GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-11 13:20:01
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 Hitachi_HDT721032SLA360 rev.ST2OA3AA
Running: gmer.exe; Driver: C:\Users\PIOTR_~1\AppData\Local\Temp\ugldapob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwAllocateVirtualMemory [0x8B0AD2D2]
SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwCreateThread [0x8B0AE904]
SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwCreateThreadEx [0x8B0AE9E0]
SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwFreeVirtualMemory [0x8B0AD55E]
SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwQueueApcThread [0x8B0AEA0C]
SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwQueueApcThreadEx [0x8B0AEA32]
SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwSetContextThread [0x8B0AEA58]
SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwWriteVirtualMemory [0x8B0AD66E]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13D1 82C8C369 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CC5D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82CCCDA8 4 Bytes [D2, D2, 0A, 8B]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82CCCEB8 8 Bytes [04, E9, 0A, 8B, E0, E9, 0A, ...] {ADD AL, 0xe9; OR CL, [EBX-0x74f51620]}
.text ntkrnlpa.exe!KeRemoveQueueEx + 12B3 82CCCF68 4 Bytes [5E, D5, 0A, 8B]
.text ntkrnlpa.exe!KeRemoveQueueEx + 14DB 82CCD190 8 Bytes JMP EA328B0A
.text ntkrnlpa.exe!KeRemoveQueueEx + 1597 82CCD24C 4 Bytes JMP F9BD8B0A
.text ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [744F2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [744D5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [744D56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [744F24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [744E8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [744E4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [744E506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [744E5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [744E6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [744E826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [744E87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [744E901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [744EE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [744E4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000005a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7D 0x42 0x63 0xE0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x0F 0x8B 0x13 0x54 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x20 0x25 0xA8 0x1F ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7D 0x42 0x63 0xE0 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x0F 0x8B 0x13 0x54 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x20 0x25 0xA8 0x1F ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OOCC06.00.00.01WSSV

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB2685$\1491381606 0 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\@ 2048 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\L 0 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\L\xadqopqo 78336 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\loader.tlb 2632 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\U 0 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\U\@00000001 45968 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\U\@000000c0 2560 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\U\@000000cb 3072 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\U\@000000cf 1536 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\U\@80000000 73216 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\U\@800000c0 43520 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\U\@800000cb 25600 bytes
File C:\Windows\$NtUninstallKB2685$\1491381606\U\@800000cf 31232 bytes
File C:\Windows\$NtUninstallKB2685$\4270572511 0 bytes

---- EOF - GMER 1.0.15 ----