GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-05-01 19:34:57 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 Running: tgyjn6kj.exe; Driver: C:\Users\deyna\AppData\Local\Temp\ugloapog.sys ---- System - GMER 1.0.15 ---- Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x9031DBAE] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x9031D9D2] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x9031DB0C] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- PAGE ntkrnlpa.exe!ZwLoadDriver 82B7DDEE 7 Bytes JMP 9031DB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82BE9633 5 Bytes JMP 903195D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject 82C42573 5 Bytes JMP 9031AFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!NtCreateSection 82C43E15 7 Bytes JMP 9031D9D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 82CA3E70 7 Bytes JMP 9031DBB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8E60C340, 0x3EDBA7, 0xE8000020] ? System32\Drivers\ElbyCDFL.sys System nie może odnaleźć określonej ścieżki. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1560] kernel32.dll!SetUnhandledExceptionFilter 7706A8C5 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\system32\services.exe[724] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00170002 IAT C:\Windows\system32\services.exe[724] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 00170000 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo) AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat tvtumon.sys (Windows Update Monitor Driver/Lenovo) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556eaf19d Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002556eaf19d@00265d4c0d36 0x18 0xF6 0xF9 0x72 ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556eaf19d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002556eaf19d@00265d4c0d36 0x18 0xF6 0xF9 0x72 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556eaf19d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002556eaf19d@00265d4c0d36 0x18 0xF6 0xF9 0x72 ... Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\002556eaf19d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\002556eaf19d@00265d4c0d36 0x18 0xF6 0xF9 0x72 ... Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\002556eaf19d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\002556eaf19d@00265d4c0d36 0x18 0xF6 0xF9 0x72 ... Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\002556eaf19d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\BTHPORT\Parameters\Keys\002556eaf19d@00265d4c0d36 0x18 0xF6 0xF9 0x72 ... Reg HKLM\SYSTEM\ControlSet007\Services\BTHPORT\Parameters\Keys\002556eaf19d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\BTHPORT\Parameters\Keys\002556eaf19d@00265d4c0d36 0x18 0xF6 0xF9 0x72 ... Reg HKLM\SYSTEM\ControlSet008\Services\BTHPORT\Parameters\Keys\002556eaf19d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\BTHPORT\Parameters\Keys\002556eaf19d@00265d4c0d36 0x18 0xF6 0xF9 0x72 ... Reg HKLM\SYSTEM\ControlSet009\Services\BTHPORT\Parameters\Keys\002556eaf19d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet009\Services\BTHPORT\Parameters\Keys\002556eaf19d@00265d4c0d36 0x18 0xF6 0xF9 0x72 ... Reg HKLM\SYSTEM\ControlSet010\Services\BTHPORT\Parameters\Keys\002556eaf19d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet010\Services\BTHPORT\Parameters\Keys\002556eaf19d@00265d4c0d36 0x18 0xF6 0xF9 0x72 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\redist\Miles\mssdsp.flt 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\redist\Miles\msseax.flt 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\redist\Miles\mssmp3.asi 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Balance_of_Chaos.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Blood_on_the_Snow.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Castle_of_the_Gods.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Emerge.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\General_Conflict.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Hightower.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Killing_Fields.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Range.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Refill_Conflict.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Reinforcement_Conflict.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Stielstand.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Struggle.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Two_Hills.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Village_in_Squeeze.scn 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\NAMCO BANDAI Games\Warhammer\xae Mark of Chaos\scenario\Multiplayer\Watch_over_Ford.scn 1 ---- EOF - GMER 1.0.15 ----