GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-09-06 11:00:16 Windows 6.1.7600 Running: yeo7x1v3.exe; Driver: C:\Users\userek\AppData\Local\Temp\kwwoapog.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAllocateVirtualMemory [0xA1B8D752] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAlpcConnectPort [0xA1B8D388] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAssignProcessToJobObject [0xA1B8D440] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwConnectPort [0xA1B8D482] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateFile [0xA1B8D530] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateProcess [0xA1B8DDD8] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateProcessEx [0xA1B8DE64] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateThread [0xA1B8DEF4] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateThreadEx [0xA1B8DF96] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateUserProcess [0xA1B8DD68] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwDebugActiveProcess [0xA1B8D580] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwDuplicateObject [0xA1B8D5C2] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwLoadDriver [0xA1B8D606] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenKey [0xA1B8D648] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenSection [0xA1B8D68A] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenThread [0xA1B8D6CC] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwProtectVirtualMemory [0xA1B8D79A] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwRequestWaitReplyPort [0xA1B8D70E] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwRestoreKey [0xA1B8D7DC] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwResumeThread [0xA1B8D824] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSecureConnectPort [0xA1B8D8B4] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSetValueKey [0xA1B8D866] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSuspendProcess [0xA1B8D958] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSystemDebugControl [0xA1B8D99A] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwTerminateProcess [0xA1B8D9DC] SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwWriteVirtualMemory [0xA1B8DA2A] INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83029AF8 INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83029104 INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830293F4 INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83011634 INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83011898 INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830291DC INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83029958 INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830296F8 INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83029F2C INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 8302A1A8 Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x83615B9C] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x836159C0] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x83615AFA] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83089599 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830ADF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 23C 830B574C 4 Bytes [52, D7, B8, A1] .text ntkrnlpa.exe!RtlSidHashLookup + 248 830B5758 4 Bytes [88, D3, B8, A1] .text ntkrnlpa.exe!RtlSidHashLookup + 29C 830B57AC 4 Bytes [40, D4, B8, A1] .text ntkrnlpa.exe!RtlSidHashLookup + 2DC 830B57EC 4 Bytes [82, D4, B8, A1] .text ntkrnlpa.exe!RtlSidHashLookup + 2F8 830B5808 4 Bytes [30, D5, B8, A1] .text ... PAGE ntkrnlpa.exe!ZwLoadDriver 831E7291 7 Bytes JMP 83615AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!ObMakeTemporaryObject 8324EFBF 5 Bytes JMP 836115B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!ObInsertObject + 27 83268CF3 5 Bytes JMP 83612FD2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!NtCreateSection 83276D63 7 Bytes JMP 836159C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 83320EAC 7 Bytes JMP 83615BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ? \Device\Harddisk0\Partition2\Windows\system32\drivers\PctWfpFilter.sys System nie może odnaleźć określonej ścieżki. ! .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9143D000, 0x2D5378, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA1B7D300, 0x1B7E, 0xE8000020] .text peauth.sys A2813C9D 28 Bytes [C4, 2F, D8, B9, 32, 66, 22, ...] .text peauth.sys A2813CC1 28 Bytes [C4, 2F, D8, B9, 32, 66, 22, ...] PAGE peauth.sys A2819E20 101 Bytes [C9, 26, 92, D2, A9, 60, 44, ...] PAGE peauth.sys A281A02C 102 Bytes [50, 57, 7A, AD, 5B, EB, 2A, ...] ? C:\Windows\system32\drivers\EagleNT.sys Nie można odnaleźć określonego pliku. ! ---- Devices - GMER 1.0.15 ---- Device \Driver\ACPI_HAL \Device\00000054 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp pctgntdi.sys AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3C 0x56 0x95 0x40 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3C 0x56 0x95 0x40 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\userek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Edytor gry Bitwa o Śródziemie(tm).lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Edytor gry Bitwa o Śródziemie(tm).lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\userek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Rejestracja elektroniczna.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Rejestracja elektroniczna.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\userek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Szukaj uaktualnień.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Szukaj uaktualnień.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\userek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Usuń Bitwa o Śródziemie\x2122.lnk 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Usuń Bitwa o Śródziemie\x2122.lnk 1 ---- EOF - GMER 1.0.15 ----