GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-03 21:28:05
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS541080G9SA00 rev.MB4IC60R
Running: l65692hd.exe; Driver: C:\DOCUME~1\Tomek\USTAWI~1\Temp\kgndypod.sys

---- System - GMER 1.0.15 ----

SSDT F8B9A22C ZwClose
SSDT F8B9A1E6 ZwCreateKey
SSDT F8B9A236 ZwCreateSection
SSDT F8B9A1DC ZwCreateThread
SSDT F8B9A1EB ZwDeleteKey
SSDT F8B9A1F5 ZwDeleteValueKey
SSDT F8B9A227 ZwDuplicateObject
SSDT F8B9A1FA ZwLoadKey
SSDT F8B9A1C8 ZwOpenProcess
SSDT F8B9A1CD ZwOpenThread
SSDT F8B9A24F ZwQueryValueKey
SSDT F8B9A204 ZwReplaceKey
SSDT F8B9A240 ZwRequestWaitReplyPort
SSDT F8B9A1FF ZwRestoreKey
SSDT F8B9A23B ZwSetContextThread
SSDT F8B9A245 ZwSetSecurityObject
SSDT F8B9A1F0 ZwSetValueKey
SSDT F8B9A24A ZwSystemDebugControl
SSDT F8B9A1D7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

? RGRCZ@J@ Nazwa pliku, nazwa katalogu lub składnia etykiety woluminu jest niepoprawna. !
? system32\drivers\xpsec.sys System nie może odnaleźć określonej ścieżki. !
? system32\drivers\xcpip.sys System nie może odnaleźć określonej ścieżki. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[132] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 02899D85
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[132] WS2_32.dll!send 71A54C27 5 Bytes JMP 028998B1
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[132] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 02899C37
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[132] WS2_32.dll!recv 71A5676F 5 Bytes JMP 02899A03
.text C:\Program Files\Diskeeper Corporation\Diskeeper\DkService.exe[132] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 02899AD6
.text C:\Program Files\Java\jre6\bin\jqs.exe[380] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01F49D85
.text C:\Program Files\Java\jre6\bin\jqs.exe[380] WS2_32.dll!send 71A54C27 5 Bytes JMP 01F498B1
.text C:\Program Files\Java\jre6\bin\jqs.exe[380] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01F49C37
.text C:\Program Files\Java\jre6\bin\jqs.exe[380] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01F49A03
.text C:\Program Files\Java\jre6\bin\jqs.exe[380] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01F49AD6
.text C:\Program Files\Q-Pilot Client\Service\QPilot-Client-Service.exe[524] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 13629D85
.text C:\Program Files\Q-Pilot Client\Service\QPilot-Client-Service.exe[524] WS2_32.dll!send 71A54C27 5 Bytes JMP 136298B1
.text C:\Program Files\Q-Pilot Client\Service\QPilot-Client-Service.exe[524] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 13629C37
.text C:\Program Files\Q-Pilot Client\Service\QPilot-Client-Service.exe[524] WS2_32.dll!recv 71A5676F 5 Bytes JMP 13629A03
.text C:\Program Files\Q-Pilot Client\Service\QPilot-Client-Service.exe[524] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 13629AD6
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[676] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00DB9D85
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[676] WS2_32.dll!send 71A54C27 5 Bytes JMP 00DB98B1
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[676] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 00DB9C37
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[676] WS2_32.dll!recv 71A5676F 5 Bytes JMP 00DB9A03
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[676] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00DB9AD6
.text C:\WINDOWS\Explorer.EXE[740] USER32.dll!DisplayExitWindowsWarnings 7E3A9F91 5 Bytes JMP 00F22A93
.text C:\WINDOWS\Explorer.EXE[740] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01809D85
.text C:\WINDOWS\Explorer.EXE[740] WS2_32.dll!send 71A54C27 5 Bytes JMP 018098B1
.text C:\WINDOWS\Explorer.EXE[740] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01809C37
.text C:\WINDOWS\Explorer.EXE[740] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01809A03
.text C:\WINDOWS\Explorer.EXE[740] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01809AD6
.text C:\WINDOWS\system32\winlogon.exe[792] Secur32.dll!LsaLogonUser 77FE33F1 5 Bytes JMP 01472C81
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1160] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 06C39D85
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1160] WS2_32.dll!send 71A54C27 5 Bytes JMP 06C398B1
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1160] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 06C39C37
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1160] WS2_32.dll!recv 71A5676F 5 Bytes JMP 06C39A03
.text C:\Program Files\Intel\Wireless\Bin\EvtEng.exe[1160] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 06C39AD6
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1288] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 06E69D85
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1288] WS2_32.dll!send 71A54C27 5 Bytes JMP 06E698B1
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1288] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 06E69C37
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1288] WS2_32.dll!recv 71A5676F 5 Bytes JMP 06E69A03
.text C:\Program Files\Intel\Wireless\Bin\S24EvMon.exe[1288] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 06E69AD6
.text C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1496] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 025B9D85
.text C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1496] WS2_32.dll!send 71A54C27 5 Bytes JMP 025B98B1
.text C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1496] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 025B9C37
.text C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1496] WS2_32.dll!recv 71A5676F 5 Bytes JMP 025B9A03
.text C:\Program Files\Cisco\Cisco AnyConnect VPN Client\vpnagent.exe[1496] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 025B9AD6
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1712] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01229D85
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1712] WS2_32.dll!send 71A54C27 5 Bytes JMP 012298B1
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1712] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01229C37
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1712] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01229A03
.text C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[1712] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01229AD6
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[2020] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 02389D85
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[2020] WS2_32.dll!send 71A54C27 5 Bytes JMP 023898B1
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[2020] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 02389C37
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[2020] WS2_32.dll!recv 71A5676F 5 Bytes JMP 02389A03
.text C:\Program Files\Avira\AntiVir Desktop\avguard.exe[2020] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 02389AD6
.text C:\Program Files\Q-Pilot Client\GUI\QPilot-Client-GUI.exe[2428] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 140C9D85
.text C:\Program Files\Q-Pilot Client\GUI\QPilot-Client-GUI.exe[2428] WS2_32.dll!send 71A54C27 5 Bytes JMP 140C98B1
.text C:\Program Files\Q-Pilot Client\GUI\QPilot-Client-GUI.exe[2428] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 140C9C37
.text C:\Program Files\Q-Pilot Client\GUI\QPilot-Client-GUI.exe[2428] WS2_32.dll!recv 71A5676F 5 Bytes JMP 140C9A03
.text C:\Program Files\Q-Pilot Client\GUI\QPilot-Client-GUI.exe[2428] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 140C9AD6
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2456] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00EF9D85
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2456] WS2_32.dll!send 71A54C27 5 Bytes JMP 00EF98B1
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2456] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 00EF9C37
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2456] WS2_32.dll!recv 71A5676F 5 Bytes JMP 00EF9A03
.text C:\Program Files\Windows Media Player\WMPNetwk.exe[2456] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00EF9AD6
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3168] WS2_32.dll!closesocket 71A53E2B 3 Bytes JMP 01309D85
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3168] WS2_32.dll!closesocket + 4 71A53E2F 1 Byte [8F]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3168] WS2_32.dll!send 71A54C27 3 Bytes JMP 013098B1
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3168] WS2_32.dll!send + 4 71A54C2B 1 Byte [8F]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3168] WS2_32.dll!WSARecv 71A54CB5 3 Bytes JMP 01309C37
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3168] WS2_32.dll!WSARecv + 4 71A54CB9 1 Byte [8F]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3168] WS2_32.dll!recv 71A5676F 3 Bytes JMP 01309A03
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3168] WS2_32.dll!recv + 4 71A56773 1 Byte [8F]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3168] WS2_32.dll!WSASend 71A568FA 3 Bytes JMP 01309AD6
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3168] WS2_32.dll!WSASend + 4 71A568FE 1 Byte [8F]
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3596] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00D69D85
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3596] WS2_32.dll!send 71A54C27 5 Bytes JMP 00D698B1
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3596] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 00D69C37
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3596] WS2_32.dll!recv 71A5676F 5 Bytes JMP 00D69A03
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3596] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00D69AD6
.text C:\WINDOWS\System32\alg.exe[3648] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00BF9D85
.text C:\WINDOWS\System32\alg.exe[3648] WS2_32.dll!send 71A54C27 5 Bytes JMP 00BF98B1
.text C:\WINDOWS\System32\alg.exe[3648] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 00BF9C37
.text C:\WINDOWS\System32\alg.exe[3648] WS2_32.dll!recv 71A5676F 5 Bytes JMP 00BF9A03
.text C:\WINDOWS\System32\alg.exe[3648] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00BF9AD6
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3880] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00F29D85
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3880] WS2_32.dll!send 71A54C27 5 Bytes JMP 00F298B1
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3880] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 00F29C37
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3880] WS2_32.dll!recv 71A5676F 5 Bytes JMP 00F29A03
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3880] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00F29AD6
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3944] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01049D85
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3944] WS2_32.dll!send 71A54C27 5 Bytes JMP 010498B1
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3944] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01049C37
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3944] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01049A03
.text C:\Program Files\Windows Media Player\WMPNSCFG.exe[3944] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01049AD6

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device owAZEVAoRGRCZ \Device\Ide\IdeDeviceP0T0L0-3 RGRCZ@J@
Device owAZEVAoRGRCZ \Device\Ide\IdePort0 RGRCZ@J@
Device owAZEVAoRGRCZ \Device\Ide\IdePort1 RGRCZ@J@
Device owAZEVAoRGRCZ \Device\Ide\IdeDeviceP1T0L0-e RGRCZ@J@
Device \FileSystem\Fastfat \Fat A806FD20
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----