GMER 1.0.15.15570 - http://www.gmer.net Rootkit scan 2011-04-23 23:08:18 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 ST3250410AS rev.4.AAA Running: 8s5v80q9.exe; Driver: C:\DOCUME~1\user\USTAWI~1\Temp\kwdyrpob.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwAdjustPrivilegesToken [0xB94170C0] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwConnectPort [0xB94189A0] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateFile [0xB9417F30] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateKey [0xB9416D60] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreatePort [0xB9418CC0] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateProcessEx [0xB94197C0] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateSection [0xB9418F20] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwCreateThread [0xB94193B0] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDebugActiveProcess [0xB9416820] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeleteKey [0xB9417970] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDeleteValueKey [0xB9417AE0] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwDuplicateObject [0xB9416930] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenFile [0xB94181A0] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenProcess [0xB9417CB0] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenSection [0xB9416370] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwOpenThread [0xB9416F70] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwResumeThread [0xB9418400] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwSecureConnectPort [0xB9418B30] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwSetValueKey [0xB94177B0] SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xB6C45620] SSDT \SystemRoot\system32\DRIVERS\pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ZwTerminateThread [0xB9417E00] ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9547360, 0x32D25D, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB631B300, 0x3AE88, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF77C7300, 0x1B7E, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\gry\Forsaken World\update\game.exe[1180] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 4 Bytes [C2, 0C, 00, F8] {RET 0xc; CLC } .text C:\gry\Forsaken World\update\game.exe[1180] kernel32.dll!LoadLibraryA 7C801D7B 5 Bytes JMP 00DC3230 .text C:\gry\Forsaken World\update\game.exe[1180] kernel32.dll!ExitProcess 7C81CB12 5 Bytes JMP 004349C0 .text C:\Program Files\Mozilla Firefox\firefox.exe[1348] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) .text C:\gry\Forsaken World\update\game.exe[3476] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 4 Bytes [C2, 0C, 00, F8] {RET 0xc; CLC } ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Tcp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\Udp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp pwipf6.sys (pwipf6/Privacyware/PWI, Inc.) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA7 0xDB 0x5A 0xD8 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x49 0x42 0xDA 0xA9 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF7 0x0D 0x91 0x7B ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA7 0xDB 0x5A 0xD8 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x49 0x42 0xDA 0xA9 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF7 0x0D 0x91 0x7B ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C@BaseClass Drive Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D@BaseClass Drive Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E@BaseClass Drive Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F@BaseClass Drive Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43cd3e88-ac0b-11dd-90a0-ca261ec56db5} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43cd3e88-ac0b-11dd-90a0-ca261ec56db5}@BaseClass Drive Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43cd3e88-ac0b-11dd-90a0-ca261ec56db5}@_AutorunStatus 0x01 0x00 0x01 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43cd3e88-ac0b-11dd-90a0-ca261ec56db5}\shell Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43cd3e88-ac0b-11dd-90a0-ca261ec56db5}\shell@ None Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43cd3e88-ac0b-11dd-90a0-ca261ec56db5}\shell\Autoplay Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43cd3e88-ac0b-11dd-90a0-ca261ec56db5}\shell\Autoplay@MUIVerb @shell32.dll,-8504 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43cd3e88-ac0b-11dd-90a0-ca261ec56db5}\shell\Autoplay\DropTarget Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{43cd3e88-ac0b-11dd-90a0-ca261ec56db5}\shell\Autoplay\DropTarget@CLSID {f26a669a-bcbb-4e37-abf9-7325da15f931} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{69e49f72-ada6-11dd-90b4-4d6564696130} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{69e49f72-ada6-11dd-90b4-4d6564696130}@BaseClass Drive Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{69e49f72-ada6-11dd-90b4-4d6564696130}@_AutorunStatus 0x01 0x00 0x01 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e8ea1ba-aa06-11dd-96c9-806d6172696f} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e8ea1ba-aa06-11dd-96c9-806d6172696f}@BaseClass Drive Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e8ea1ba-aa06-11dd-96c9-806d6172696f}@_AutorunStatus 0x01 0x00 0x01 0x00 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e8ea1ba-aa06-11dd-96c9-806d6172696f}\_Autorun Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e8ea1ba-aa06-11dd-96c9-806d6172696f}\_Autorun\DefaultIcon Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e8ea1ba-aa06-11dd-96c9-806d6172696f}\_Autorun\DefaultIcon@ D:\start.exe Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e8ea1bc-aa06-11dd-96c9-806d6172696f} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9e8ea1bc-aa06-11dd-96c9-806d6172696f}@BaseClass Drive ---- EOF - GMER 1.0.15 ----