GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-31 16:06:06
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST3500630AS rev.3.AAK
Running: yskdexu8.exe; Driver: C:\Users\MATEUS~1\AppData\Local\Temp\ugtiafog.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82A553D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A8ED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\spxf.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8F71ADB9 5 Bytes JMP 85E971D8
? C:\Windows\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[204] kernel32.dll!GetTempFileNameW 769D7039 5 Bytes JMP 10002040 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] kernel32.dll!CreateFileW 769EE8A5 5 Bytes JMP 10001D10 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] ADVAPI32.dll!RegSetValueExA 767514B3 5 Bytes JMP 04CFCC10 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] ADVAPI32.dll!RegSetValueExW 767514D6 5 Bytes JMP 04CFCCD0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] ADVAPI32.dll!RegSetValueW 7676A68A 5 Bytes JMP 04CFCB50 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] ADVAPI32.dll!RegSetValueA 767A0E41 5 Bytes JMP 04CFCA90 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!CreateWindowExW 75F8EC7C 5 Bytes JMP 6D4E38B4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!CreateDialogParamA 75FA1F42 5 Bytes JMP 04CFD020 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!TrackPopupMenu 75FA2228 5 Bytes JMP 04CFC180 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!DialogBoxParamW 75FA3B9B 5 Bytes JMP 04CFD200 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!DialogBoxIndirectParamW 75FB3B7F 5 Bytes JMP 6D61DEC8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!TrackPopupMenuEx 75FB4832 5 Bytes JMP 04CFC2E0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!CreateDialogParamW 75FB5630 5 Bytes JMP 04CFCEA0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!DialogBoxParamA 75FCCF42 5 Bytes JMP 04CFD110 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!DialogBoxIndirectParamA 75FCD274 5 Bytes JMP 6D61DF2B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!MessageBoxIndirectA 75FDE869 5 Bytes JMP 6D61DDFA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!MessageBoxIndirectW 75FDE963 5 Bytes JMP 6D61DD8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!MessageBoxExA 75FDE9C9 5 Bytes JMP 6D61DD2D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!MessageBoxExW 75FDE9ED 5 Bytes JMP 6D61DCCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!MessageBoxA 75FDEA11 5 Bytes JMP 04CFD380 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!MessageBoxW 75FDEA5F 5 Bytes JMP 04CFD460 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] kernel32.dll!GetTempFileNameW 769D7039 5 Bytes JMP 10002040 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] kernel32.dll!CreateFileW 769EE8A5 5 Bytes JMP 10001D10 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!CallNextHookEx 75F8ABE1 5 Bytes JMP 6D453CA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!UnhookWindowsHookEx 75F8ADF9 5 Bytes JMP 6D50D927 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!SetWindowsHookExW 75F8E30C 5 Bytes JMP 6D4A7DF1 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!CreateWindowExW 75F8EC7C 5 Bytes JMP 6D4E38B4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!CreateDialogParamA 75FA1F42 5 Bytes JMP 04B5D020 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!TrackPopupMenu 75FA2228 5 Bytes JMP 04B5C180 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!DialogBoxParamW 75FA3B9B 5 Bytes JMP 04B5D200 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!DialogBoxIndirectParamW 75FB3B7F 5 Bytes JMP 6D61DEC8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!TrackPopupMenuEx 75FB4832 5 Bytes JMP 04B5C2E0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!CreateDialogParamW 75FB5630 5 Bytes JMP 04B5CEA0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!DialogBoxParamA 75FCCF42 5 Bytes JMP 04B5D110 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!DialogBoxIndirectParamA 75FCD274 5 Bytes JMP 6D61DF2B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!MessageBoxIndirectA 75FDE869 5 Bytes JMP 6D61DDFA C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!MessageBoxIndirectW 75FDE963 5 Bytes JMP 6D61DD8F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!MessageBoxExA 75FDE9C9 5 Bytes JMP 6D61DD2D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!MessageBoxExW 75FDE9ED 5 Bytes JMP 6D61DCCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!MessageBoxA 75FDEA11 5 Bytes JMP 04B5D380 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] USER32.dll!MessageBoxW 75FDEA5F 5 Bytes JMP 04B5D460 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ole32.dll!OleLoadFromStream 76256143 5 Bytes JMP 6D61E226 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[328] ole32.dll!CoCreateInstance 76299D0B 5 Bytes JMP 6D4E3442 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88AAE042] \SystemRoot\System32\Drivers\spxf.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88AAE6D6] \SystemRoot\System32\Drivers\spxf.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [88AAE800] \SystemRoot\System32\Drivers\spxf.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [88AAE13E] \SystemRoot\System32\Drivers\spxf.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\System32\rundll32.exe[2344] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75BBFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2344] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75BBFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2344] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75BBFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2344] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75BBFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84A9D1F8
Device \FileSystem\fastfat \FatCdrom 8680E500
Device \Driver\usbuhci \Device\USBPDO-0 85F901F8
Device \Driver\ACPI_HAL \Device\00000044 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-1 85F901F8
Device \Driver\usbuhci \Device\USBPDO-2 85F901F8
Device \Driver\usbehci \Device\USBPDO-3 85EA9500
Device \Driver\usbuhci \Device\USBPDO-4 85F901F8
Device \Driver\usbuhci \Device\USBPDO-5 85F901F8
Device \Driver\usbuhci \Device\USBPDO-6 85F901F8
Device \Driver\volmgr \Device\HarddiskVolume1 84A991F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\usbehci \Device\USBPDO-7 85EA9500
Device \Driver\volmgr \Device\HarddiskVolume2 84A991F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 85AB61F8
Device \Driver\volmgr \Device\HarddiskVolume3 84A991F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000067 864791F8
Device \Driver\USBSTOR \Device\00000068 864791F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{053A71A4-8B57-4DD9-999C-445E18FEA938} 85E711F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 85E711F8
Device \Driver\usbuhci \Device\USBFDO-0 85F901F8
Device \Driver\usbuhci \Device\USBFDO-1 85F901F8
Device \Driver\usbuhci \Device\USBFDO-2 85F901F8
Device \Driver\usbehci \Device\USBFDO-3 85EA9500
Device \Driver\usbuhci \Device\USBFDO-4 85F901F8
Device \Driver\usbuhci \Device\USBFDO-5 85F901F8
Device \Driver\usbuhci \Device\USBFDO-6 85F901F8
Device \Driver\usbehci \Device\USBFDO-7 85EA9500
Device \FileSystem\fastfat \Fat 8680E500
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:3764] 995AEF2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBA 0xF2 0xF4 0x3A ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBA 0xF2 0xF4 0x3A ...

---- Files - GMER 1.0.15 ----

File C:\Users\Mateusz Laskowski\AppData\Roaming\Microsoft\Windows\Cookies\GQ1E33R8.txt 0 bytes

---- EOF - GMER 1.0.15 ----
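Reading a log like this by hand means asking, for every hook line, which module owns the jump target and whether that module is something the system should have. The script below is an added triage example, not part of the scan log and not GMER's own code. It parses the three line shapes that matter here: the user-mode `.text ... 5 Bytes JMP <target> <owner>` inline hooks, the kernel and user `IAT` entries, and the `? <path> <message> !` lines GMER prints when it cannot open the file behind a loaded module. It groups hooks by owning module and marks an owner for review when it is loaded from outside the Windows directory (the AppData toolbar and FLV recorder DLLs above) or when its file could not be found (spxf.sys above). The review flag is a prompt to look closer, not a verdict: the Windows-directory prefix list and the flagging rule are this example's own assumptions, and the sample lines are copied from the log with the Polish descriptions translated. Note that the same log lists `sptd\Cfg` registry keys, so the atapi.sys IAT entries pointing at spxf.sys should be read alongside the presence of the SCSI Pass Through Direct driver on this machine.

```python
"""Triage helper for GMER hook entries (added example, not GMER's own code).

Parses ".text ... JMP" inline hooks, "IAT" hooks and "? <path> <msg> !" lines,
groups hooks by the module that owns the hook target, and flags owners that are
loaded from outside the Windows directory or whose file GMER could not find.
"""
import re
from collections import defaultdict

# Constructed sample: entries copied from the scan above, one per line.
SAMPLE = r"""
? System32\Drivers\spxf.sys The system cannot find the path specified. !
.text C:\Program Files\Internet Explorer\iexplore.exe[204] kernel32.dll!CreateFileW 769EE8A5 5 Bytes JMP 10001D10 C:\Users\Mateusz Laskowski\AppData\Local\FLVService\lib\FLVSrvLib.dll (FLV Service Library for Freecorder/Applian Technologies, Inc.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] ADVAPI32.dll!RegSetValueExW 767514D6 5 Bytes JMP 04CFCCD0 C:\Users\Mateusz Laskowski\AppData\LocalLow\uTorrentBar\tbuTo0.dll (Conduit Toolbar/Conduit Ltd.)
.text C:\Program Files\Internet Explorer\iexplore.exe[204] USER32.dll!CreateWindowExW 75F8EC7C 5 Bytes JMP 6D4E38B4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88AAE042] \SystemRoot\System32\Drivers\spxf.sys
IAT C:\Windows\System32\rundll32.exe[2344] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75BBFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
"""

# ".text <process>[<pid>] <module>!<function> <addr> <n> Bytes JMP <target> <owner> (<description>)"
INLINE_RX = re.compile(
    r"^\.text (?P<proc>.+?)\[(?P<pid>\d+)\] (?P<mod>\S+)!(?P<func>\S+) "
    r"(?P<addr>[0-9A-F]+) (?P<n>\d+) Bytes JMP (?P<target>[0-9A-F]+) "
    r"(?P<owner>.+?)(?: \((?P<desc>[^()]*)\))?$"
)
# User: "IAT <image>[<pid>] @ <dll> [<module>!<function>] [<target>] <owner> (<description>)"
# Kernel entries omit the "[<pid>] @ <dll>" part: "IAT <driver>[<module>!<function>] [<target>] <owner>"
IAT_RX = re.compile(
    r"^IAT (?P<proc>.+?)(?:\[(?P<pid>\d+)\] @ (?P<image>.+?) )?"
    r"\[(?P<mod>[^\]!]+)!(?P<func>[^\]]+)\] \[(?P<target>[0-9A-F]+)\] "
    r"(?P<owner>.+?)(?: \((?P<desc>[^()]*)\))?$"
)
# "? <path> <error text> !" : GMER could not open the file behind a loaded module
UNRESOLVED_RX = re.compile(r"^\? (?P<path>\S+) (?P<msg>.+?) !$")

# Assumption of this example: modules under these prefixes are treated as system-resident.
WINDOWS_PREFIXES = ("c:\\windows\\", "\\systemroot\\")


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def parse_hooks(text):
    """Return one dict per hook line, tagged with kind 'inline' or 'iat'."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        for kind, rx in (("inline", INLINE_RX), ("iat", IAT_RX)):
            m = rx.match(line)
            if m:
                d = m.groupdict()
                d["kind"] = kind
                hooks.append(d)
                break
    return hooks


def parse_unresolved(text):
    """Return lower-cased basenames of files GMER reported it could not find."""
    return {
        basename(m.group("path"))
        for line in text.splitlines()
        if (m := UNRESOLVED_RX.match(line.strip()))
    }


def summarize(text):
    """Group hooks by owning module; 'review' is True for owners outside the
    Windows directory or whose file GMER could not find (heuristic, not verdict)."""
    missing = parse_unresolved(text)
    by_owner = defaultdict(list)
    for h in parse_hooks(text):
        by_owner[h["owner"]].append((h["kind"], h["proc"], h["mod"] + "!" + h["func"]))
    return {
        owner: {
            "hooks": sorted(entries),
            "review": not owner.lower().startswith(WINDOWS_PREFIXES)
            or basename(owner) in missing,
        }
        for owner, entries in by_owner.items()
    }


if __name__ == "__main__":
    for owner, info in summarize(SAMPLE).items():
        print(f"{'REVIEW' if info['review'] else 'ok':6} {owner}")
        for kind, proc, func in info["hooks"]:
            print(f"       {kind:6} {func} in {proc}")
```

Run it on a full log by replacing SAMPLE with the file contents; the IEFRAME.dll and apphelp.dll owners come out as `ok` (Microsoft modules in System32), while the two AppData DLLs and spxf.sys are listed for review. Any owner flagged this way still needs the usual follow-up: confirm the signer and install source of the module, and for a driver whose file cannot be opened, compare the on-disk file list from an offline boot.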