GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-25 18:59:21
Windows 6.1.7600 Harddisk0\DR0 -> \Device\0000005e SAMSUNG_ rev.1AG0
Running: ztin37y8.exe; Driver: C:\Users\Lukasz\AppData\Local\Temp\ugrdapoc.sys

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwSaveKeyEx + 13AD  82C88579 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  82CACF52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
?      System32\drivers\wlkxpvn.sys  System nie może odnaleźć określonej ścieżki. !

---- User code sections - GMER 1.0.15 ----

.text  D:\Mozilla Firefox\firefox.exe[2076] ntdll.dll!NtQueryInformationProcess  779D5490 5 Bytes  JMP 008321F9
.text  D:\Mozilla Firefox\firefox.exe[2076] ntdll.dll!LdrLoadDll  779EF585 5 Bytes  JMP 00A613F0 D:\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text  D:\Mozilla Firefox\firefox.exe[2076] WS2_32.dll!closesocket  77873BED 5 Bytes  JMP 0081CBBC
.text  D:\Mozilla Firefox\firefox.exe[2076] WS2_32.dll!recv  778747DF 5 Bytes  JMP 0081C7D6
.text  D:\Mozilla Firefox\firefox.exe[2076] WS2_32.dll!GetAddrInfoW  778760F5 5 Bytes  JMP 0081BCDA
.text  D:\Mozilla Firefox\firefox.exe[2076] WS2_32.dll!getaddrinfo  77876737 5 Bytes  JMP 0081BBFA
.text  D:\Mozilla Firefox\firefox.exe[2076] WS2_32.dll!WSASend  778768A7 5 Bytes  JMP 0081C884
.text  D:\Mozilla Firefox\firefox.exe[2076] WS2_32.dll!WSARecv  7787C29F 5 Bytes  JMP 0081C958
.text  D:\Mozilla Firefox\firefox.exe[2076] WS2_32.dll!send  7787C4C8 5 Bytes  JMP 0081C731
.text  D:\Mozilla Firefox\firefox.exe[2076] WS2_32.dll!WSAAsyncGetHostByName  77886D2A 5 Bytes  JMP 0081BFC3
.text  D:\Mozilla Firefox\firefox.exe[2076] WS2_32.dll!gethostbyname  77887133 5 Bytes  JMP 0081BB39
.text  D:\Mozilla Firefox\firefox.exe[2076] USER32.dll!DrawTextExW  75DF7BDD 2 Bytes  JMP 0081D1AF
.text  D:\Mozilla Firefox\firefox.exe[2076] USER32.dll!DrawTextExW + 3  75DF7BE0 2 Bytes  [A2, 8A]
.text  D:\Mozilla Firefox\firefox.exe[2076] USER32.dll!DrawTextW  75DF8220 5 Bytes  JMP 0081CFED
.text  D:\Mozilla Firefox\firefox.exe[2076] USER32.dll!SetClipboardData  75E04979 5 Bytes  JMP 0081CC63
.text  D:\Mozilla Firefox\firefox.exe[2076] USER32.dll!DrawTextA  75E0A482 5 Bytes  JMP 0081CF12
.text  D:\Mozilla Firefox\firefox.exe[2076] USER32.dll!DrawTextExA  75E0A4B9 5 Bytes  JMP 0081D0C8
.text  D:\Mozilla Firefox\firefox.exe[2076] USER32.dll!DialogBoxParamW  75E1564A 5 Bytes  JMP 0081C0A2
.text  D:\Mozilla Firefox\firefox.exe[2076] GDI32.dll!ExtTextOutW  762C8053 5 Bytes  JMP 0081D37A
.text  D:\Mozilla Firefox\firefox.exe[2076] GDI32.dll!GetGlyphIndicesW  762CB521 5 Bytes  JMP 0081D807
.text  D:\Mozilla Firefox\firefox.exe[2076] GDI32.dll!ExtTextOutA  762D0158 5 Bytes  JMP 0081D296
.text  D:\Mozilla Firefox\firefox.exe[2076] GDI32.dll!TextOutA  762D0878 5 Bytes  JMP 0081CD7A
.text  D:\Mozilla Firefox\firefox.exe[2076] GDI32.dll!TextOutW  762E14B9 5 Bytes  JMP 0081CE46
.text  D:\Mozilla Firefox\firefox.exe[2076] GDI32.dll!GetGlyphIndicesA  762EBC42 5 Bytes  JMP 0081D73A
.text  D:\Mozilla Firefox\firefox.exe[2076] WININET.dll!InternetCrackUrlA  75EC0EA5 5 Bytes  JMP 0081DACD
.text  D:\Mozilla Firefox\firefox.exe[2076] WININET.dll!InternetCrackUrlW  75EEC487 5 Bytes  JMP 0081DC16

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\system32\rundll32.exe[1632] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]  [75A05D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Windows\system32\rundll32.exe[1632] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]  [75A05D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Windows\system32\rundll32.exe[1632] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]  [75A05D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Windows\system32\rundll32.exe[1632] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [75A05D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Windows\system32\rundll32.exe[1632] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]  [75A05D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Windows\system32\rundll32.exe[1632] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress]  [75A05D3D] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [7467250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [74672494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [74655624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [746556E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [74668573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [74664D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [746650CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [746651A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [746666D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [746682CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [74668819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [7466907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [7466E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1836] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [74664C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree]  [7467250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc]  [74672494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup]  [74655624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown]  [746556E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics]  [74668573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage]  [74664D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth]  [746650CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight]  [746651A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [746666D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC]  [746682CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode]  [74668819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode]  [7466907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI]  [7466E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\explorer.exe[3808] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage]  [74664C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device  \Driver\ACPI_HAL  \Device\00000049  halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2  rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3  rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4  rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5  rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\48429d081ca2
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\48429d081ca2@0021080c5cb6  0xE6 0xA6 0xE3 0xD1 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\6842bd0818a2
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\48429d081ca2 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\48429d081ca2@0021080c5cb6  0xE6 0xA6 0xE3 0xD1 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\6842bd0818a2 (not active ControlSet)

---- EOF - GMER 1.0.15 ----