GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-08-22 19:52:24 Windows 5.2.3790 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS721010G9SA00 rev.MCZOC10H 93.16GB Running: 4zxczzqd.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\kwlyqpog.sys ---- Kernel code sections - GMER 2.1 ---- ? spgg.sys Nie można odnaleźć określonego pliku. ! ? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\winlogon.exe[488] ntdll.dll!NtCreateFile 7C936DDF 5 Bytes JMP 6340FDC0 c:\program files\uphclean\uphclean.dll .text C:\WINDOWS\system32\winlogon.exe[488] ntdll.dll!NtFlushKey 7C93709F 5 Bytes JMP 6340FCB0 c:\program files\uphclean\uphclean.dll .text C:\WINDOWS\system32\winlogon.exe[488] ntdll.dll!NtOpenFile 7C93730F 5 Bytes JMP 63411BF0 c:\program files\uphclean\uphclean.dll .text C:\WINDOWS\system32\winlogon.exe[488] ntdll.dll!NtSetInformationFile 7C9379FF 5 Bytes JMP 63411CA0 c:\program files\uphclean\uphclean.dll .text C:\WINDOWS\system32\winlogon.exe[488] ntdll.dll!NtUnloadKey 7C937C6F 5 Bytes JMP 6340E520 c:\program files\uphclean\uphclean.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8A7341F8 Device \Driver\usbuhci \Device\USBPDO-0 8A43C1F8 Device \Driver\usbuhci \Device\USBPDO-1 8A43C1F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A7EA1F8 Device \Driver\dmio \Device\DmControl\DmConfig 8A7EA1F8 Device \Driver\dmio \Device\DmControl\DmPnP 8A7EA1F8 Device \Driver\dmio \Device\DmControl\DmInfo 8A7EA1F8 Device \Driver\usbuhci \Device\USBPDO-2 8A43C1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{56DE1F5E-C5EE-4ABD-B25F-F366A5061BA5} 890241F8 Device \Driver\usbehci \Device\USBPDO-3 8A40E1F8 Device \Driver\usbuhci \Device\USBPDO-4 8A43C1F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 8A7361F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys Device \Driver\Ftdisk \Device\HarddiskVolume2 8A7361F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys Device \Driver\Cdrom \Device\CdRom0 8A513500 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F720CE60] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F720CE60] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F720CE60] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F720CE60] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume3 8A7361F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys Device \Driver\Ftdisk \Device\HarddiskVolume4 8A7361F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 snapman.sys Device \Driver\Ftdisk \Device\HarddiskVolume5 8A7361F8 AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 snapman.sys Device \Driver\NetBT \Device\NetBt_Wins_Export 890241F8 Device \Driver\NetBT \Device\NetbiosSmb 890241F8 Device \Driver\usbuhci \Device\USBFDO-0 8A43C1F8 Device \Driver\usbuhci \Device\USBFDO-1 8A43C1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 890231F8 Device \Driver\usbuhci \Device\USBFDO-2 8A43C1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 890231F8 Device \Driver\usbuhci \Device\USBFDO-3 8A43C1F8 Device \Driver\usbehci \Device\USBFDO-4 8A40E1F8 Device \Driver\Ftdisk \Device\FtControl 8A7361F8 Device \FileSystem\Cdfs \Cdfs 89270500 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spgg.sys >>UNKNOWN [0x8a798944]<< 8a798944 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a68eab8] 8a68eab8 Trace 3 CLASSPNP.SYS[f76ce601] -> nt!IofCallDriver -> \Device\0000006f[0x8a696030] 8a696030 Trace 5 ACPI.sys[f723c3c0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a692948] 8a692948 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x63 0xC7 0x10 0xD0 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x63 0xC7 0x10 0xD0 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability@LastAliveUptime 867 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG08.00.00.01WORKSTATION 3DF9E1371A022A16D5386476905BC23F4D7FED0D5145F686356F27665ECB5039D48BDB961E6FCCDDA1F15D2E46C30632B15CF567EB58ED805276EB1893F41B38A3038F7F5CA99C6546CD645EB2A9EBED9E734E5D9AFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933FEBC9E127BECC74CA6171C11EC38DE3DC038D530D6EB345216F6CEA6E26E0D9A8100F30329AF25A36123BB3FDB9B2B94C02AF1E105316188BC06895E80458ECF5934D4CD4236ECB9363C1BC2E6AFE0EA823B7523A07DFE3E51FA0399E0EAE444329FE391E4BA66429CE113C9092602CCAD567C6D686C26ECB8CBF3C6D77D52D49A33F17DA5A4782AF09CA8E2314E395A0DBE6150CADA69804893AC19F0026CDE1802E1854ABFDDDE851975E2825F87325FD8132268872CEC4B108F8568DE1C452343ADDF4DBD25561F2826E1D4F2C07855B0927B1413A7A4012695C5315FA0EE26D35F075DB13087763F7C3C34848C579572F6B95806E7241DDB495A6EB38A4602B398BB5C94B66DB976CC125EF7667B3AF06A7DF048CF6846DB49027CEE40B98A860E0161C2C387080B01474A919D1450A12B2D4DAA91F2977649C6E608FABC8893871D37FCB55A77DD96831C79D6575C9E8C71935E37C8209B116FEFDB48463747609BDBE7BE6D90F31F35313F0A7CD1257 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION 8CF9DE0CFB6C21D841567E9DCBD9701B9428578241579AEFCB430D0257DEF9089FB0E29AC838411C757EEEDF562EF381B5CADC361C84EF08A2ADBFDBF94C0DAB4BEAF24584F641168B768E3C974ADF6C95CC6BE1DB17E0F2901332F1FECABF7ACF0CFE5B5BC95FA48460952B499B8CEF15AD2343EC67FE1BFA6E0DE3A5C0FDD42CB05A837BC3023E201221762C8477B5D82008E8BFC4007F8472DF282E89552EA924BC3896EDAF6A6897303D04D7C0FB490D86B7C8F0BDB116811D865F72F90D50E8C14563C29444A7AEA7F119E0AD13910FE9E501A2B5D8DD341A1C0241C28DEDB3E74F9DB280FE6D4A50FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB3452A9C6AECB7A5D14079DB7CE019D40AA5CB23471F211A25F790D6153A9F4F438A2086E1F97ADE42DA4B5B2ACA13A6DF27E54CF7FFEB67EEBF0666A22A01DBA6C349A7151AC5849D23805F4FC8B21B4E7F9A8090EFDB1541762CEC007C9434D6D3CAEB2F2F760A3F635668D991707D5586F4542179D158B4D25E2392CCE8C55655C0516F639A17AA0255F92663F9CD7C77292E089B0884D31F50E28ADF8B73D3498B00348D40E1B0BF6459AB7A02909F0F9CC4F48AF488817F3136A193A14B4EAD816E543D42B95A7F94645D7FD86FBBE5E067AAB342 ---- Files - GMER 2.1 ---- File C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Visited Links 131072 bytes File C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\Google\Chrome\User Data\Default\Web Data-journal 6680 bytes ---- EOF - GMER 2.1 ----