GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-10-24 19:51:07 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-b SAMSUNG_HD403LJ rev.CT100-11 Running: ufoso9fi.exe; Driver: C:\DOCUME~1\walczak\USTAWI~1\Temp\uxtdqpod.sys ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9617000, 0x2BCD8C, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA986D300, 0x3B6D8, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA428300, 0x1BEE, 0xE8000020] ? C:\DOCUME~1\JUNIR\USTAWI~1\Temp\uxtdqpog.sys Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, 20, D0, 00] {SUB [EAX], AH; ROL BYTE [EAX], 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtMapViewOfSection + 6 7C90D506 4 Bytes [28, 23, D0, 00] {SUB [EBX], AH; ROL BYTE [EAX], 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtMapViewOfSection + B 7C90D50B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, 20, D0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, 21, D0, 00] {TEST AL, 0x21; ROL BYTE [EAX], 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B91A61C .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, 22, D0, 00] {TEST AL, 0x22; ROL BYTE [EAX], 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, 21, D0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, 22, D0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B91A68D .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, 20, D0, 00] {TEST AL, 0x20; ROL BYTE [EAX], 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B91A7BB .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, 21, D0, 00] {SUB [ECX], AH; ROL BYTE [EAX], 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, 22, D0, 00] {SUB [EDX], AH; ROL BYTE [EAX], 0x1} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtUnmapViewOfSection + 6 7C90DEF6 4 Bytes [68, 23, D0, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2808] ntdll.dll!NtUnmapViewOfSection + B 7C90DEFB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [28, 78, 30, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtMapViewOfSection + 6 7C90D506 4 Bytes [28, 7B, 30, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtMapViewOfSection + B 7C90D50B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [68, 78, 30, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [A8, 79, 30, 00] {TEST AL, 0x79; XOR [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes CALL 7B910674 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [A8, 7A, 30, 00] {TEST AL, 0x7a; XOR [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [68, 79, 30, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [68, 7A, 30, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes CALL 7B9106E5 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [A8, 78, 30, 00] {TEST AL, 0x78; XOR [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes CALL 7B910813 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [28, 79, 30, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [28, 7A, 30, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtUnmapViewOfSection + 6 7C90DEF6 4 Bytes [68, 7B, 30, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3416] ntdll.dll!NtUnmapViewOfSection + B 7C90DEFB 1 Byte [E2] ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x58 0x34 0x41 0x4C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x34 0x99 0xF8 0x99 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x58 0x34 0x41 0x4C ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x34 0x99 0xF8 0x99 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0403BA7B-F559-A65C-D11C-F94F0CEE07DB} ---- EOF - GMER 1.0.15 ----