002 Service Pack 2
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1237GSX rev.DL130M
Running: gmer.exe; Driver: C:\Users\Tomek\AppData\Local\Temp\ugrdrkod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0x83873C0C]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0x83873ED4]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0x8387380A]
SSDT \SystemRoot\system32\drivers\PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateUserProcess [0x838741D0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 209 82CB798C 8 Bytes [0C, 3C, 87, 83, D4, 3E, 87, ...] {OR AL, 0x3c; XCHG [EBX-0x7c78c12c], EAX}
.text ntkrnlpa.exe!KeSetEvent + 621 82CB7DA4 4 Bytes [0A, 38, 87, 83]
.text ntkrnlpa.exe!KeSetEvent + 6E5 82CB7E68 4 Bytes [D0, 41, 87, 83]
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x88B5A000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x88BA3000, 0x510, 0x40000040]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8EC0F000, 0x267978, 0xE8000020]
.text smb.sys 8F4F6302 42 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text smb.sys 8F4F6341 684 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text smb.sys 8F4F65F7 1856 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text smb.sys 8F4F6D39 288 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text smb.sys 8F4F6E63 849 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ...
.INIT C:\Windows\system32\DRIVERS\smb.sys entry point in ".INIT" section [0x8F504522]
? C:\Windows\system32\DRIVERS\smb.sys suspicious PE modification

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\smb.sys[HAL.dll!KeGetCurrentIrql] 7D8B0C75

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:384] 876CE540
Thread System [4:388] 876CE540

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00037ad6d98c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00037ad6d98c@d875334998d6 0x30 0x05 0x17 0x9B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00037ad6d98c
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00037ad6d98c@d875334998d6 0x30 0x05 0x17 0x9B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00037ad6d98c@d87533d64998 0xD7 0x48 0x6D 0x5A ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00037ad6d98c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00037ad6d98c@d875334998d6 0x30 0x05 0x17 0x9B ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00037ad6d98c@d87533d64998 0xD7 0x48 0x6D 0x5A ...

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB62309$\3025705565 0 bytes
File C:\Windows\$NtUninstallKB62309$\727459782 0 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\@ 2048 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\L 0 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\L\qnbwvoto 66560 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\loader.tlb 2632 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\U 0 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\U\@00000001 45968 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\U\@000000c0 2560 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\U\@000000cb 3072 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\U\@000000cf 1536 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\U\@80000000 73216 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\U\@800000c0 43520 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\U\@800000cb 25600 bytes
File C:\Windows\$NtUninstallKB62309$\727459782\U\@800000cf 31232 bytes

---- EOF - GMER 1.0.15 ----