GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-27 19:56:51
Windows 5.1.2600 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS548060M9AT00 rev.MGBOA56A 55,89GB
Running: zpoo0cm2.exe; Driver: C:\DOCUME~1\Krzysiek\LOCALS~1\Temp\kfayrpob.sys


---- System - GMER 2.1 ----

SSDT  d347bus.sys  ZwClose [0xF8508818]
SSDT  d347bus.sys  ZwCreateKey [0xF85087D0]
SSDT  d347bus.sys  ZwCreatePagingFile [0xF84FCA20]
SSDT  d347bus.sys  ZwEnumerateKey [0xF84FD2A8]
SSDT  d347bus.sys  ZwEnumerateValueKey [0xF8508910]
SSDT  d347bus.sys  ZwOpenKey [0xF8508794]
SSDT  d347bus.sys  ZwQueryKey [0xF84FD2C8]
SSDT  d347bus.sys  ZwQueryValueKey [0xF8508866]
SSDT  d347bus.sys  ZwSetSystemPowerState [0xF85080B0]

INT 0x06  \??\C:\WINDOWS\system32\drivers\Haspnt.sys  EF84016D
INT 0x0E  \??\C:\WINDOWS\system32\drivers\Haspnt.sys  EF83FFC2

---- Kernel code sections - GMER 2.1 ----

?  d347bus.sys  The system cannot find the file specified.
!  .text  C:\WINDOWS\system32\drivers\swopafwx.sys  section is writeable [0xF85C3000, 0x2F40, 0xEC000040]
   .reloc  C:\WINDOWS\system32\drivers\swopafwx.sys  section is executable [0xF85C9E60, 0x1E60, 0xEE000040]
?  C:\WINDOWS\system32\drivers\swopafwx.sys  Access denied.
?  C:\WINDOWS\system32\drivers\mbam.sys  The system cannot find the file specified.
!  .text  C:\WINDOWS\system32\drivers\hardlock.sys  section is writeable [0xEF4C2400, 0x82482, 0xE8000020]
   .protect  C:\WINDOWS\system32\drivers\hardlock.sys  entry point in ".protect" section [0xEF562420]
   .protect  C:\WINDOWS\system32\drivers\hardlock.sys  unknown last code section [0xEF562200, 0x5105, 0xE0000020]

---- Devices - GMER 2.1 ----

Device  swopafwx.sys
Device  Ntfs.sys
Device  823153C0
Device  Fastfat.SYS
Device  820485D0
Device  \FileSystem\RAW \Device\RawTape  swopafwx.sys
Device  \FileSystem\MRxDAV \Device\WebDavRedirector  swopafwx.sys
Device  \FileSystem\Rdbss \Device\FsWrap  81FC7580
Device  \FileSystem\Srv \Device\LanmanServer  821BC4B8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  swopafwx.sys
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  82007858
Device  mrxsmb.sys
Device  \FileSystem\Npfs \Device\NamedPipe  82025BD0
Device  \FileSystem\Msfs \Device\Mailslot  8202F760
AttachedDevice  fltMgr.sys
Device  \FileSystem\Cdfs \Cdfs  swopafwx.sys
Device  \FileSystem\Cdfs \Cdfs  82079B18

---- Registry - GMER 2.1 ----

Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout  15
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota  10000
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler  yes
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout  90
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota  10000

---- EOF - GMER 2.1 ----
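As an added example (not part of the log above and not GMER's own code), the following Python script shows how an analyst can triage a GMER 2.1 log mechanically: it splits the log on the "---- X - GMER 2.1 ----" markers, groups SSDT and INT hooks by driver, collects the sections GMER flagged with "!" and the files it could not read ("?"), counts how many \FileSystem\ device stacks each driver is attached to, and finally lists the drivers that still need an owner. The embedded SAMPLE_LOG is a constructed subset of the log above, re-typed with two-space column separators. The KNOWN_GOOD allowlist is an assumption about this host (d347bus.sys as the Daemon Tools / Alcohol 120% SCSI emulation driver, Haspnt.sys and hardlock.sys as the Aladdin HASP / Hardlock dongle drivers) that must be confirmed against the software actually installed; the log itself does not establish it.

```python
"""Triage a GMER 2.1 rootkit-scan log: group hooks and '!' findings by driver."""
import re
from collections import defaultdict

# Constructed sample: a subset of the log above, re-typed with two-space columns.
SAMPLE_LOG = r"""GMER 2.1.19357 - http://www.gmer.net
Running: zpoo0cm2.exe; Driver: C:\DOCUME~1\Krzysiek\LOCALS~1\Temp\kfayrpob.sys
---- System - GMER 2.1 ----
SSDT  d347bus.sys  ZwClose [0xF8508818]
SSDT  d347bus.sys  ZwSetSystemPowerState [0xF85080B0]
INT 0x06  \??\C:\WINDOWS\system32\drivers\Haspnt.sys  EF84016D
INT 0x0E  \??\C:\WINDOWS\system32\drivers\Haspnt.sys  EF83FFC2
---- Kernel code sections - GMER 2.1 ----
?  d347bus.sys  The system cannot find the file specified.
!  .text  C:\WINDOWS\system32\drivers\swopafwx.sys  section is writeable [0xF85C3000, 0x2F40, 0xEC000040]
   .reloc  C:\WINDOWS\system32\drivers\swopafwx.sys  section is executable [0xF85C9E60, 0x1E60, 0xEE000040]
?  C:\WINDOWS\system32\drivers\swopafwx.sys  Access denied.
?  C:\WINDOWS\system32\drivers\mbam.sys  The system cannot find the file specified.
!  .text  C:\WINDOWS\system32\drivers\hardlock.sys  section is writeable [0xEF4C2400, 0x82482, 0xE8000020]
---- Devices - GMER 2.1 ----
Device  \FileSystem\RAW \Device\RawTape  swopafwx.sys
Device  \FileSystem\MRxDAV \Device\WebDavRedirector  swopafwx.sys
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  swopafwx.sys
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  82007858
---- Registry - GMER 2.1 ----
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
---- EOF - GMER 2.1 ----
"""

# Assumption for this host, to be confirmed against the software installed:
# d347bus.sys belongs to Daemon Tools / Alcohol 120% (SCSI bus emulation),
# Haspnt.sys and hardlock.sys to the Aladdin HASP / Hardlock dongle drivers.
KNOWN_GOOD = frozenset({"d347bus.sys", "Haspnt.sys", "hardlock.sys"})

SECTION_RE = re.compile(r"^---- (.+?) - GMER 2\.1 ----$")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s+\[0x[0-9A-Fa-f]+\]$")
INT_RE = re.compile(r"^INT\s+(0x[0-9A-Fa-f]+)\s+(\S+)\s+[0-9A-Fa-f]+$")
DRIVER_RE = re.compile(r"Driver:\s+(\S+)")


def basename(path):  # last component of a path such as \??\C:\WINDOWS\...\x.sys
    return path.rsplit("\\", 1)[-1]


def fields(line):  # GMER columns are runs of 2+ spaces; device paths hold single spaces
    return re.split(r"\s{2,}", line)


def parse_sections(text):
    """{section name: [non-empty lines]}; lines before the first marker go under 'Header'."""
    sections, current = defaultdict(list), "Header"
    for line in filter(None, map(str.strip, text.splitlines())):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        else:
            sections[current].append(line)
    return dict(sections)


def triage(text, known_good=frozenset()):
    """Group findings by driver and list the drivers that still need an owner."""
    secs = parse_sections(text)
    r = {"ssdt_hooks": defaultdict(list), "int_hooks": [], "flagged": [], "unreadable": [],
         "fs_attach": defaultdict(int), "appinit_dlls": None, "gmer_driver": None}
    for line in secs.get("Header", []):
        if m := DRIVER_RE.search(line):       # GMER's own randomly named scan driver
            r["gmer_driver"] = basename(m.group(1))
    for line in secs.get("System", []):
        if m := SSDT_RE.match(line):
            r["ssdt_hooks"][basename(m.group(1))].append(m.group(2))
        elif m := INT_RE.match(line):
            r["int_hooks"].append((m.group(1), basename(m.group(2))))
    for line in secs.get("Kernel code sections", []):
        flag = line[0] if line[:2] in ("! ", "? ") else ""
        cols = fields(line[1:].strip()) if flag else fields(line)
        if flag == "?" and len(cols) >= 2:     # file GMER could not open or read
            r["unreadable"].append((basename(cols[0]), cols[1]))
        elif flag == "!" and len(cols) >= 3:   # section GMER considers abnormal
            r["flagged"].append((basename(cols[1]), f"{cols[0]} {cols[2]}"))
    for line in secs.get("Devices", []):
        cols = fields(line)
        if len(cols) >= 3 and cols[1].startswith("\\FileSystem\\") and cols[2].lower().endswith(".sys"):
            r["fs_attach"][cols[2]] += 1
    for line in secs.get("Registry", []):
        cols = fields(line)
        if len(cols) >= 2 and cols[1].endswith("@AppInit_DLLs"):
            r["appinit_dlls"] = cols[2] if len(cols) > 2 else ""   # "" means the value is empty
    # Every driver that hooks, was flagged, or sits on a file-system stack needs an owner.
    seen = set(r["ssdt_hooks"]) | {d for _, d in r["int_hooks"]}
    seen |= {d for d, _ in r["flagged"]} | set(r["fs_attach"])
    seen.discard(r["gmer_driver"])
    r["review"] = sorted(seen - set(known_good))
    return r


if __name__ == "__main__":
    print(triage(SAMPLE_LOG, KNOWN_GOOD)["review"])
```

With the allowlist applied, the one driver left for review in this sample is swopafwx.sys: a randomly named driver whose .text section is writeable, which GMER could not read (access denied), and which is attached to several file-system device stacks. The log's own scan driver (kfayrpob.sys) shows that a random name is not by itself evidence of anything, so the next step is to establish the file's publisher and install date rather than to conclude either way from the name; AppInit_DLLs is empty here, which the script reports as "" rather than None so that an unset value is distinguishable from a key that was not in the log.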