GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-18 14:23:37
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-12 SAMSUNG_HD502IJ rev.1AA01112
Running: tfdtt66q.exe; Driver: C:\DOCUME~1\SAFECZ~1\USTAWI~1\Temp\pgtdypow.sys

---- System - GMER 1.0.15 ----

Code  B8778C9C  ZwRequestPort
Code  B8778D3C  ZwRequestWaitReplyPort
Code  B8778BFC  ZwTraceEvent
Code  B8778C9B  NtRequestPort
Code  B8778D3B  NtRequestWaitReplyPort
Code  B8778BFB  NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!NtTraceEvent  8053516E 5 Bytes  JMP B8778C00
PAGE  ntkrnlpa.exe!NtRequestPort  805A2A52 5 Bytes  JMP B8778CA0
PAGE  ntkrnlpa.exe!NtRequestWaitReplyPort  805A2D7E 5 Bytes  JMP B8778D40
.text  C:\WINDOWS\system32\DRIVERS\ati2mtag.sys  section is writeable [0xB70EA000, 0x235F87, 0xE8000020]
.text  win32k.sys!EngAcquireSemaphore + 20F0  BF8082F4 5 Bytes  JMP B8778480
.text  win32k.sys!EngFreeUserMem + 5BD7  BF80EE80 5 Bytes  JMP B87783E0
.text  win32k.sys!EngSetLastError + 79AA  BF8240ED 5 Bytes  JMP B87785C0
.text  win32k.sys!FONTOBJ_pxoGetXform + 84ED  BF851765 5 Bytes  JMP B8778A20
.text  win32k.sys!XLATEOBJ_iXlate + 2EDD  BF85DC50 5 Bytes  JMP B8778520
.text  win32k.sys!EngCreatePalette + 8A  BF85F5F2 5 Bytes  JMP B87788E0
.text  win32k.sys!EngCopyBits + 1409  BF899DCD 5 Bytes  JMP B8778700
.text  win32k.sys!EngCopyBits + 4DF9  BF89D7BD 5 Bytes  JMP B8778660
.text  win32k.sys!EngEraseSurface + A9E8  BF8C1D00 5 Bytes  JMP B87787A0
.text  win32k.sys!EngDeleteSemaphore + 3B35  BF8EBDCE 5 Bytes  JMP B8778980
.text  win32k.sys!EngCreateClip + 1A2F  BF9142F4 5 Bytes  JMP B8778AC0
.text  win32k.sys!EngCreateClip + 1FBF  BF914884 5 Bytes  JMP B8778B60
.text  win32k.sys!EngCreateClip + 2605  BF914ECA 5 Bytes  JMP B8778840
.text  C:\WINDOWS\system32\DRIVERS\atksgt.sys  section is writeable [0xA25A6300, 0x3AF78, 0xE8000020]
.text  C:\WINDOWS\system32\DRIVERS\lirsgt.sys  section is writeable [0xB8440300, 0x1BCE, 0xE8000020]

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xB3 0x1A 0x78 0x70 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x9E 0xE9 0x50 0xA1 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0xA0 0xE3 0x64 0x40 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh  0x15 0xFA 0xB7 0x14 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh  0x0C 0x12 0x80 0xF6 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  1
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xB3 0x1A 0x78 0x70 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x9E 0xE9 0x50 0xA1 ...

---- EOF - GMER 1.0.15 ----