GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-15 20:19:35
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AC1 465,76GB
Running: 9n8hzh7s.exe; Driver: C:\Users\Anna\AppData\Local\Temp\aftcqaog.sys


---- Kernel code sections - GMER 2.0 ----

.text  ntoskrnl.exe!ZwRollbackTransaction + 13E9  83440899 1 Byte  [06]
.text  ntoskrnl.exe!KiDispatchInterrupt + 5A2  83460312 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.sptd1  C:\windows\System32\Drivers\sptd.sys  entry point in ".sptd1" section [0x8BF0E346]
.text  USBPORT.SYS!DllUnload  956C0D18 5 Bytes  JMP 876D4368
?  C:\Users\Anna\AppData\Local\Temp\aftcqaog.sys  The system cannot find the file specified. !

---- User code sections - GMER 2.0 ----

.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtCreateFile + 6  77A046B6 4 Bytes  [28, C8, 2A, 00] {SUB AL, CL; SUB AL, [EAX]}
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtCreateFile + B  77A046BB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtMapViewOfSection + 6  77A04D16 4 Bytes  [28, CB, 2A, 00] {SUB BL, CL; SUB AL, [EAX]}
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtMapViewOfSection + B  77A04D1B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenFile + 6  77A04DC6 4 Bytes  [68, C8, 2A, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenFile + B  77A04DCB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenProcess + 6  77A04E76 4 Bytes  [A8, C9, 2A, 00] {TEST AL, 0xc9; SUB AL, [EAX]}
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenProcess + B  77A04E7B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenProcessToken + 6  77A04E86 4 Bytes  CALL 76A07954 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenProcessToken + B  77A04E8B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenProcessTokenEx + 6  77A04E96 4 Bytes  [A8, CA, 2A, 00] {TEST AL, 0xca; SUB AL, [EAX]}
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenProcessTokenEx + B  77A04E9B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenThread + 6  77A04EF6 4 Bytes  [68, C9, 2A, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenThread + B  77A04EFB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenThreadToken + 6  77A04F06 4 Bytes  [68, CA, 2A, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenThreadToken + B  77A04F0B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenThreadTokenEx + 6  77A04F16 4 Bytes  CALL 76A079E5 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenThreadTokenEx + B  77A04F1B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtQueryAttributesFile + 6  77A05026 4 Bytes  [A8, C8, 2A, 00] {TEST AL, 0xc8; SUB AL, [EAX]}
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtQueryAttributesFile + B  77A0502B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtQueryFullAttributesFile + 6  77A050D6 4 Bytes  CALL 76A07BA3 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtQueryFullAttributesFile + B  77A050DB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtSetInformationFile + 6  77A05726 4 Bytes  [28, C9, 2A, 00] {SUB CL, CL; SUB AL, [EAX]}
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtSetInformationFile + B  77A0572B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtSetInformationThread + 6  77A05786 4 Bytes  [28, CA, 2A, 00] {SUB DL, CL; SUB AL, [EAX]}
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtSetInformationThread + B  77A0578B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtUnmapViewOfSection + 6  77A05AA6 4 Bytes  [68, CB, 2A, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtUnmapViewOfSection + B  77A05AAB 1 Byte  [E2]
.text  C:\Program Files\Pando Networks\Media Booster\PMB.exe[3440]  kernel32.dll!SetUnhandledExceptionFilter  77623122 5 Bytes  [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtCreateFile + 6  77A046B6 4 Bytes  [28, BC, 90, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtCreateFile + B  77A046BB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtMapViewOfSection + 6  77A04D16 4 Bytes  [28, BF, 90, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtMapViewOfSection + B  77A04D1B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenFile + 6  77A04DC6 4 Bytes  [68, BC, 90, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenFile + B  77A04DCB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenProcess + 6  77A04E76 4 Bytes  [A8, BD, 90, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenProcess + B  77A04E7B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenProcessToken + 6  77A04E86 4 Bytes  CALL 76A0DF48 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenProcessToken + B  77A04E8B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenProcessTokenEx + 6  77A04E96 4 Bytes  [A8, BE, 90, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenProcessTokenEx + B  77A04E9B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenThread + 6  77A04EF6 4 Bytes  [68, BD, 90, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenThread + B  77A04EFB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenThreadToken + 6  77A04F06 4 Bytes  [68, BE, 90, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenThreadToken + B  77A04F0B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenThreadTokenEx + 6  77A04F16 4 Bytes  CALL 76A0DFD9 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtOpenThreadTokenEx + B  77A04F1B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtQueryAttributesFile + 6  77A05026 4 Bytes  [A8, BC, 90, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtQueryAttributesFile + B  77A0502B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtQueryFullAttributesFile + 6  77A050D6 4 Bytes  CALL 76A0E197 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtQueryFullAttributesFile + B  77A050DB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtSetInformationFile + 6  77A05726 4 Bytes  [28, BD, 90, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtSetInformationFile + B  77A0572B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtSetInformationThread + 6  77A05786 4 Bytes  [28, BE, 90, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtSetInformationThread + B  77A0578B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtUnmapViewOfSection + 6  77A05AA6 4 Bytes  [68, BF, 90, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3692]  ntdll.dll!NtUnmapViewOfSection + B  77A05AAB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtCreateFile + 6  77A046B6 4 Bytes  [28, 84, 4D, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtCreateFile + B  77A046BB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtMapViewOfSection + 6  77A04D16 4 Bytes  [28, 87, 4D, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtMapViewOfSection + B  77A04D1B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenFile + 6  77A04DC6 4 Bytes  [68, 84, 4D, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenFile + B  77A04DCB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenProcess + 6  77A04E76 4 Bytes  [A8, 85, 4D, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenProcess + B  77A04E7B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenProcessToken + 6  77A04E86 4 Bytes  CALL 76A09C10 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenProcessToken + B  77A04E8B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenProcessTokenEx + 6  77A04E96 4 Bytes  [A8, 86, 4D, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenProcessTokenEx + B  77A04E9B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenThread + 6  77A04EF6 4 Bytes  [68, 85, 4D, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenThread + B  77A04EFB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenThreadToken + 6  77A04F06 4 Bytes  [68, 86, 4D, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenThreadToken + B  77A04F0B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenThreadTokenEx + 6  77A04F16 4 Bytes  CALL 76A09CA1 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtOpenThreadTokenEx + B  77A04F1B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtQueryAttributesFile + 6  77A05026 4 Bytes  [A8, 84, 4D, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtQueryAttributesFile + B  77A0502B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtQueryFullAttributesFile + 6  77A050D6 4 Bytes  CALL 76A09E5F C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtQueryFullAttributesFile + B  77A050DB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtSetInformationFile + 6  77A05726 4 Bytes  [28, 85, 4D, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtSetInformationFile + B  77A0572B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtSetInformationThread + 6  77A05786 4 Bytes  [28, 86, 4D, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtSetInformationThread + B  77A0578B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtUnmapViewOfSection + 6  77A05AA6 4 Bytes  [68, 87, 4D, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3904]  ntdll.dll!NtUnmapViewOfSection + B  77A05AAB 1 Byte  [E2]

---- Kernel IAT/EAT - GMER 2.0 ----

IAT  \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [8BE13730] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [8BE13F12] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong]  [8BE14232] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [8BE140F0] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [8BE13914] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- Registry - GMER 2.0 ----

Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-2789141661-186915839-826018185-1000@RefCount  7

---- EOF - GMER 2.0 ----
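The log is easier to judge once its entries are grouped by the component that wrote them, and that can be automated. The Python below is an added example written for this page; it is not part of the log and not GMER's own code. It parses a handful of lines copied from the log (one chrome.exe pid, the PMB.exe entry and the atapi.sys IAT block; the regexes, the CALL-to-bytes recovery and the 0x40 thunk stride are this example's own assumptions about GMER's output format), recovers the 4-byte value each hook wrote at +6 as a little-endian pointer, and checks whether every hook in a process fits one pattern. On 32-bit Windows 7 an ntdll Nt* stub is `mov eax, ssn; mov edx, 7FFE0300h; call [edx]; ret`, so a 4-byte write at +6 replaces the `mov edx` immediate and the single E2 byte at +B turns `FF 12` (`call [edx]`) into `FF E2` (`jmp edx`). That matches the service-call interception Chromium's sandbox installs in its renderer processes, and the pointers recovered here (0x2AC828, 0x2AC868, and so on, 0x40 apart) all land in one thunk table inside chrome.exe. The `CALL 76A07954 ... SHELL32.dll` lines are a display artifact: when the first patched byte happens to be E8, GMER disassembles the bytes as a relative call instead of printing them, and the example undoes that with rel32 = target - (addr + 5). The PMB.exe entry is a different pattern (the function entry itself replaced by `xor eax, eax; ret 4`, which makes SetUnhandledExceptionFilter a no-op), the IAT block is five atapi.sys imports redirected into sptd.sys, the SCSI Pass Through Direct driver from Duplex Secure that ships with DAEMON Tools and Alcohol 120% and that GMER flags on every machine that has it, and the aftcqaog.sys entry in the kernel section is GMER's own randomly named driver from the Running: line, reported as missing because it is deleted after loading.

```python
"""Group GMER 2.0 hook entries by the component that installed them.

Added example: not part of the log above and not GMER's own code.  The sample
lines are copied from that log; the regexes, the CALL-to-bytes recovery and the
0x40 thunk stride are this example's own assumptions about GMER's output."""
import re
from collections import defaultdict

# ".text <process>[<pid>] <module>!<function>[ + <off>] <addr> <n> Byte(s) <payload>"
USER_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<mod>\S+?)!(?P<func>\w+)"
    r"(?:\s*\+\s*(?P<off>[0-9A-F]+))?\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes?\s+(?P<payload>.*)$")
# "IAT <driver>[<import>] [<addr>] <target module> (<description>)"
IAT_RE = re.compile(
    r"^IAT\s+(?P<driver>\S+?)\[(?P<imp>[^\]]+)\]\s+\[(?P<addr>[0-9A-F]{8})\]\s+"
    r"(?P<target>\S+)(?:\s+\((?P<desc>[^)]*)\))?$")
BYTES_RE = re.compile(r"^\[([0-9A-F, ]+)\]")
CALL_RE = re.compile(r"^CALL\s+([0-9A-F]{8})")

# Sample input: lines copied from the log on this page (one chrome.exe pid, PMB.exe, atapi.sys).
USER_LINES = r"""
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtCreateFile + 6  77A046B6 4 Bytes  [28, C8, 2A, 00] {SUB AL, CL; SUB AL, [EAX]}
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtCreateFile + B  77A046BB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenFile + 6  77A04DC6 4 Bytes  [68, C8, 2A, 00]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenFile + B  77A04DCB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenProcessToken + 6  77A04E86 4 Bytes  CALL 76A07954 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtOpenProcessToken + B  77A04E8B 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtQueryFullAttributesFile + 6  77A050D6 4 Bytes  CALL 76A07BA3 C:\windows\system32\SHELL32.dll (Windows Shell Common Dll/Microsoft Corporation)
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtQueryFullAttributesFile + B  77A050DB 1 Byte  [E2]
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtMapViewOfSection + 6  77A04D16 4 Bytes  [28, CB, 2A, 00] {SUB BL, CL; SUB AL, [EAX]}
.text  C:\Users\Anna\AppData\Local\Google\Chrome\Application\chrome.exe[3044]  ntdll.dll!NtMapViewOfSection + B  77A04D1B 1 Byte  [E2]
.text  C:\Program Files\Pando Networks\Media Booster\PMB.exe[3440]  kernel32.dll!SetUnhandledExceptionFilter  77623122 5 Bytes  [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
""".strip().splitlines()
IAT_LINES = r"""
IAT  \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar]  [8BE13730] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar]  [8BE13F12] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong]  [8BE14232] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort]  [8BE140F0] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort]  [8BE13914] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
""".strip().splitlines()


def parse_user_hooks(lines):
    """Parse 'User code sections' lines into dicts; lines that do not match are skipped."""
    hooks = []
    for line in lines:
        m = USER_RE.match(line.strip())
        if not m:
            continue
        h = m.groupdict()
        h["pid"], h["n"] = int(h["pid"]), int(h["n"])
        h["addr"] = int(h["addr"], 16)
        h["off"] = int(h["off"], 16) if h["off"] else 0
        hooks.append(h)
    return hooks


def patched_dword(hook):
    """Return the 4 patched bytes as a little-endian pointer.
    GMER prints raw bytes unless the first one is E8, in which case it prints the
    decoded CALL target; undo that via rel32 = target - (addr + 5) and put E8 back."""
    m = BYTES_RE.match(hook["payload"])
    if m:
        return int.from_bytes(bytes(int(b, 16) for b in m.group(1).split(",")), "little")
    m = CALL_RE.match(hook["payload"])
    if m:
        rel32 = (int(m.group(1), 16) - (hook["addr"] + 5)) & 0xFFFFFFFF
        return ((rel32 & 0xFFFFFF) << 8) | 0xE8  # low 3 bytes of rel32 were the patch
    return None


def stub_patch_profile(hooks, stride=0x40):
    """Per process: do all hooks fit one service-stub patch (4-byte pointer at +6,
    E2 at +B turning 'call [edx]' into 'jmp edx', pointers on one fixed-stride table)?"""
    by_proc = defaultdict(list)
    for h in hooks:
        by_proc[(h["proc"], h["pid"])].append(h)
    out = {}
    for key, hs in by_proc.items():
        ptrs = [patched_dword(h) for h in hs if h["off"] == 6 and h["n"] == 4]
        e2 = [h for h in hs if h["off"] == 0xB and h["n"] == 1 and h["payload"].strip() == "[E2]"]
        other = [h["func"] for h in hs if h["off"] not in (6, 0xB)]
        uniform = bool(ptrs) and None not in ptrs and len(e2) == len(ptrs) and not other
        if uniform:
            base = min(ptrs)
            uniform = all((p - base) % stride == 0 for p in ptrs)
        out[key] = {"uniform": uniform, "thunks": sorted(p for p in ptrs if p is not None), "other": other}
    return out


def iat_targets(lines):
    """Map each redirection target module (basename, description) to the imports it replaced."""
    by_target = defaultdict(list)
    for line in lines:
        m = IAT_RE.match(line.strip())
        if m:
            by_target[(m["target"].rsplit("\\", 1)[-1].lower(), m["desc"] or "")].append(m["imp"])
    return dict(by_target)


if __name__ == "__main__":
    for (proc, pid), info in stub_patch_profile(parse_user_hooks(USER_LINES)).items():
        name = proc.rsplit("\\", 1)[-1]
        print(f"{name}[{pid}]: uniform={info['uniform']} thunks={[hex(p) for p in info['thunks']]} other={info['other']}")
    for (mod, desc), imps in iat_targets(IAT_LINES).items():
        print(f"{mod} ({desc}): {len(imps)} atapi.sys imports redirected")
```

Run it on the full log and every chrome.exe pid reports uniform=True with its own thunk table (pid 3692 around 0x90BC28, pid 3904 around 0x4D8428), which is what you expect from one in-process component patching every stub the same way; the check would fail, and deserve a closer look, if a pointer fell outside the table, if a +B byte were anything other than E2, or if a hook showed up at an offset the pattern does not use.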