GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-04-18 23:39:12 Windows 6.1.7601 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-4 ST3500320AS rev.SD1A Running: ju15thob.exe; Driver: C:\Users\WINDOW~1\AppData\Local\Temp\fgldrpog.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0xA059B7F0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0xA059B8B0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0xA059B870] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0xA059B830] ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKey + 13D1 82E45A09 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E7F352 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 152F 82E86624 4 Bytes [F0, B7, 59, A0] .text ntkrnlpa.exe!KeRemoveQueueEx + 163F 82E86734 4 Bytes [B0, B8, 59, A0] .text ntkrnlpa.exe!KeRemoveQueueEx + 194B 82E86A40 4 Bytes [70, B8, 59, A0] .text ntkrnlpa.exe!KeRemoveQueueEx + 1993 82E86A88 4 Bytes [30, B8, 59, A0] ? System32\Drivers\spwg.sys System nie może odnaleźć określonej ścieżki. ! PAGE PCIIDEX.SYS!DllUnload 88E89606 5 Bytes JMP 84E921D8 PAGE ataport.SYS!DllUnload + 1 88EC4AD7 4 Bytes JMP 84E8F1D9 .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E639000, 0x2D5378, 0xE8000020] .text USBPORT.SYS!DllUnload 8F977CA0 5 Bytes JMP 85E3D1D8 .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9F32D300, 0x3B6D8, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9F370300, 0x1BEE, 0xE8000020] PAGE peauth.sys A040D02C 102 Bytes [D6, D1, E9, 8C, 19, 6F, B5, ...] ? system32\DRIVERS\ehdrv.sys System nie może odnaleźć określonej ścieżki. ! ? system32\DRIVERS\epfwwfp.sys System nie może odnaleźć określonej ścieżki. ! ? system32\DRIVERS\epfw.sys System nie może odnaleźć określonej ścieżki. ! .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9F32D300, 0x3B6D8, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Program[7396] kernel32.dll!SetUnhandledExceptionFilter 756B05E8 4 Bytes [C2, 04, 00, 00] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88C8190E] \SystemRoot\System32\Drivers\spwg.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88C81F9C] \SystemRoot\System32\Drivers\spwg.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [88C813E6] \SystemRoot\System32\Drivers\spwg.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [88C82178] \SystemRoot\System32\Drivers\spwg.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [88C811D4] \SystemRoot\System32\Drivers\spwg.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [737E2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [737C5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [737C56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [737E250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [737D8573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [737D4D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [737D50CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [737D51A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [737D66D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [737D82CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [737D8819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [737D907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [737DE21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [737D4C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 84E961F8 Device \FileSystem\fastfat \FatCdrom 87D3D470 Device \Driver\volmgr \Device\VolMgrControl 84E911F8 Device \Driver\usbuhci \Device\USBPDO-0 85E421F8 Device \Driver\usbuhci \Device\USBPDO-1 85E421F8 Device \Driver\ACPI_HAL \Device\00000052 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\usbuhci \Device\USBPDO-2 85E421F8 Device \Driver\usbehci \Device\USBPDO-3 85E45470 Device \Driver\sptd \Device\283752417 spwg.sys Device \Driver\usbuhci \Device\USBPDO-4 85E421F8 Device \Driver\usbuhci \Device\USBPDO-5 85E421F8 Device \Driver\usbuhci \Device\USBPDO-6 85E421F8 Device \Driver\volmgr \Device\HarddiskVolume1 84E911F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\usbehci \Device\USBPDO-7 85E45470 Device \Driver\volmgr \Device\HarddiskVolume2 84E911F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom0 85D401F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84E941F8 Device \Driver\atapi \Device\Ide\IdePort0 84E941F8 Device \Driver\atapi \Device\Ide\IdePort1 84E941F8 Device \Driver\atapi \Device\Ide\IdePort2 84E941F8 Device \Driver\atapi \Device\Ide\IdePort3 84E941F8 Device \Driver\atapi \Device\Ide\IdePort4 84E941F8 Device \Driver\atapi \Device\Ide\IdePort5 84E941F8 Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-4 84E941F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-8 84E941F8 Device \Driver\volmgr \Device\HarddiskVolume3 84E911F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom1 85D401F8 Device \Driver\volmgr \Device\HarddiskVolume4 84E911F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom2 85D401F8 Device \Driver\volmgr \Device\HarddiskVolume5 84E911F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume6 84E911F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume7 84E911F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\NetBT \Device\NetBt_Wins_Export 85D7B1F8 Device \Driver\volmgr \Device\HarddiskVolume8 84E911F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume8 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\USBSTOR \Device\00000078 85CF31F8 Device \Driver\USBSTOR \Device\00000079 85CF31F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{BC975AB5-3545-4D07-B583-1BD93E622A04} 85D7B1F8 Device \Driver\PCI_PNP4417 \Device\0000005b spwg.sys Device \Driver\usbuhci \Device\USBFDO-0 85E421F8 Device \Driver\usbuhci \Device\USBFDO-1 85E421F8 Device \Driver\USBSTOR \Device\0000007a 85CF31F8 Device \Driver\usbuhci \Device\USBFDO-2 85E421F8 Device \Driver\USBSTOR \Device\0000007b 85CF31F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{7AE01914-857C-4474-B588-5272C2DACB4C} 85D7B1F8 Device \Driver\usbehci \Device\USBFDO-3 85E45470 Device \Driver\USBSTOR \Device\0000007c 85CF31F8 Device \Driver\usbuhci \Device\USBFDO-4 85E421F8 Device \Driver\usbuhci \Device\USBFDO-5 85E421F8 Device \Driver\usbuhci \Device\USBFDO-6 85E421F8 Device \Driver\usbehci \Device\USBFDO-7 85E45470 Device \Driver\ayq8xufw \Device\Scsi\ayq8xufw1Port6Path0Target0Lun0 85F72470 Device \Driver\ayq8xufw \Device\Scsi\ayq8xufw1 85F72470 Device \FileSystem\fastfat \Fat 87D3D470 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) ---- Modules - GMER 1.0.15 ---- Module (noname) (*** hidden *** ) 8E171000-8E188000 (94208 bytes) ---- Processes - GMER 1.0.15 ---- Process C:\Windows\System32\ping.exe (*** hidden *** ) 3556 Library C:\Program (*** hidden *** ) @ C:\Program [7396] 0x00950000 Library C:\Program (*** hidden *** ) @ C:\Program [7396] 0x6F820000 Library C:\Program (*** hidden *** ) @ C:\Program [7396] 0x6D1D0000 Library C:\Program (*** hidden *** ) @ C:\Program [7396] 0x6C580000 Library C:\Program (*** hidden *** ) @ C:\Program [7396] 0x6E8B0000 Library C:\Program (*** hidden *** ) @ C:\Program [7396] 0x6E6C0000 Library C:\Program (*** hidden *** ) @ C:\Program [7396] 0x6C4E0000 Library C:\Program (*** hidden *** ) @ C:\Program [7396] 0x6C4A0000 Library C:\Program (*** hidden *** ) @ C:\Program [7396] 0x6C450000 Library C:\Program (*** hidden *** ) @ C:\Program [7396] 0x6C400000 Library C:\Program (*** hidden *** ) @ C:\Program [7396] 0x6E670000 Library C:\Program (*** hidden *** ) @ C:\Program [7396] 0x25800000 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x0B 0x47 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7D 0x3C 0x1A 0xD7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB1 0x56 0x39 0xB0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4F 0xF8 0x17 0xDE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x0B 0x47 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x7D 0x3C 0x1A 0xD7 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xB1 0x56 0x39 0xB0 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4F 0xF8 0x17 0xDE ... ---- Files - GMER 1.0.15 ---- File C:\Users\Windows 7 Ultimate\AppData\Local\Opera\Opera\cache\g_003E\opr0064T.tmp 5204 bytes File C:\Users\Windows 7 Ultimate\AppData\Local\Opera\Opera\cache\sesn\opr0064Z.tmp 5204 bytes File C:\Windows\$NtUninstallKB19369$\4235769809 0 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\@ 2048 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\cfg.ini 204 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\Desktop.ini 4608 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\L 0 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\L\xadqgnnk 78336 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\twl.dll 223744 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\U 0 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\U\00000001.@ 2048 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\U\00000002.@ 224768 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\U\00000004.@ 1024 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\U\80000000.@ 66560 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\U\80000004.@ 1024 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\U\80000032.@ 115712 bytes File C:\Windows\$NtUninstallKB19369$\4235769809\version 1029 bytes File C:\Windows\$NtUninstallKB19369$\676277647 0 bytes ---- EOF - GMER 1.0.15 ----