GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-06 11:49:01
Windows 6.1.7600
Running: yeo7x1v3.exe; Driver: C:\Users\userek\AppData\Local\Temp\kwwoapog.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAllocateVirtualMemory [0x9EDBA752]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAlpcConnectPort [0x9EDBA388]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwAssignProcessToJobObject [0x9EDBA440]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwConnectPort [0x9EDBA482]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateFile [0x9EDBA530]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateProcess [0x9EDBADD8]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateProcessEx [0x9EDBAE64]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateThread [0x9EDBAEF4]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateThreadEx [0x9EDBAF96]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwCreateUserProcess [0x9EDBAD68]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwDebugActiveProcess [0x9EDBA580]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwDuplicateObject [0x9EDBA5C2]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwLoadDriver [0x9EDBA606]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenKey [0x9EDBA648]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenSection [0x9EDBA68A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwOpenThread [0x9EDBA6CC]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwProtectVirtualMemory [0x9EDBA79A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwRequestWaitReplyPort [0x9EDBA70E]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwRestoreKey [0x9EDBA7DC]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwResumeThread [0x9EDBA824]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSecureConnectPort [0x9EDBA8B4]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSetValueKey [0x9EDBA866]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSuspendProcess [0x9EDBA958]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwSystemDebugControl [0x9EDBA99A]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwTerminateProcess [0x9EDBA9DC]
SSDT \??\C:\Windows\system32\drivers\PCTAppEvent.sys ZwWriteVirtualMemory [0x9EDBAA2A]

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83021AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83021104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830213F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83009634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83009898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830211DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83021958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830216F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83021F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830221A8

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x91415B9C]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x914159C0]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x91415AFA]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83081599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830A5F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 830AD74C 4 Bytes [52, A7, DB, 9E]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 830AD758 4 Bytes [88, A3, DB, 9E]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 830AD7AC 4 Bytes [40, A4, DB, 9E]
.text ntkrnlpa.exe!RtlSidHashLookup + 2DC 830AD7EC 4 Bytes [82, A4, DB, 9E]
.text ntkrnlpa.exe!RtlSidHashLookup + 2F8 830AD808 4 Bytes [30, A5, DB, 9E]
.text ...
PAGE ntkrnlpa.exe!ZwLoadDriver 831DF291 2 Bytes JMP 91415AFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwLoadDriver + 3 831DF294 4 Bytes [23, 0E, CC, CC] {AND ECX, [ESI]; INT 3 ; INT 3 }
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83246FBF 5 Bytes JMP 914115B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject + 27 83260CF3 5 Bytes JMP 91412FD2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 8326ED63 7 Bytes JMP 914159C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 83318EAC 7 Bytes JMP 91415BA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
? \Device\Harddisk0\Partition2\Windows\system32\drivers\PctWfpFilter.sys System nie może odnaleźć określonej ścieżki. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9183D000, 0x2D5378, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9EDAA300, 0x1B7E, 0xE8000020]
.text peauth.sys 9FE3BC9D 28 Bytes [5E, 93, 1F, 20, 4B, 94, 8D, ...]
.text peauth.sys 9FE3BCC1 28 Bytes [5E, 93, 1F, 20, 4B, 94, 8D, ...]
PAGE peauth.sys 9FE41E20 12 Bytes [66, F0, 67, ED, D7, 9C, 11, ...]
PAGE peauth.sys 9FE41E2D 88 Bytes [6E, AE, BA, 80, A5, 90, EC, ...]
PAGE peauth.sys 9FE4202C 102 Bytes [01, 7A, D4, F6, ED, 80, FC, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 AC439000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 AC439123 629 Bytes [45, 43, AC, FE, 05, 34, 45, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 AC439399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F AC4393FF 51 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 53C3 AC439433 96 Bytes [42, AC, 85, C9, 7C, 18, 8D, ...]
PAGE ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\System32\rundll32.exe[2548] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75085E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2548] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75085E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2548] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75085E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2548] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75085E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000054 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp pctgntdi.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{D340E8B4-21C5-41B1-B01A-9EF9CB4F1C24}\Connection@Name isatap.{719DB6DD-9E88-460B-85F1-FB404D0FEC00}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{D340E8B4-21C5-41B1-B01A-9EF9CB4F1C24}?\Device\{F2818F70-F5EA-46CC-92C8-EAB14F0F5B9C}?\Device\{FF628A0D-EC7C-46B4-BE84-5AEC5598339D}?\Device\{8CC667A4-43D0-45F7-AF06-7B43DFB44537}?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{D340E8B4-21C5-41B1-B01A-9EF9CB4F1C24}"?"{F2818F70-F5EA-46CC-92C8-EAB14F0F5B9C}"?"{FF628A0D-EC7C-46B4-BE84-5AEC5598339D}"?"{8CC667A4-43D0-45F7-AF06-7B43DFB44537}"?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{D340E8B4-21C5-41B1-B01A-9EF9CB4F1C24}?\Device\TCPIP6TUNNEL_{F2818F70-F5EA-46CC-92C8-EAB14F0F5B9C}?\Device\TCPIP6TUNNEL_{FF628A0D-EC7C-46B4-BE84-5AEC5598339D}?\Device\TCPIP6TUNNEL_{8CC667A4-43D0-45F7-AF06-7B43DFB44537}?
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{D340E8B4-21C5-41B1-B01A-9EF9CB4F1C24}@InterfaceName isatap.{719DB6DD-9E88-460B-85F1-FB404D0FEC00}
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{D340E8B4-21C5-41B1-B01A-9EF9CB4F1C24}@ReusableType 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3C 0x56 0x95 0x40 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3C 0x56 0x95 0x40 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\userek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Edytor gry Bitwa o Śródziemie(tm).lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Edytor gry Bitwa o Śródziemie(tm).lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\userek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Rejestracja elektroniczna.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Rejestracja elektroniczna.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\userek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Szukaj uaktualnień.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Szukaj uaktualnień.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\userek\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Usuń Bitwa o Śródziemie\x2122.lnk 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\EA GAMES\Bitwa o Śródziemie\x2122\Usuń Bitwa o Śródziemie\x2122.lnk 1

---- EOF - GMER 1.0.15 ----