GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-08-25 11:21:24 Windows 5.1.2600 Dodatek Service Pack 2 Running: fruzviw3.exe; Driver: C:\DOCUME~1\Marcin\USTAWI~1\Temp\pgtdypob.sys ---- System - GMER 1.0.15 ---- SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF7A52D72] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF7A339A6] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF7A33B98] SSDT F8350224 ZwCreateThread SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF7A53568] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF7A53820] SSDT F8350242 ZwLoadKey SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF7A51A80] SSDT F8350210 ZwOpenProcess SSDT F8350215 ZwOpenThread SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF7A53C8A] SSDT F835024C ZwReplaceKey SSDT F8350247 ZwRestoreKey SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF7A53036] SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xF7A33656] SSDT \??\C:\WINNT\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB9AEB6D0] ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINNT\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6702360, 0x242F4E, 0xE8000020] ? C:\WINNT\system32\Drivers\uphcleanhlp.sys Nie można odnaleźć określonego pliku. ! ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1728] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \Driver\prodrv06 \Device\ProDrv06 E19A5828 Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\prohlp02 \Device\ProHlp02 E1509788 Device \Driver\nvata \Device\NvAta0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x58 0x6D 0xEE 0x06 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 E:\Programy\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x4C 0x2B 0xEE 0x2C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xBB 0xED 0x40 0x4E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x21 0xB5 0x33 0xAE ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x58 0x6D 0xEE 0x06 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 E:\Programy\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x4C 0x2B 0xEE 0x2C ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xBB 0xED 0x40 0x4E ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x21 0xB5 0x33 0xAE ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}@FriendlyName Windows Media Player Exception Pack Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}@ComponentGUID {CAC24AF7-5447-4F19-9FA6-F6E6E69D395E} Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}@Version 589824 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}@Sub-Version 2980 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}@ExceptionInfName C:\WINNT\RegisteredPackages\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}\wmexpack.inf Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}@ExceptionCatalogName C:\WINNT\RegisteredPackages\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}\wmexpack.cat Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwDir@Installed 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwFlash@Installed 1 Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\Plugins\SP\NeroBurnPlugin@ProgID MDNeroBurnPlugin.MDNeroBurnPlugin Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F00226B-60BB-FE4A-3A73-BF007CCB7EA3} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F00226B-60BB-FE4A-3A73-BF007CCB7EA3}@damghene 0x64 0x62 0x64 0x66 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F00226B-60BB-FE4A-3A73-BF007CCB7EA3}@iahdfnhlhhapkmfalf 0x69 0x61 0x65 0x65 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F00226B-60BB-FE4A-3A73-BF007CCB7EA3}@hajeplhdafhadcfc 0x69 0x61 0x65 0x65 ... ---- EOF - GMER 1.0.15 ----