GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-12-22 22:42:43 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\00000070 SAMSUNG_SP2504C rev.VT100-41 Running: fwvr67lj.exe; Driver: C:\DOCUME~1\Admin\USTAWI~1\Temp\ugldapog.sys ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF5BDE360, 0x24BB1D, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1920] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 17, 00] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 17, 00] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 17, 00] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 17, 00] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90ED1A .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 17, 00] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 17, 00] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 17, 00] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90ED8B .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 17, 00] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EEB9 .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 17, 00] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 17, 00] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 17, 00] .text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3864] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002E0010 ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET) AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE6 0x3F 0xFF 0x18 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x1C 0x59 0xAE 0xBC ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x25 0xCF 0xB8 0xB3 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x54 0x51 0x04 0x59 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xD3 0x6D 0x47 0xDC ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xA6 0x74 0x82 0x23 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x7E 0x2E 0x42 0xCB ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEC 0x46 0xC5 0x51 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x09 0xCD 0x53 0x55 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEC 0x46 0xC5 0x51 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x09 0xCD 0x53 0x55 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEC 0x46 0xC5 0x51 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x09 0xCD 0x53 0x55 ... ---- Files - GMER 1.0.15 ---- File C:\UsbFix 0 bytes File C:\UsbFix\Erunt 0 bytes File C:\UsbFix\Erunt\ERDNT.E_E 163328 bytes executable File C:\UsbFix\Erunt\ERDNTDOS.LOC 2815 bytes File C:\UsbFix\Erunt\ERDNTWIN.LOC 3275 bytes File C:\UsbFix\Erunt\ERUNT.com 161280 bytes File C:\UsbFix\Erunt\ERUNT.LOC 4090 bytes File C:\UsbFix\Go.exe 557827 bytes executable File C:\UsbFix\Res 0 bytes File C:\UsbFix\Res\Paypal-EN.jpg 3637 bytes File C:\UsbFix\Res\Paypal-FR.jpg 3933 bytes File C:\UsbFix\Res\Picture.JPG 61637 bytes File C:\UsbFix\Res\UsbFix.ico 71354 bytes File C:\UsbFix\Tools 0 bytes File C:\UsbFix\Tools\GREP.com 52224 bytes executable File C:\UsbFix\Tools\MD5Hash.dll 57711 bytes executable File C:\UsbFix\Tools\Reboot_UsbFix.exe 350583 bytes executable File C:\UsbFix\Tools\swreg.com 284160 bytes File C:\UsbFix\Tools\swxcacls.com 81920 bytes File C:\UsbFix\Tools\zip.com 32256 bytes executable File C:\UsbFix\Un-UsbFix.exe 105540 bytes executable File C:\UsbFix.txt 8324 bytes ---- EOF - GMER 1.0.15 ----