GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-10 02:05:18
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\00000069 WDC_WD800JD-00LSA0 rev.06.01D06
Running: gmer.exe; Driver: C:\DOCUME~1\User\USTAWI~1\Temp\kfndakob.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwAddBootEntry [0xA6C7B950]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xA448D610]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwConnectPort [0xA6C7CB40]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwCreateSection [0xA6C7C764]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwCreateThread [0xA6C7AFE0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xA448DC10]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwDeleteBootEntry [0xA6C7B9D4]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwDeleteFile [0xA6C7C0E4]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwDeviceIoControlFile [0xA6C7B074]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xA448D730]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwFsControlFile [0xA6C7C084]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwImpersonateClientOfPort [0xA6C7C040]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwImpersonateThread [0xA6C7BFF2]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwLoadDriver [0xA6C7C44C]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwMapViewOfSection [0xA6C7C32A]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwModifyBootEntry [0xA6C7B992]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xA448D4B0]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwOpenSection [0xA6C7C556]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xA448D570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xA448D6D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xA448D790]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwReplaceKey [0xA6C7BB20]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwRequestWaitReplyPort [0xA6C7D9CA]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwRestoreKey [0xA6C7BA58]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwSecureConnectPort [0xA6C7CC2C]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwSetBootOptions [0xA6C7BA16]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xA448D690]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwSetInformationFile [0xA6C7C148]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xA448D650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xA448D7D0]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwSetSystemInformation [0xA6C7B2F0]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwShutdownSystem [0xA6C7B8FE]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xA448D510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xA448D590]
SSDT \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter) ZwSystemDebugControl [0xA6C7B52C]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xA448D4D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xA448D5D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xA448D750]

---- Kernel code sections - GMER 1.0.15 ----

.Shltr1 C:\Program Files\SpyShelter Personal Free\SpyShelter.sys entry point in ".Shltr1" section [0xA6CD1D86]
.text win32k.sys!EngAcquireSemaphore + 20EE BF808337 5 Bytes JMP A6C717FA \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngFreeUserMem + 674 BF809962 5 Bytes JMP A6C72EFC \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngFreeUserMem + 5BD5 BF80EEC3 5 Bytes JMP A6C71A14 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngDeleteSurface + 45 BF813956 5 Bytes JMP A6C6F878 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!BRUSHOBJ_pvAllocRbrush + 11F0 BF81C799 5 Bytes JMP A6C6F5D2 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngCreateBitmap + F9C BF828C73 5 Bytes JMP A6C70016 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngCreateBitmap + 2C65 BF82A93C 5 Bytes JMP A6C7050C \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngUnmapFontFileFD + 2C50 BF8316BE 5 Bytes JMP A6C705C4 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngUnmapFontFileFD + 43FD BF832E6B 5 Bytes JMP A6C71700 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngUnmapFontFileFD + B68E BF83A0FC 5 Bytes JMP A6C6F7FC \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!XLATEOBJ_iXlate + F17 BF85BEEA 5 Bytes JMP A6C6F4E2 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!XLATEOBJ_iXlate + 2EDB BF85DEAE 5 Bytes JMP A6C7185A \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngCreatePalette + 88 BF85F852 5 Bytes JMP A6C6F106 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngCreatePalette + 5454 BF864C1E 5 Bytes JMP A6C706A6 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngCreateDeviceSurface + 2767 BF86E84A 5 Bytes JMP A6C79DAC \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngGetCurrentCodePage + 77A0 BF8775E5 5 Bytes JMP A6C70A02 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngGetLastError + 1606 BF891215 5 Bytes JMP A6C70916 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngGradientFill + 26EE BF8947C0 5 Bytes JMP A6C710C8 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngStretchBltROP + 583 BF895298 5 Bytes JMP A6C7017E \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngCopyBits + 3857 BF89C643 5 Bytes JMP A6C6F428 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngCopyBits + 4DEC BF89DBD8 5 Bytes JMP A6C70F9E \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngEraseSurface + A9E0 BF8C2150 5 Bytes JMP A6C6F67E \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngFillPath + 1517 BF8CA5B2 5 Bytes JMP A6C6F8E0 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngFillPath + 1797 BF8CA832 5 Bytes JMP A6C6FD0E \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngDeleteSemaphore + 3B3E BF8EC2A7 5 Bytes JMP A6C6FEF0 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngDeleteSemaphore + CB4B BF8F52B4 5 Bytes JMP A6C6FBBE \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngCreateClip + 25B3 BF913FB9 5 Bytes JMP A6C70A9E \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngCreateClip + 48F9 BF9162FF 5 Bytes JMP A6C6F258 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)
.text win32k.sys!EngPlgBlt + 18FC BF94638A 5 Bytes JMP A6C700E6 \??\C:\Program Files\SpyShelter Personal Free\SpyShelter.sys (SpyShelter Driver/SpyShelter)

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 1001A140 C:\Program Files\SpyShelter Personal Free\klhelper.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2720] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 01064A60
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 01064A10
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 01060930
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 010619C0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 01063790
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 01062060
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 01061CA0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 01062D90
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 01064710
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 01064750
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 01064AF0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 010645D0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 010636F0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 01062620
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 01061F30
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 01062360
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 01065070
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 010630E0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 01063550
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 01063C10
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 010639A0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 01063B90
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 010640B0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 01063DC0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 01061E00
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 010624D0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 01064830
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 01063AE0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 01063690
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 01063510
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 010638A0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 01064B10
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 010638E0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 01064DB0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 01064D50
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 01064FA0
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 01065040
IAT C:\Program Files\SpyShelter Personal Free\SpyShelter.exe[272] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 01064E70

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Components\7C61C7AA4A753464699170CD325DDB78@P_9}ÐWh\3ð\34r\3\fïä\0ú.0}\x2dd/0}\xa0o9}\bWh\3X_9}è\f C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Roles\App_LocalResources\manageSingleRole.aspx.J???
Reg HKLM\SOFTWARE\Classes\CLSID\{F5F9B44C-528A-26D3-B2CE-1730ACC8FD16}\couwj@ D\_F`
Reg HKLM\SOFTWARE\Classes\CLSID\{F5F9B44C-528A-26D3-B2CE-1730ACC8FD16}\mrzgcfkroek@ RTCa^FR^QBEboUUvLaMNj
Reg HKLM\SOFTWARE\Classes\CLSID\{F5F9B44C-528A-26D3-B2CE-1730ACC8FD16}\puDGjle@ erIhsN`d}|ffq\GTqUX

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\User\Ustawienia lokalne\Temp\AFEC.tmp 0 bytes

---- EOF - GMER 1.0.15 ----