GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-07-06 17:11:53
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 Hitachi_HTS542525K9SA00 rev.BBFOC32P 232,89GB
Running: n1t2j48p.exe; Driver: C:\Users\Tomash\AppData\Local\Temp\pwdiyuod.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8EAFD7F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8EAFD8B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8EAFD870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8EAFD830]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82E4FA15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E89212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82E90598 4 Bytes [F0, D7, AF, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1313 82E906A8 4 Bytes [B0, D8, AF, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 161F 82E909B4 4 Bytes [70, D8, AF, 8E]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 82E909FC 4 Bytes [30, D8, AF, 8E]
? C:\Windows\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. !
? C:\Users\Tomash\AppData\Local\Temp\catchme.sys Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1320] kernel32.dll!SetUnhandledExceptionFilter 7682F5AB 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[8092] ntdll.dll!NtCreateFile 77935608 5 Bytes JMP 5F8BB8D0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[8092] ntdll.dll!NtFlushBuffersFile 77935998 5 Bytes JMP 5F8B7B07 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[8092] ntdll.dll!NtQueryFullAttributesFile 77936028 5 Bytes JMP 5F8B7820 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[8092] ntdll.dll!NtReadFile 779362F8 5 Bytes JMP 5F8B7A00 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[8092] ntdll.dll!NtReadFileScatter 77936308 5 Bytes JMP 6010CCC0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[8092] ntdll.dll!NtWriteFile 77936AA8 5 Bytes JMP 5F8BBFE0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[8092] ntdll.dll!NtWriteFileGather 77936AB8 5 Bytes JMP 6010CC6F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[8092] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 768294E6 7 Bytes JMP 600D9E65 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[8092] kernel32.dll!QueryPerformanceCounter + 13 7682C4E5 7 Bytes JMP 600D9E88 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[8092] kernel32.dll!LoadAppInitDlls + 355 7682F5A6 7 Bytes JMP 5F8B8236 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[8092] USER32.dll!GetWindowInfo 75F34B5E 5 Bytes JMP 5FFE7585 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[8092] GDI32.dll!GetViewportOrgEx + 26C 761F884B 7 Bytes JMP 600D9DE6 C:\Program Files\Mozilla Firefox\xul.dll

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [74C4249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [74C25652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [74C25710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [74C4251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [74C3857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [74C34D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [74C350D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [74C351AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74C366DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [74C382D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [74C38824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [74C39085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [74C3E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\explorer.exe[5320] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [74C34C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll

---- Threads - GMER 2.1 ----

Thread System [4:892] 8777B560

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37a931d9
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37a931d9@0018c520c9ba 0x55 0x54 0x6C 0x1E ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37a931d9@001a890a055c 0x98 0x18 0x27 0x7B ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37a931d9@dc2b61073983 0xEB 0x0F 0x2E 0xE8 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001e37a931d9@28987bee7f28 0x1C 0xFA 0x9C 0xFF ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1C 0x11 0xE6 0x9F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x19 0xBE 0x38 0x22 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x80 0x68 0xB7 0x94 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37a931d9 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37a931d9@0018c520c9ba 0x55 0x54 0x6C 0x1E ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37a931d9@001a890a055c 0x98 0x18 0x27 0x7B ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37a931d9@dc2b61073983 0xEB 0x0F 0x2E 0xE8 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001e37a931d9@28987bee7f28 0x1C 0xFA 0x9C 0xFF ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1C 0x11 0xE6 0x9F ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x19 0xBE 0x38 0x22 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x80 0x68 0xB7 0x94 ...

---- Files - GMER 2.1 ----

File C:\Users\Tomash\Desktop\Z dysku ACER wszystko\materialy i zdjecia sz policji\szkoła\Materiały do nauki\policja1\14.09.2008\pomoce szkolne\szkoła policji\mail\PYTANIA TESTOWE - odpowiedzi prawidłowe zakodowane\POSTĘPOWANIE EGZEKUCYJNE I ADMINISTRACYJNE\PATROLOWANIE\PYTANIA TESTOWE.doc 48128 bytes
File C:\Users\Tomash\Desktop\Z dysku ACER wszystko\materialy i zdjecia sz policji\szkoła\Materiały do nauki\policja1\14.09.2008\pomoce szkolne\szkoła policji\mail\PYTANIA TESTOWE - odpowiedzi prawidłowe zakodowane\ŚRODKI PRZYMUSU BEZPOŚREDNIEGO\PRAWA I WOLNOŚCI CZŁOWIEKA\PRAWA I WOLNOŚCI CZŁOWIEKA.doc 594432 bytes
File C:\Users\Tomash\Desktop\Z dysku ACER wszystko\materialy i zdjecia sz policji\szkoła\Materiały do nauki\policja1\14.09.2008\pomoce szkolne\szkoła policji\policja\PYTANIA TESTOWE - odpowiedzi prawidłowe zakodowane\POSTĘPOWANIE EGZEKUCYJNE I ADMINISTRACYJNE\PATROLOWANIE\PYTANIA TESTOWE.doc 48128 bytes

---- EOF - GMER 2.1 ----