GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-05 09:44:54 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-20 ST3500418AS rev.CC38 465,76GB Running: ewy1brr1.exe; Driver: C:\DOCUME~1\MS\USTAWI~1\Temp\uxtdypod.sys ---- System - GMER 2.1 ---- SSDT sptd.sys ZwCreateKey [0xF742AC04] SSDT sptd.sys ZwEnumerateKey [0xF742AD48] SSDT sptd.sys ZwEnumerateValueKey [0xF742B0C0] SSDT sptd.sys ZwOpenKey [0xF742AAE2] SSDT sptd.sys ZwQueryKey [0xF742B18A] SSDT sptd.sys ZwQueryValueKey [0xF742B022] SSDT sptd.sys ZwSetValueKey [0xF742B212] INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys A8CF816D INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys A8CF7FC2 ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8C2C000, 0x1E2E7A, 0xE8000020] init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xABB56280] .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA87BD400, 0x87EE2, 0xE8000020] .protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA8861620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA8861620] .protect˙˙˙˙hardlockunknown last code section [0xA8861400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA8861400, 0x5126, 0xE0000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\SearchIndexer.exe[2288] kernel32.dll!WriteFile 7C8112FF 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8BA05EB0 AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 nipbcfk.sys Device \Driver\dmio \Device\DmControl\DmIoDaemon 8B9DE778 Device \Driver\dmio \Device\DmControl\DmConfig 8B9DE778 Device \Driver\dmio \Device\DmControl\DmPnP 8B9DE778 Device \Driver\dmio \Device\DmControl\DmInfo 8B9DE778 Device \Driver\atapi \Device\Ide\IdePort0 [F7843B40] atapi.sys[unknown section] {MOV EAX, 0x8b9de460; XCHG [ESP], EAX; PUSH EAX; PUSH DWORD 0xf743b684; RET } Device \Driver\atapi \Device\Ide\IdePort1 [F7843B40] atapi.sys[unknown section] {MOV EAX, 0x8b9de460; XCHG [ESP], EAX; PUSH EAX; PUSH DWORD 0xf743b684; RET } Device \Driver\atapi \Device\Ide\IdePort2 [F7843B40] atapi.sys[unknown section] {MOV EAX, 0x8b9de460; XCHG [ESP], EAX; PUSH EAX; PUSH DWORD 0xf743b684; RET } Device \Driver\atapi \Device\Ide\IdePort3 [F7843B40] atapi.sys[unknown section] {MOV EAX, 0x8b9de460; XCHG [ESP], EAX; PUSH EAX; PUSH DWORD 0xf743b684; RET } Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-7 [F7843B40] atapi.sys[unknown section] {MOV EAX, 0x8b9de460; XCHG [ESP], EAX; PUSH EAX; PUSH DWORD 0xf743b684; RET } Device \Driver\atapi \Device\Ide\IdePort4 [F7843B40] atapi.sys[unknown section] {MOV EAX, 0x8b9de460; XCHG [ESP], EAX; PUSH EAX; PUSH DWORD 0xf743b684; RET } Device \Driver\atapi \Device\Ide\IdePort5 [F7843B40] atapi.sys[unknown section] {MOV EAX, 0x8b9de460; XCHG [ESP], EAX; PUSH EAX; PUSH DWORD 0xf743b684; RET } Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-12 [F7843B40] atapi.sys[unknown section] {MOV EAX, 0x8b9de460; XCHG [ESP], EAX; PUSH EAX; PUSH DWORD 0xf743b684; RET } Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-28 [F7843B40] atapi.sys[unknown section] {MOV EAX, 0x8b9de460; XCHG [ESP], EAX; PUSH EAX; PUSH DWORD 0xf743b684; RET } Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-20 [F7843B40] atapi.sys[unknown section] {MOV EAX, 0x8b9de460; XCHG [ESP], EAX; PUSH EAX; PUSH DWORD 0xf743b684; RET } Device \Driver\Disk \Device\Harddisk0\DP(1)0x7e00-0xe8e0b30400+6 8BA050E8 Device \Driver\Disk \Device\Harddisk0\DR0 8BA050E8 Device \Driver\Disk \Device\Harddisk1\DP(1)0x7e00-0x4dc993d600+3 8BA050E8 Device \Driver\Disk \Device\Harddisk1\DP(2)0x4dc994d200-0x26a703b000+4 8BA050E8 Device \Driver\Disk \Device\Harddisk1\DR1 8BA050E8 Device \Driver\Disk \Device\Harddisk2\DP(1)0x7e00-0xe8e0b30400+5 8BA050E8 Device \Driver\Disk \Device\Harddisk2\DR2 8BA050E8 Device \Driver\Ftdisk \Device\FtControl 8B9DE9B0 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe >>UNKNOWN [0x8ba050e8]<< 8ba050e8 Trace 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8b9c2ab8] 8b9c2ab8 Trace \Driver\Disk[0x8b9c6a08] -> IRP_MJ_CREATE -> 0x8ba050e8 8ba050e8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 838360498 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 388189644 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -904593677 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xC8 0x28 0x51 0xAF ... Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ... Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ... Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ... Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ... Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0x50 0x93 0xE5 0xAB ... Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ... Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ... Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xF6 0x0F 0x4E 0x58 ... Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ... Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ... Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ... ---- EOF - GMER 2.1 ----