GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-21 21:00:18
Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T1L0-1b WDC_WD600BB-75CAA0 rev.16.06V16 55,90GB
Running: lyy240wf.exe; Driver: D:\DOCUME~1\GuziX\USTAWI~1\Temp\awkcqaog.sys


---- System - GMER 2.0 ----

SSDT  spdx.sys  ZwCreateKey [0xB7EB50E0]
SSDT  spdx.sys  ZwEnumerateKey [0xB7ECDDA4]
SSDT  spdx.sys  ZwEnumerateValueKey [0xB7ECE132]
SSDT  spdx.sys  ZwOpenKey [0xB7EB50C0]
SSDT  spdx.sys  ZwQueryKey [0xB7ECE20A]
SSDT  spdx.sys  ZwQueryValueKey [0xB7ECE08A]
SSDT  spdx.sys  ZwSetValueKey [0xB7ECE29C]

INT 0x62  ?  8A6D2BF8
INT 0x63  ?  8A39DBF8
INT 0x73  ?  8A39DBF8
INT 0x73  ?  8A39DBF8
INT 0x83  ?  8A6D2BF8
INT 0xA4  ?  8A39DBF8
INT 0xB4  ?  8A39DBF8

---- Kernel code sections - GMER 2.0 ----

?      spdx.sys  Nie można odnaleźć określonego pliku. !
.text  D:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB46113C0, 0x95B7EA, 0xE8000020]
.text  USBPORT.SYS!DllUnload  B45F262C 5 Bytes  JMP 8A39D1D8

---- User code sections - GMER 2.0 ----

.text  D:\WINDOWS\System32\svchost.exe[1096] ntdll.dll!NtQueryInformationProcess  7C90E01B 5 Bytes  JMP 011D9DC4
.text  D:\WINDOWS\System32\svchost.exe[1096] NETAPI32.dll!NetpwPathCanonicalize  6FF4A259 5 Bytes  JMP 011D9D64
.text  D:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!NtQueryInformationProcess  7C90E01B 5 Bytes  JMP 009C9DC4

---- Kernel IAT/EAT - GMER 2.0 ----

IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [B7EB6042] spdx.sys
IAT  atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]  [B7EB613E] spdx.sys
IAT  atapi.sys[HAL.dll!READ_PORT_USHORT]  [B7EB60C0] spdx.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]  [B7EB6800] spdx.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]  [B7EB66D6] spdx.sys
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [B7EC5B90] spdx.sys

---- Registry - GMER 2.0 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2  285507792
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x2D 0xFD 0xA0 0xD8 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\mnmrii@DisplayName  Universal Monitor
Reg  HKLM\SYSTEM\ControlSet002\Services\mnmrii@Type  32
Reg  HKLM\SYSTEM\ControlSet002\Services\mnmrii@Start  2
Reg  HKLM\SYSTEM\ControlSet002\Services\mnmrii@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet002\Services\mnmrii@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet002\Services\mnmrii@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\ControlSet002\Services\mnmrii@Description  Zarządza konfiguracją sieci poprzez rejestrację i aktualizację adresów IP i nazw DNS.
Reg  HKLM\SYSTEM\ControlSet002\Services\mnmrii\Parameters  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\mnmrii\Parameters@ServiceDll  D:\WINDOWS\system32\vyhvnxkq.dll
Reg  HKLM\SYSTEM\ControlSet002\Services\pezery@DisplayName  Monitor Task
Reg  HKLM\SYSTEM\ControlSet002\Services\pezery@Type  32
Reg  HKLM\SYSTEM\ControlSet002\Services\pezery@Start  2
Reg  HKLM\SYSTEM\ControlSet002\Services\pezery@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet002\Services\pezery@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet002\Services\pezery@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\ControlSet002\Services\pezery@Description  Rozpoznaje i buforuje nazwy systemu Domain Name System (DNS). Jeśli ta usługa zostanie zatrzymana, ten komputer nie będzie mógł rozpoznawać nazw DNS ani lokalizować kontrolerów domen w usłudze Active Directory. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
Reg  HKLM\SYSTEM\ControlSet002\Services\pezery\Parameters  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\pezery\Parameters@ServiceDll  D:\Documents and Settings\NetworkService\Dane aplikacji\vyhvnxkq.dll
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  F:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x2D 0xFD 0xA0 0xD8 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0xA6 0x38 0x90 0xF6 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0xD2 0x89 0x08 0x21 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\ypuhnrpd@DisplayName  Network System
Reg  HKLM\SYSTEM\ControlSet002\Services\ypuhnrpd@Type  32
Reg  HKLM\SYSTEM\ControlSet002\Services\ypuhnrpd@Start  2
Reg  HKLM\SYSTEM\ControlSet002\Services\ypuhnrpd@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet002\Services\ypuhnrpd@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet002\Services\ypuhnrpd@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\ControlSet002\Services\ypuhnrpd@Description  Zapewnia zarządzanie kompozycjami obsługiwanymi przez użytkownika.
Reg  HKLM\SYSTEM\ControlSet002\Services\ypuhnrpd\Parameters  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\ypuhnrpd\Parameters@ServiceDll  D:\Program Files\Movie Maker\vyhvnxkq.dll

---- EOF - GMER 2.0 ----