GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-28 01:42:06
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST932032 rev.0001
Running: 21pdjn63.exe; Driver: C:\DOCUME~1\Agent\USTAWI~1\Temp\uxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwAdjustPrivilegesToken [0xA439D690]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwClose [0xA439DF94]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwConnectPort [0xA439EDC8]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwCreateEvent [0xA439F312]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwCreateFile [0xA439E270]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwCreateKey [0xA439C500]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwCreateMutant [0xA439F1F8]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwCreateNamedPipeFile [0xA439D27E]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwCreatePort [0xA439F0CC]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwCreateSection [0xA439D426]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwCreateSemaphore [0xA439F432]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwCreateThread [0xA439DC1C]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwCreateWaitablePort [0xA439F162]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwDebugActiveProcess [0xA43A0B1A]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwDeleteKey [0xA439CB0A]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwDeleteValueKey [0xA439CEBE]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwDeviceIoControlFile [0xA439E6F2]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwDuplicateObject [0xA43A1D26]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwEnumerateKey [0xA439D00A]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwEnumerateValueKey [0xA439D0A2]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwFsControlFile [0xA439E500]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwLoadDriver [0xA43A0C0C]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwLoadKey [0xA439C4DC]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwLoadKey2 [0xA439C4EE]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwMapViewOfSection [0xA43A1374]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwNotifyChangeKey [0xA439D1CE]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwOpenEvent [0xA439F3A8]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwOpenFile [0xA439E016]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwOpenKey [0xA439C6C0]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwOpenMutant [0xA439F288]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwOpenProcess [0xA439D8CC]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwOpenSection [0xA43A110E]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwOpenSemaphore [0xA439F4C8]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwOpenThread [0xA439D7BE]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwQueryKey [0xA439D13A]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwQueryMultipleValueKey [0xA439CD72]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwQuerySection [0xA43A16AE]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwQueryValueKey [0xA439C99C]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwQueueApcThread [0xA43A0FA0]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwRenameKey [0xA439CC2C]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwReplaceKey [0xA439BF16]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwReplyPort [0xA439F82C]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwReplyWaitReceivePort [0xA439F6F2]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwRequestWaitReplyPort [0xA43A08B4]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwRestoreKey [0xA439C28E]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwResumeThread [0xA43A1BC8]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwSaveKey [0xA439BEAE]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwSecureConnectPort [0xA439EB0E]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwSetContextThread [0xA439DE38]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwSetInformationToken [0xA43A0154]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwSetSecurityObject [0xA43A0DAA]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwSetSystemInformation [0xA43A17FE]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwSetValueKey [0xA439C816]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwSuspendProcess [0xA43A18F0]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwSuspendThread [0xA43A1A2A]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwSystemDebugControl [0xA43A0A3E]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwTerminateProcess [0xA439DA68]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwTerminateThread [0xA439D9C8]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwUnmapViewOfSection [0xA43A1552]
SSDT  \SystemRoot\system32\DRIVERS\4077872drv.sys  ZwWriteVirtualMemory [0xA439DB52]

Code  \SystemRoot\system32\DRIVERS\4077872drv.sys  FsRtlCheckLockForReadAccess
Code  \SystemRoot\system32\DRIVERS\4077872drv.sys  IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!FsRtlCheckLockForReadAccess  804EAF84 5 Bytes  JMP A438FFD0 \SystemRoot\system32\DRIVERS\4077872drv.sys
.text  ntkrnlpa.exe!IoIsOperationSynchronous  804EF912 5 Bytes  JMP A43903AC \SystemRoot\system32\DRIVERS\4077872drv.sys
.text  ntkrnlpa.exe!ZwCallbackReturn + 2D68  80504604 12 Bytes  [0C, 0C, 3A, A4, DC, C4, 39, ...] {OR AL, 0xc; CMP AH, [ESP+EBX*8-0x115bc63c]; LES EDI, DWORD [ECX]; MOVSB }
.text  ntkrnlpa.exe!ZwCallbackReturn + 2EE4  80504780 16 Bytes  [2C, CC, 39, A4, 16, BF, 39, ...]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2FD8  80504874 12 Bytes  [F0, 18, 3A, A4, 2A, 1A, 3A, ...]
?  system32\DRIVERS\4077872drv.sys  System nie może odnaleźć określonej ścieżki. !
?  system32\DRIVERS\03938404.sys  System nie może odnaleźć określonej ścieżki. !

---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\SMINST\Scheduler.exe[248] USER32.dll!GetSysColor  7E368E78 5 Bytes  JMP 00418ED0 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[248] USER32.dll!GetSysColorBrush  7E368EAB 5 Bytes  JMP 00418F40 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[248] USER32.dll!SetScrollInfo  7E369056 7 Bytes  JMP 00418DC0 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[248] USER32.dll!GetScrollInfo  7E37DFE2 7 Bytes  JMP 00418D10 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[248] USER32.dll!ShowScrollBar  7E37F2F2 5 Bytes  JMP 00418E90 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[248] USER32.dll!GetScrollPos  7E37F704 5 Bytes  JMP 00418D50 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[248] USER32.dll!SetScrollPos  7E37F750 5 Bytes  JMP 00418E00 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[248] USER32.dll!GetScrollRange  7E37F787 5 Bytes  JMP 00418D80 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[248] USER32.dll!SetScrollRange  7E37F99B 5 Bytes  JMP 00418E40 C:\WINDOWS\SMINST\Scheduler.exe
.text  C:\WINDOWS\SMINST\Scheduler.exe[248] USER32.dll!EnableScrollBar  7E3B8005 7 Bytes  JMP 00418CD0 C:\WINDOWS\SMINST\Scheduler.exe

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
AttachedDevice  \FileSystem\Fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File  C:\WINDOWS\$NtUninstallKB45439$\1332269517  0 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716  0 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\@  2048 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\cfg.ini  62 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\Desktop.ini  4608 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\L  0 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\L\priknwdy  162816 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\oemid  171 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\U  0 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\U\00000001.@  2048 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\U\00000002.@  224768 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\U\00000004.@  1024 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\U\80000000.@  1024 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\U\80000004.@  1024 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\U\80000032.@  115712 bytes
File  C:\WINDOWS\$NtUninstallKB45439$\3300619716\version  998 bytes

---- EOF - GMER 1.0.15 ----