GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-04 19:12:28
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: llk5fnc9.exe; Driver: C:\Users\sandoz\AppData\Local\Temp\uwldypob.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8EE0E340, 0x3FC377, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

? C:\Windows\system32\svchost.exe[2392] image checksum mismatch; number of sections mismatch; time/date stamp mismatch; unknown module: dbghelp.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!HeapSetInformation] 244C8D51
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 1BC82B04
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!CreateActCtxW] 23D0F7C0
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!ReleaseActCtx] 25C48BC8
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LCMapStringW] FFFFF000
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!lstrlenW] 0A72C83B
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] 9459C18B
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!InterlockedExchange] 0489008B
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject] 002DC324
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] 85000010
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetModuleHandleA] E9E9EB00
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] 0000950D
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetTickCount] 042474FF
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetCurrentThreadId] 00953EE8
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetCurrentProcessId] 8BC35900
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 8800C7C1
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!TerminateProcess] C30990B1
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetCurrentProcess] B18801C7
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] F6C30990
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetCommandLineW] 01042444
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!ExitProcess] C7F18B56
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!SetProcessAffinityUpdateMode] 90B18806
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetProcessHeap] 009516E8
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!SetErrorMode] C68B5900
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!HeapFree] 2444B70F
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] FF505608
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LocalFree] 330C2474
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!CloseHandle] 9B49E8F6
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LocalAlloc] C0850000
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] 087E5959
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 15FF4650
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!FreeLibrary] [0990B148] C:\Windows\system32\svchost.exe (Proces hosta dla usług systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!Sleep] C35EC68B
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetProcAddress] 83EC8B55
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!DeactivateActCtx] 575318EC
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 0068DB33
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetLastError] 890990B2
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!ActivateActCtx] 5D89F05D
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!lstrcmpW] 680990B1
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!lstrcmpiW] FFEC4589
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!__p__commode] 3BF88B09
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_adjust_fdiv] F47D89FB
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!__setusermatherr] C0330775
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_amsg_exit] 0000EAE9
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_initterm] 358B5600
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!exit] [0990B078] C:\Windows\system32\svchost.exe (Proces hosta dla usług systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!__p__fmode] 90B1E068
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_exit] D6FF5709
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!memcpy] 90B1D468
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!memset] 45895709
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!__set_app_type] 68D6FFF8
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!?terminate@@YAXXZ] [0990B1C0] C:\Windows\system32\svchost.exe (Proces hosta dla usług systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_except_handler4_common] 8BF475FF
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_controlfp] 39D6FFF8
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_cexit] 840FF85D
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!__wgetmainargs] 000000AF
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_XcptFilter] 840FFB3B
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!GetTokenInformation] 840FC33B
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor] 0000009F
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner] 51F04D8D
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup] FFEC75FF
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW] 7415FFD0
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl] 3B0990B0
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW] EC4589C3
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!RegDisablePredefinedCacheEx] 008E840F
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!RegQueryValueExW] [0990B070] C:\Windows\system32\svchost.exe (Proces hosta dla usług systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW] FB3BF88B
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!RegCloseKey] 458D7A74
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW] 895750FC
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!SetServiceStatus] 55FFFC75
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ADVAPI32.dll!OpenProcessToken] 6FF883F8
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] FF5357FC
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlFreeHeap] 15FFEC75
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlCopySid] [0990B06C] C:\Windows\system32\svchost.exe (Proces hosta dla usług systemu Windows/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] F633F88B
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] [74FB3B46] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.6002.18305_none_5cb72f2a088b0ed3\comctl32.dll (Biblioteka formantów czynności użytkownika/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlAllocateHeap] FC458D38
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlInitializeSid] 55FF5750
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlImageNtHeader] [75C085F8] C:\Windows\system32\NETAPI32.dll (Net Win32 API DLL/Microsoft Corporation)
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlSetProcessIsCritical] 8BC78B2C
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 00019C88
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlInitializeCriticalSection] F04D3B00
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcServerListen] EF75C33B
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] B8830CEB
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 000001A0
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 89037406
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] 5357E875
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] FFEC75FF
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 90B06815
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] F475FF09
IAT C:\Windows\system32\svchost.exe[2392] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] B06415FF

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076d89f08
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076d89f08@0021ab3cc642 0x29 0x22 0x40 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0xEB 0x10 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x08 0x9F 0xF4 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x94 0x8C 0x67 0xC9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0c6076d89f08 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0c6076d89f08@0021ab3cc642 0x29 0x22 0x40 0x50 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0xEB 0x10 0x47 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x08 0x9F 0xF4 0x1C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x94 0x8C 0x67 0xC9 ...

---- EOF - GMER 1.0.15 ----