GMER 1.0.15.15319 - http://www.gmer.net Rootkit scan 2010-10-18 09:45:49 Windows 5.1.2600 Dodatek Service Pack 3 Running: xg7gpebr.exe; Driver: C:\DOCUME~1\Adrian\USTAWI~1\Temp\uglyrpod.sys ---- Kernel code sections - GMER 1.0.15 ---- .sfrelocÿÿÿÿsfsync04unknown last section [0xF7425000, 0xBC8, 0x40000040] C:\WINDOWS\system32\drivers\sfsync04.sys unknown last section [0xF7425000, 0xBC8, 0x40000040] init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xF6914870] .text C:\WINDOWS\system32\drivers\oreans32.sys section is writeable [0xF6AE9280, 0x7B1C, 0xE8000020] .text C:\WINDOWS\system32\drivers\ACEDRV07.sys section is writeable [0xA80B7000, 0x328BA, 0xE8000020] .pklstb C:\WINDOWS\system32\drivers\ACEDRV07.sys entry point in ".pklstb" section [0xA80FB000] .relo2 C:\WINDOWS\system32\drivers\ACEDRV07.sys unknown last section [0xA8117000, 0x8E, 0x42000040] .reloc C:\WINDOWS\system32\drivers\acedrv11.sys section is executable [0xA7A46600, 0x25B0C, 0xE0000060] ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\Explorer.EXE[464] C:\WINDOWS\Explorer.EXE section is writeable [0x01001000, 0x44C09, 0xE0000020] .reloc C:\WINDOWS\Explorer.EXE[464] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0xA800, 0xE0000060] .text C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\System32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000020] .rsrc C:\WINDOWS\System32\svchost.exe[1088] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\System32\svchost.exe[1208] C:\WINDOWS\System32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000020] .rsrc C:\WINDOWS\System32\svchost.exe[1208] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\System32\svchost.exe[1272] C:\WINDOWS\System32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000020] .rsrc C:\WINDOWS\System32\svchost.exe[1272] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\system32\svchost.exe[1428] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000020] .rsrc C:\WINDOWS\system32\svchost.exe[1428] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\system32\svchost.exe[1524] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000020] .rsrc C:\WINDOWS\system32\svchost.exe[1524] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\System32\svchost.exe[1616] C:\WINDOWS\System32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000020] .rsrc C:\WINDOWS\System32\svchost.exe[1616] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\system32\svchost.exe[1652] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000020] .rsrc C:\WINDOWS\system32\svchost.exe[1652] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\System32\svchost.exe[1736] C:\WINDOWS\System32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000020] .rsrc C:\WINDOWS\System32\svchost.exe[1736] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .text C:\WINDOWS\system32\svchost.exe[1820] C:\WINDOWS\system32\svchost.exe section is writeable [0x01001000, 0x2C00, 0xE0000020] .rsrc C:\WINDOWS\system32\svchost.exe[1820] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation) Device \Driver\prodrv06 \Device\ProDrv06 E1E62838 Device \Driver\USBSTOR \Device\00000070 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\prohlp02 \Device\ProHlp02 E1009F80 Device \Driver\USBSTOR \Device\00000079 sfsync04.sys (StarForce Protection Synchronization Driver/Protection Technology) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0x78 0xBC 0xF9 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD8 0x72 0x13 0x5C ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD2 0xE0 0x0A 0xE6 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x2E 0xF6 0x61 0xF6 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x70 0xCE 0x04 0x85 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x79 0x79 0xCA 0xAD ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x27 0xB4 0x67 0x3F ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x56 0x17 0xB1 0xBF ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA7 0x24 0xAB 0x13 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x7F 0x18 0xC4 0x63 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5C 0x78 0xBC 0xF9 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD8 0x72 0x13 0x5C ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xD2 0xE0 0x0A 0xE6 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xC6 0x83 0x14 0x3C ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x6B 0x4C 0xB2 0x38 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x64 0x54 0xCC 0x70 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{247680F7-9358-21E7-025F-09EFA900ADD3} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{247680F7-9358-21E7-025F-09EFA900ADD3}@napbkfcgngbcnjfhaenhfeelemln 0x6A 0x61 0x64 0x6A ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{247680F7-9358-21E7-025F-09EFA900ADD3}@majbmfhkfpmjipngkohkflleln 0x6A 0x61 0x64 0x6A ... ---- EOF - GMER 1.0.15 ----