GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-25 10:12:34
Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JB-00FMA0 rev.13.03G13 74,53GB
Running: jzh047iz.exe; Driver: C:\DOCUME~1\tenchika\USTAWI~1\Temp\pgldqpog.sys

---- System - GMER 2.0 ----

SSDT 8A06D1A8 ZwAlertResumeThread
SSDT 8A0721A8 ZwAlertThread
SSDT 8A3AE390 ZwAllocateVirtualMemory
SSDT 89D831A8 ZwAssignProcessToJobObject
SSDT 89DCF1F8 ZwConnectPort
SSDT \??\C:\WINNT\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA472CED0]
SSDT 89D898D8 ZwCreateMutant
SSDT 8A3EB838 ZwCreateSymbolicLinkObject
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0xA4B4F7F0]
SSDT 8A08CA18 ZwDebugActiveProcess
SSDT \??\C:\WINNT\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA472D150]
SSDT \??\C:\WINNT\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA472D810]
SSDT 8A260288 ZwDuplicateObject
SSDT 89E3BBE8 ZwFreeVirtualMemory
SSDT 8A1881A8 ZwImpersonateAnonymousToken
SSDT 8A06B1A8 ZwImpersonateThread
SSDT 8A0E6DE8 ZwLoadDriver
SSDT 89DD5C50 ZwMapViewOfSection
SSDT 8A1731A8 ZwOpenEvent
SSDT 8A3C5390 ZwOpenProcess
SSDT 8A4001A8 ZwOpenProcessToken
SSDT 8A237148 ZwOpenSection
SSDT 8A557C50 ZwOpenThread
SSDT 89DD49D0 ZwProtectVirtualMemory
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xA4B4F630]
SSDT \??\C:\WINNT\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwRenameKey [0xA472DD80]
SSDT 8A0ED900 ZwResumeThread
SSDT 89DAA1A8 ZwSetContextThread
SSDT 8A06F108 ZwSetInformationProcess
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xA4B4F4F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xA4B4F670]
SSDT 8A3413B0 ZwSetSystemInformation
SSDT \??\C:\WINNT\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA472DAA0]
SSDT 8A08F1A8 ZwSuspendProcess
SSDT 89E4D4B8 ZwSuspendThread
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0xA4B4F830]
SSDT 8A17A1A8 ZwTerminateProcess
SSDT 89E4DDE8 ZwTerminateThread
SSDT 89DD81A8 ZwUnmapViewOfSection
SSDT 8A0FE0B8 ZwWriteVirtualMemory

INT 0x62 ? 8A52CCC8
INT 0x63 ? 8A213CC8
INT 0x73 ? 8A213CC8
INT 0x82 ? 8A52CCC8
INT 0x83 ? 8A213CC8
INT 0x83 ? 8A213CC8
INT 0xB4 ? 8A213CC8
INT 0xB4 ? 8A213CC8

---- Kernel code sections - GMER 2.0 ----

.text ntoskrnl.exe!ZwYieldExecution + 1C2 804E4A1C 4 Bytes [E8, BB, E3, 89]
.text ntoskrnl.exe!ZwYieldExecution + 1FA 804E4A54 4 Bytes [E8, 6D, 0E, 8A]
.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4CC4 12 Bytes [A8, F1, 08, 8A, B8, D4, E4, ...] {TEST AL, 0xf1; OR [EDX-0x761b2b48], CL; XOR AL, BH; MOV AH, 0xa4}
.sptd1 C:\WINNT\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF744C346]
? SYMDS.SYS Nie można odnaleźć określonego pliku. !
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !
.text USBPORT.SYS!DllUnload F655C62C 5 Bytes JMP 8A2131D8

---- User code sections - GMER 2.0 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[200] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10005610 C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\raphook.dll
.text C:\Program Files\AVG Secure Search\vprot.exe[224] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\Program Files\AVG Secure Search\vprot.exe[224] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\Program Files\AVG Secure Search\vprot.exe[224] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C45610 C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\raphook.dll
.text C:\Program Files\AVG Secure Search\vprot.exe[224] USER32.dll!DeviceEventWorker + 178 77D79E30 7 Bytes JMP 003E084A
.text C:\Program Files\AVG Secure Search\vprot.exe[224] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FE0 7 Bytes JMP 003E020E
.text C:\Program Files\AVG Secure Search\vprot.exe[224] ADVAPI32.dll!LogonUserExW + 44D 77DE49F8 7 Bytes JMP 003E012A
.text C:\Program Files\AVG Secure Search\vprot.exe[224] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C51 7 Bytes JMP 003E0682
.text C:\Program Files\AVG Secure Search\vprot.exe[224] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26FAC 7 Bytes JMP 003E059E
.text C:\Program Files\AVG Secure Search\vprot.exe[224] ADVAPI32.dll!ChangeServiceConfigA + 193 77E27144 7 Bytes JMP 003E03D6
.text C:\Program Files\AVG Secure Search\vprot.exe[224] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E27354 7 Bytes JMP 003E02F2
.text C:\Program Files\AVG Secure Search\vprot.exe[224] ADVAPI32.dll!CreateServiceA + 193 77E274EC 7 Bytes JMP 003E04BA
.text C:\Program Files\AVG Secure Search\vprot.exe[224] ADVAPI32.dll!CreateServiceW + 103 77E275F4 7 Bytes JMP 003E0766
.text C:\Documents and Settings\tenchika\Pulpit\jzh047iz.exe[364] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003D0048
.text C:\Documents and Settings\tenchika\Pulpit\jzh047iz.exe[364] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003B004C
.text C:\Documents and Settings\tenchika\Pulpit\jzh047iz.exe[364] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 00C65610 C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\raphook.dll
.text C:\Documents and Settings\tenchika\Pulpit\jzh047iz.exe[364] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FE0 7 Bytes JMP 003D020E
.text C:\Documents and Settings\tenchika\Pulpit\jzh047iz.exe[364] ADVAPI32.dll!LogonUserExW + 44D 77DE49F8 7 Bytes JMP 003D012A
.text C:\Documents and Settings\tenchika\Pulpit\jzh047iz.exe[364] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C51 7 Bytes JMP 003D0682
.text C:\Documents and Settings\tenchika\Pulpit\jzh047iz.exe[364] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26FAC 7 Bytes JMP 003D059E
.text C:\Documents and Settings\tenchika\Pulpit\jzh047iz.exe[364] ADVAPI32.dll!ChangeServiceConfigA + 193 77E27144 7 Bytes JMP 003D03D6
.text C:\Documents and Settings\tenchika\Pulpit\jzh047iz.exe[364] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E27354 7 Bytes JMP 003D02F2
.text C:\Documents and Settings\tenchika\Pulpit\jzh047iz.exe[364] ADVAPI32.dll!CreateServiceA + 193 77E274EC 7 Bytes JMP 003D04BA
.text C:\Documents and Settings\tenchika\Pulpit\jzh047iz.exe[364] ADVAPI32.dll!CreateServiceW + 103 77E275F4 7 Bytes JMP 003D0766
.text C:\Documents and Settings\tenchika\Pulpit\jzh047iz.exe[364] USER32.dll!DeviceEventWorker + 178 77D79E30 7 Bytes JMP 003D084A
.text C:\Program Files\Norton AntiVirus\Engine\20.2.1.22\ccSvcHst.exe[380] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10005610 C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\raphook.dll
.text C:\Program Files\Messenger\msmsgs.exe[508] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10005610 C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\raphook.dll
.text C:\Program Files\Analog Devices\SoundMAX\SMax4PNP.exe[1844] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01115610 C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\raphook.dll
.text C:\Program Files\Analog Devices\SoundMAX\Smax4.exe[1852] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10005610 C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\raphook.dll
.text C:\Program Files\Winamp\winampa.exe[1876] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10005610 C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\raphook.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1956] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Ask.com\Updater\Updater.exe[2016] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10005610 C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\raphook.dll
.text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[2316] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10005610 C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\raphook.dll
.text C:\Program Files\Norton Identity Safe\Engine\2013.2.1.33\ccSvcHst.exe[2448] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 01E05610 C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\raphook.dll
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe[2500] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe[2500] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe[2500] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FE0 7 Bytes JMP 003E020E
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe[2500] ADVAPI32.dll!LogonUserExW + 44D 77DE49F8 7 Bytes JMP 003E012A
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe[2500] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C51 7 Bytes JMP 003E0682
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe[2500] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26FAC 7 Bytes JMP 003E059E
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe[2500] ADVAPI32.dll!ChangeServiceConfigA + 193 77E27144 7 Bytes JMP 003E03D6
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe[2500] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E27354 7 Bytes JMP 003E02F2
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe[2500] ADVAPI32.dll!CreateServiceA + 193 77E274EC 7 Bytes JMP 003E04BA
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe[2500] ADVAPI32.dll!CreateServiceW + 103 77E275F4 7 Bytes JMP 003E0766
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\13.3.2\ToolbarUpdater.exe[2500] USER32.dll!DeviceEventWorker + 178 77D79E30 7 Bytes JMP 003E084A
.text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[3264] kernel32.dll!LoadLibraryA 7C801D77 5 Bytes JMP 10005610 C:\Program Files\Radeon Omega Drivers\v3.8.231\ATI Tray Tools\raphook.dll

---- Kernel IAT/EAT - GMER 2.0 ----

IAT \WINNT\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F7352232] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINNT\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F7351730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINNT\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F7351F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7351730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7351914] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7351856] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73520F0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F7351F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8A213308
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7365F1E] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- User IAT/EAT - GMER 2.0 ----

IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1732] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x11 0xB9 0xAE 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x11 0xB9 0xAE 0xE6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x11 0xB9 0xAE 0xE6 ...

---- EOF - GMER 2.0 ----