GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2011-08-15 20:03:08
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK8037GSX rev.DL240D 74,53GB
Running: 21.exe; Driver: C:\DOCUME~1\STAR\USTAWI~1\Temp\kgryypoc.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\winlogon.exe[224] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10010920 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\winlogon.exe[224] ADVAPI32.dll!CryptVerifySignatureA 77DEC841 5 Bytes JMP 10010910 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\services.exe[268] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10010920 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\services.exe[268] ADVAPI32.dll!CryptVerifySignatureA 77DEC841 5 Bytes JMP 10010910 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\lsass.exe[280] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10010920 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\lsass.exe[280] ADVAPI32.dll!CryptVerifySignatureA 77DEC841 5 Bytes JMP 10010910 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\svchost.exe[440] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10010920 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\svchost.exe[440] ADVAPI32.dll!CryptVerifySignatureA 77DEC841 5 Bytes JMP 10010910 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\svchost.exe[504] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10010920 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\svchost.exe[504] ADVAPI32.dll!CryptVerifySignatureA 77DEC841 5 Bytes JMP 10010910 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\svchost.exe[552] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10010920 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\svchost.exe[552] ADVAPI32.dll!CryptVerifySignatureA 77DEC841 5 Bytes JMP 10010910 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\cmd.exe[788] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10010920 C:\WINDOWS\system32\StarInsecure.dll
.text C:\WINDOWS\system32\cmd.exe[788] ADVAPI32.dll!CryptVerifySignatureA 77DEC841 5 Bytes JMP 10010910 C:\WINDOWS\system32\StarInsecure.dll
.text H:\21.exe[960] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 10010920 C:\WINDOWS\system32\StarInsecure.dll
.text H:\21.exe[960] ADVAPI32.dll!CryptVerifySignatureA 77DEC841 5 Bytes JMP 10010910 C:\WINDOWS\system32\StarInsecure.dll

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641764cdb
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00164195be1a
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419d47da
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419dd80c
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419e2fa7
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016419e7f73
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641b3c06d
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001641fc6ffe
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b766ea1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0x40 0xC2 0x24 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA0 0x67 0xC3 0x52 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xA7 0xDE 0x1A 0xEB ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641764cdb (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00164195be1a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419d47da (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419dd80c (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419e2fa7 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016419e7f73 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641b3c06d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001641fc6ffe (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001a6b766ea1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3A 0xB3 0xE0 0xB8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xA0 0x67 0xC3 0x52 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x74 0x1C 0x4C 0x8D ...

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----