GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-26 18:38:27
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\00000070 WDC_WD800JD-22LSA0 rev.06.01D06
Running: Gmer.exe; Driver: C:\DOCUME~1\Krzysiek\USTAWI~1\Temp\uxtdrpod.sys

---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF867F0B0]
SSDT \??\C:\PROGRA~1\eScan\ProcObsrves.sys (ProcObsrves/MicroWorld Technologies Inc.) ZwCreateSection [0xB83DCE0E]
SSDT \??\C:\PROGRA~1\eScan\ProcObsrves.sys (ProcObsrves/MicroWorld Technologies Inc.) ZwDuplicateObject [0xB83DDCF8]
SSDT sptd.sys ZwEnumerateKey [0xF868484C]
SSDT sptd.sys ZwEnumerateValueKey [0xF8684BEC]
SSDT sptd.sys ZwOpenKey [0xF867F090]
SSDT \??\C:\PROGRA~1\eScan\ProcObsrves.sys (ProcObsrves/MicroWorld Technologies Inc.) ZwOpenProcess [0xB83DD7A2]
SSDT \??\C:\PROGRA~1\eScan\ProcObsrves.sys (ProcObsrves/MicroWorld Technologies Inc.) ZwOpenThread [0xB83DDAF4]
SSDT sptd.sys ZwQueryKey [0xF8684CC4]
SSDT sptd.sys ZwQueryValueKey [0xF8684B44]
SSDT sptd.sys ZwSetValueKey [0xF8684D56]
SSDT \??\C:\PROGRA~1\eScan\ProcObsrves.sys (ProcObsrves/MicroWorld Technologies Inc.) ZwTerminateProcess [0xB83DCF4E]

---- Kernel code sections - GMER 1.0.15 ----

? ovxgn.sys Nie można odnaleźć określonego pliku. !
? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.sfreloc C:\WINDOWS\system32\drivers\sfsync03.sys unknown last section [0xF87B3000, 0xA20, 0x40000040]
.text USBPORT.SYS!DllUnload F60588AC 5 Bytes JMP 833D71B8
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5402360, 0x3CEED5, 0xE8000020]
.reloc C:\WINDOWS\system32\drivers\acedrv11.sys section is executable [0xB85C0300, 0x25D4C, 0xE0000060]
.text C:\WINDOWS\system32\DRIVERS\athsgt.sys section is writeable [0xB857B300, 0x21F20, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB8538300, 0x3AE88, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF0837300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 01229315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 012FDBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 012FDD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 01304832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 01261CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 0141E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 0141DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 0141DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 0141DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 0141DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 0141E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 0141DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 0130488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 01229315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 01304832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 0141E021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 0141DF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 0141DFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 0141DE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 0141DE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 0141E084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2132] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 0141DEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F8693580] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F869352C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F86ADAB8] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8692B9A] sptd.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[2028] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [00A218FD] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 833671D8
Device \FileSystem\Fastfat \FatCdrom 831F6820
Device \Driver\NetBT \Device\NetBT_Tcpip_{5B63619E-99BF-4C2D-ABEB-18D1C122C222} 831AF980
Device \Driver\usbohci \Device\USBPDO-0 830D11D8
Device \Driver\usbehci \Device\USBPDO-1 830CD1D8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 833691D8
Device \Driver\dmio \Device\DmControl\DmConfig 833691D8
Device \Driver\dmio \Device\DmControl\DmPnP 833691D8
Device \Driver\dmio \Device\DmControl\DmInfo 833691D8
Device \Driver\nvata \Device\00000070 833681D8
Device \Driver\nvata \Device\00000070 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Ftdisk \Device\HarddiskVolume1 833D81D8
Device \Driver\Cdrom \Device\CdRom0 830871D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 833D81D8
Device \Driver\Ftdisk \Device\HarddiskVolume3 833D81D8
Device \Driver\USBSTOR \Device\00000076 830EF1D8
Device \Driver\USBSTOR \Device\00000076 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\00000077 830EF1D8
Device \Driver\USBSTOR \Device\00000077 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\NetBT \Device\NetBt_Wins_Export 831AF980
Device \Driver\NetBT \Device\NetbiosSmb 831AF980
Device \Driver\usbohci \Device\USBFDO-0 830D11D8
Device \Driver\nvata \Device\NvAta0 833681D8
Device \Driver\nvata \Device\NvAta0 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbehci \Device\USBFDO-1 830CD1D8
Device \Driver\nvata \Device\NvAta1 833681D8
Device \Driver\nvata \Device\NvAta1 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 831EA980
Device \Driver\nvata \Device\0000006e 833681D8
Device \Driver\nvata \Device\0000006e sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\nvata \Device\NvAta2 833681D8
Device \Driver\nvata \Device\NvAta2 sfsync03.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 831EA980
Device \Driver\Ftdisk \Device\FtControl 833D81D8
Device \FileSystem\Fastfat \Fat 831F6820
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 830EB670

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0xCA 0x08 0xE2 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\GRY\Deamon Tools\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x9A 0x28 0x72 0x9E ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9C 0xD7 0xB2 0x03 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -478734464
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1526244685
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x4C 0xB1 0x3D 0x45 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0xCA 0x08 0xE2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\GRY\Deamon Tools\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x9A 0x28 0x72 0x9E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9C 0xD7 0xB2 0x03 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x37 0xCA 0x08 0xE2 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\GRY\Deamon Tools\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x9A 0x28 0x72 0x9E ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x9C 0xD7 0xB2 0x03 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Krzysiek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\DM5ZRCPV\eefda2ad2037a237ae0abfec1fe24fac,11,29,100-28-160-225-0[1].jpg 4036 bytes
File C:\Documents and Settings\Krzysiek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\DM5ZRCPV\f97e278aee509bd44c500c6a338fb3c2,86,1[1].jpg 1747 bytes
File C:\Documents and Settings\Krzysiek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\DM5ZRCPV\352d26eb006fac0ddf4c53a65f0d92c0,33,29,0-0-665-374-0[1].jpg 9803 bytes
File C:\Documents and Settings\Krzysiek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\DM5ZRCPV\20120706_175027__kasia__750x100__mbank__1[1].swf 40030 bytes
File C:\Documents and Settings\Krzysiek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\DM5ZRCPV\ang-cur-hom-hsp-lot-mai-mrs-nli-olt-par-ptv-rec-rnd-srs-stx-sym-tdy-zum,8bd22624906e46833a5051a5650e32d8,wdg.widgets[2].js 107019 bytes
File C:\Documents and Settings\Krzysiek\Ustawienia lokalne\Temporary Internet Files\Content.IE5\DM5ZRCPV\imp[10] 1969 bytes

---- EOF - GMER 1.0.15 ----