GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-04-27 11:05:40 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298.09GB Running: vr9b6ngc.exe; Driver: C:\Users\Jarek\AppData\Local\Temp\ugloypow.sys ---- System - GMER 2.1 ---- INT 0x51 ? C2B2C7D8 INT 0x52 ? C3ACAA58 INT 0x61 ? C51F5558 INT 0x62 ? C2B2C058 INT 0x71 ? C51F57D8 INT 0x72 ? C2B2C2D8 INT 0x82 ? C3ACA2D8 INT 0x92 ? C2B2CA58 INT 0xA0 ? C3ACA7D8 INT 0xA2 ? C51F5CD8 INT 0xB0 ? C3ACA558 INT 0xB1 ? C2B2CCD8 ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 140D E287D9A9 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 E289D4F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0xC8F2FB2E] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73AF24CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73AD562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73AD56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73AF2546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73AE85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73AE4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73AE5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73AE51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73AE6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73AE8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73AE8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73AE90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73AEE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\Windows\Explorer.EXE[1584] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73AE4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313e7f097 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313e7f097@64779150745b 0xA6 0x7E 0x92 0xF0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313e7f097@001fdfc4b68d 0x82 0x94 0x96 0x88 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x53 0x33 0x7A 0x7E ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\506313e7f097 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\506313e7f097@64779150745b 0xA6 0x7E 0x92 0xF0 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\506313e7f097@001fdfc4b68d 0x82 0x94 0x96 0x88 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x53 0x33 0x7A 0x7E ... ---- EOF - GMER 2.1 ----