GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-15 15:24:12
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0010
Running: 01qk1uv7.exe; Driver: C:\Users\klucz\AppData\Local\Temp\fwddykod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwSaveKeyEx + 13AD  828945D9 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  828B9092 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)

Device  \Driver\ACPI_HAL \Device\00000063  halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076aea098
Reg  HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Export  [binary data, unprintable in the original log; legible fragments: Microsoft, teamviewervpn, 6.1.7600.16385, 150 -500, Ndi-Mp-AgileVpn]
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x52 0xD1 0x1C 0x23 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x36 0x3A 0x8F 0xB8 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076aea098 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Export  [binary data, unprintable in the original log; legible fragments: %SystemRoot%\system32\cryptsvc.dll, CryptServiceMain, @oleres.dll,-5012, COM Infrastructure, %SystemRoot%\system32\svchost.exe -k DcomLaunch, @oleres.dll,-5013, LocalSystem, SeAssignPrimaryTokenPrivilege, SeAuditPrivilege, SeChangeNotifyPrivilege, SeCreateGlobalPrivilege, SeDebugPrivilege, SeImpersonatePrivilege, SeIncreaseQuotaPrivilege, SeTcbPrivilege, SeBackupPrivilege, SeRestorePrivilege] (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  1
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x52 0xD1 0x1C 0x23 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x36 0x3A 0x8F 0xB8 ...
Reg  HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Battlefield 3™\__Installer\vc\vc2008sp1\redist\vcredist_x86.exe  1
Reg  HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Battlefield 3™\__Installer\vc\vc2008sp1\redist\vcredist_x64.exe  1

---- EOF - GMER 1.0.15 ----
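The following is an added example of how a responder might parse and triage a GMER 1.0.15 log like the one above; it is not part of the posted log and not GMER's own code. It reads the three entry types shown (`.text` kernel code modifications, `AttachedDevice` filter attachments, and `Reg` hidden-key entries), recovers the resolved symbol address from the `symbol + offset` / address pair that GMER prints, notes when GMER truncated a byte listing with `...`, and separates entries from an inactive ControlSet. The sample input is a handful of lines copied from the scan above (with the binary `Linkage@Export` entry left out). The two registry-path notes in `KNOWN_REG_PATHS` are this example's own assumptions about entries commonly seen on hosts with paired Bluetooth devices or the SPTD driver installed, not verdicts from GMER, and the parser assumes key paths without spaces.

```python
"""Parser and triage helper for GMER 1.0.15 text logs (added example, not GMER code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input: lines copied from the scan above (Polish descriptions translated).
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
---- Kernel code sections - GMER 1.0.15 ----
.text  ntkrnlpa.exe!ZwSaveKeyEx + 13AD  828945D9 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  828B9092 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
---- Devices - GMER 1.0.15 ----
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  1
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)
---- EOF - GMER 1.0.15 ----
"""

CODE_RE = re.compile(
    r"^\.text\s+(?P<module>[^\s!]+)!(?P<symbol>\w+)\s*\+\s*(?P<offset>[0-9A-Fa-f]+)"
    r"\s+(?P<address>[0-9A-Fa-f]{8,16})\s+(?P<count>\d+)\s+Bytes?\s+\[(?P<bytes>[^\]]*)\]"
    r"(?:\s*\{(?P<disasm>[^}]*)\})?")
DEVICE_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<file>\S+)")
REG_RE = re.compile(
    r"^Reg\s+(?P<key>[^\s@]+)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*?))?"
    r"\s*(?P<inactive>\(not active ControlSet\))?\s*$")


@dataclass
class CodePatch:
    module: str
    symbol: str
    offset: int
    address: int
    declared_len: int        # byte count GMER reports
    bytes_shown: List[int]   # bytes actually printed; GMER cuts long runs with "..."
    truncated: bool
    disasm: Optional[str]

    @property
    def symbol_base(self) -> int:
        # GMER prints the patched address and its offset from the nearest export;
        # subtracting recovers the address the export was resolved to.
        return self.address - self.offset


@dataclass
class AttachedDevice:
    driver: str
    device: str
    file: str


@dataclass
class RegEntry:
    key: str
    value: Optional[str]
    data: Optional[str]
    inactive: bool


def _parse_bytes(text: str) -> Tuple[List[int], bool]:
    items = [t.strip() for t in text.split(",") if t.strip()]
    return [int(t, 16) for t in items if t != "..."], "..." in items


def parse_log(text: str) -> Tuple[List[CodePatch], List[AttachedDevice], List[RegEntry]]:
    patches, devices, regs = [], [], []
    for line in text.splitlines():
        line = line.strip()
        if m := CODE_RE.match(line):
            shown, trunc = _parse_bytes(m["bytes"])
            patches.append(CodePatch(m["module"], m["symbol"], int(m["offset"], 16),
                                     int(m["address"], 16), int(m["count"]), shown,
                                     trunc, m["disasm"]))
        elif m := DEVICE_RE.match(line):
            devices.append(AttachedDevice(m["driver"], m["device"], m["file"]))
        elif m := REG_RE.match(line):
            regs.append(RegEntry(m["key"], m["value"], m["data"] or None,
                                 m["inactive"] is not None))
    return patches, devices, regs


# Assumed triage notes (this example's own, not GMER's): key fragment -> explanation.
KNOWN_REG_PATHS = (
    ("\\services\\BTHPORT\\Parameters\\Keys\\",
     "Bluetooth link keys; access-restricted key, listed on hosts with paired devices"),
    ("\\services\\sptd\\Cfg\\",
     "SPTD driver (Daemon Tools/Alcohol) configuration, stored obfuscated by the driver"),
)


def triage(text: str) -> Dict[str, List[str]]:
    patches, devices, regs = parse_log(text)
    report: Dict[str, List[str]] = {"verify": [], "inactive": [], "explained": [], "filters": []}
    for p in patches:
        # Any in-memory change to kernel .text should be diffed against the on-disk
        # kernel image; flag listings GMER cut short so the reader pulls the full bytes.
        detail = f"{p.module}!{p.symbol}+{p.offset:X} @ {p.address:08X}: {p.declared_len} byte(s)"
        if p.truncated:
            detail += f" (only {len(p.bytes_shown)} shown)"
        report["verify"].append(detail)
    for r in regs:
        if r.inactive:
            report["inactive"].append(r.key)
            continue
        note = next((n for frag, n in KNOWN_REG_PATHS if frag in r.key), None)
        bucket = "explained" if note else "verify"
        report[bucket].append(f"{r.key}: {note}" if note else f"hidden registry entry {r.key}")
    for d in devices:
        report["filters"].append(f"{d.file} attached to {d.device} ({d.driver})")
    return report


if __name__ == "__main__":
    for bucket, lines in triage(SAMPLE_LOG).items():
        print(bucket.upper())
        for entry in lines:
            print("  " + entry)
```

`parse_log` returns the structured entries; `triage` sorts them into entries to verify against a clean kernel or a known-good host, entries explained by the assumed registry-path notes, entries from an inactive ControlSet, and filter attachments, so the kernel `.text` findings are never buried under the hidden-key noise.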