GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-11-05 15:15:10 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-17 WDC_WD1600JB-55GVC0 rev.08.02D08 Running: yrr1mpu0.exe; Driver: C:\DOCUME~1\Prezes\USTAWI~1\Temp\pgtdqpow.sys ---- System - GMER 1.0.15 ---- SSDT F7E6F284 ZwClose SSDT F7E6F23E ZwCreateKey SSDT F7E6F28E ZwCreateSection SSDT F7E6F234 ZwCreateThread SSDT F7E6F243 ZwDeleteKey SSDT F7E6F24D ZwDeleteValueKey SSDT F7E6F27F ZwDuplicateObject SSDT sptd.sys ZwEnumerateKey [0xF779CFFE] SSDT sptd.sys ZwEnumerateValueKey [0xF779D38C] SSDT F7E6F252 ZwLoadKey SSDT sptd.sys ZwOpenKey [0xF7768A30] SSDT F7E6F220 ZwOpenProcess SSDT F7E6F225 ZwOpenThread SSDT sptd.sys ZwQueryKey [0xF779D464] SSDT sptd.sys ZwQueryValueKey [0xF779D2E4] SSDT F7E6F25C ZwReplaceKey SSDT F7E6F257 ZwRestoreKey SSDT F7E6F293 ZwSetContextThread SSDT F7E6F248 ZwSetValueKey SSDT F7E6F22F ZwTerminateProcess INT 0x62 ? 86797CC8 INT 0x73 ? 8671ECC8 INT 0x73 ? 8671ECC8 INT 0x82 ? 86797CC8 INT 0x94 ? 8671ECC8 INT 0xA4 ? 8671ECC8 ---- Kernel code sections - GMER 1.0.15 ---- .text sptd.sys F772E000 32 Bytes [5E, 67, 6F, 80, 20, 17, 6F, ...] .text sptd.sys F772E024 4 Bytes [74, 0F, 72, F7] {JZ 0x11; JB 0xfffffffffffffffb} .text sptd.sys F772E02C 424 Bytes [F2, BF, 57, 80, 66, E1, 59, ...] .text sptd.sys F772E1E4 4 Bytes [79, 62, 73, 4C] {JNS 0x64; JAE 0x50} .text sptd.sys F772E1EC 1 Byte [02] .text ... .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF7825D38] ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text USBPORT.SYS!DllUnload F73F38AC 5 Bytes JMP 8671E1D8 ---- User code sections - GMER 1.0.15 ---- UPX1 C:\WINDOWS\update.5.0\svchost.exe[312] C:\WINDOWS\update.5.0\svchost.exe entry point in "UPX1" section [0x004FF280] UPX1 C:\WINDOWS\update.3\svchost.exe[444] C:\WINDOWS\update.3\svchost.exe entry point in "UPX1" section [0x004BD550] UPX1 C:\WINDOWS\update.5.0\svchost.exe[556] C:\WINDOWS\update.5.0\svchost.exe entry point in "UPX1" section [0x004FF280] ? C:\WINDOWS\update.1\svchost.exe[1480] number of sections mismatch; time/date stamp mismatch; unknown module: oleaut32.dllunknown module: version.dllunknown module: oleaut32.dllunknown module: oleaut32.dllunknown module: comctl32.dllunknown module: wsock32.dll UPX1 C:\WINDOWS\update.1\svchost.exe[1480] C:\WINDOWS\update.1\svchost.exe entry point in "UPX1" section [0x006885A0] .text C:\WINDOWS\system32\MPK\mpk.exe[1620] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9] .text C:\WINDOWS\system32\MPK\mpk.exe[1620] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 100074E0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\WINDOWS\system32\MPK\mpk.exe[1620] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 100076D0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\WINDOWS\system32\MPK\mpk.exe[1620] shell32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 10002FE0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\WINDOWS\system32\ctfmon.exe[1652] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9] .text C:\WINDOWS\system32\ctfmon.exe[1652] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 100074E0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\WINDOWS\system32\ctfmon.exe[1652] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 100076D0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\WINDOWS\system32\ctfmon.exe[1652] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 10002FE0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9] .text C:\WINDOWS\Explorer.EXE[1716] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 100074E0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\WINDOWS\Explorer.EXE[1716] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 100076D0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\WINDOWS\Explorer.EXE[1716] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 10002FE0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Documents and Settings\Prezes\Pulpit\yrr1mpu0.exe[1772] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9] .text C:\Documents and Settings\Prezes\Pulpit\yrr1mpu0.exe[1772] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 100074E0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Documents and Settings\Prezes\Pulpit\yrr1mpu0.exe[1772] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 100076D0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Documents and Settings\Prezes\Pulpit\yrr1mpu0.exe[1772] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 10002FE0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Program Files\Messenger\msmsgs.exe[1824] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9] .text C:\Program Files\Messenger\msmsgs.exe[1824] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 00F874E0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Program Files\Messenger\msmsgs.exe[1824] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 00F876D0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Program Files\Messenger\msmsgs.exe[1824] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 00F82FE0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1896] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9] .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1896] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 100074E0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1896] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 10002FE0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[1896] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 100076D0 C:\WINDOWS\system32\MPK\MPK.dll ? C:\WINDOWS\update.tray-8-0\svchost.exe[1944] number of sections mismatch; time/date stamp mismatch; unknown module: oleaut32.dllunknown module: version.dllunknown module: oleaut32.dllunknown module: oleaut32.dllunknown module: comctl32.dllunknown module: wsock32.dll UPX1 C:\WINDOWS\update.tray-8-0\svchost.exe[1944] C:\WINDOWS\update.tray-8-0\svchost.exe entry point in "UPX1" section [0x006885A0] .text C:\WINDOWS\update.tray-8-0\svchost.exe[1944] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9] .text C:\WINDOWS\update.tray-8-0\svchost.exe[1944] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 100074E0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\WINDOWS\update.tray-8-0\svchost.exe[1944] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 10002FE0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\WINDOWS\update.tray-8-0\svchost.exe[1944] OLE32.DLL!CoCreateInstance 774EF1AC 5 Bytes JMP 100076D0 C:\WINDOWS\system32\MPK\MPK.dll ? C:\WINDOWS\update.tray-5-0\svchost.exe[1992] number of sections mismatch; time/date stamp mismatch; unknown module: oleaut32.dllunknown module: version.dllunknown module: oleaut32.dllunknown module: oleaut32.dllunknown module: comctl32.dllunknown module: wsock32.dll UPX1 C:\WINDOWS\update.tray-5-0\svchost.exe[1992] C:\WINDOWS\update.tray-5-0\svchost.exe entry point in "UPX1" section [0x006885A0] .text C:\WINDOWS\update.tray-5-0\svchost.exe[1992] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9] .text C:\WINDOWS\update.tray-5-0\svchost.exe[1992] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 100074E0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\WINDOWS\update.tray-5-0\svchost.exe[1992] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 10002FE0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\WINDOWS\update.tray-5-0\svchost.exe[1992] OLE32.DLL!CoCreateInstance 774EF1AC 5 Bytes JMP 100076D0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2176] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9] .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2176] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 04EE74E0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2176] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 04EE76D0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Program Files\OpenOffice.org 3\program\soffice.bin[2176] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 04EE2FE0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Program Files\Windows Media Player\wmplayer.exe[2820] ntdll.dll!NtQuerySystemInformation 7C90D92E 1 Byte [E9] .text C:\Program Files\Windows Media Player\wmplayer.exe[2820] ntdll.dll!NtQuerySystemInformation 7C90D92E 5 Bytes JMP 100074E0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Program Files\Windows Media Player\wmplayer.exe[2820] SHELL32.dll!SHFileOperationW 7CA708A0 5 Bytes JMP 10002FE0 C:\WINDOWS\system32\MPK\MPK.dll .text C:\Program Files\Windows Media Player\wmplayer.exe[2820] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 100076D0 C:\WINDOWS\system32\MPK\MPK.dll ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8679B540 IAT \WINDOWS\System32\Drivers\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F772F574] sptd.sys IAT \WINDOWS\System32\Drivers\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F772F0C0] sptd.sys IAT \WINDOWS\System32\Drivers\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F772FFE0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F772F0C0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F772F362] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F772F2A4] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F77301BC] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F772FFE0] sptd.sys IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8671E308 IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7744312] sptd.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 867961F8 Device \FileSystem\Fastfat \FatCdrom 85C421F8 Device \Driver\usbuhci \Device\USBPDO-0 8665C1F8 Device \Driver\usbuhci \Device\USBPDO-1 8665C1F8 Device \Driver\usbuhci \Device\USBPDO-2 8665C1F8 Device \Driver\usbuhci \Device\USBPDO-3 8665C1F8 Device \Driver\usbehci \Device\USBPDO-4 866371F8 Device \Driver\Cdrom \Device\CdRom0 866281F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 86270430 Device \Driver\NetBT \Device\NetbiosSmb 86270430 Device \Driver\usbuhci \Device\USBFDO-0 8665C1F8 Device \Driver\usbuhci \Device\USBFDO-1 8665C1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{857DD415-FC36-4693-9B84-AD4985D2A832} 86270430 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 862441F8 Device \Driver\usbuhci \Device\USBFDO-2 8665C1F8 Device \Driver\usbuhci \Device\USBFDO-3 8665C1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 862441F8 Device \Driver\usbehci \Device\USBFDO-4 866371F8 Device \FileSystem\Fastfat \Fat 85C421F8 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 861E51F8 ---- Processes - GMER 1.0.15 ---- Process C:\WINDOWS\system32\MPK\mpk.exe (*** hidden *** ) 1620 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?????????7?6?7??????0209?????????????????e?????????????????????????s???????????????????????????6?&?????????????????????? ???????????????Podstawowy kana? IDE?a??Posix??????????? ???????????????? ??????????????n???????1????????????????????????\???????????????/??? ??????????????????????????????>???????????????????????????????????????????to??????????????? ?????? ??????????????????????????????????????4????cdrom???? ????????????????????????????????14???????????eex?????#????????????????????mouhid?rez????B?????????e???CDROM???intelppm?8??? .?????????????????disk????Processor???????????????? ???????????????? ?????????????^??????????????? ????s??ni???????????D??tA???????????)??????im????Z??????T????hTIM??%SystemRoot%\System32\svchost.exe -k netsvcs?M????????????????T????????????e?)??Konfiguracja zerowej sieci bezprzewodowej????????????m??p2??LocalSystem??????????????P???????e??RpcSs?Ndisuio??eea??? ???????1??????pb??? B?????????????di??? ????????????????????^????????????n????Zapewnia automatyczn? konfiguracj? kart 802 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4D 0x58 0xA7 0x2D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3E 0xF8 0x07 0x7B ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4D 0x58 0xA7 0x2D ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCC 0x09 0x51 0x2D ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x03 0x56 0x2A 0x05 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x07 0xC2 0x55 0x9D ... ---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\All Users\Dane aplikacji\MPK\1\I40852_5705582639 227438 bytes ---- EOF - GMER 1.0.15 ----