GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-09-14 22:35:36 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c ST3250310AS rev.3.AAC 232,88GB Running: tek6n95p.exe; Driver: C:\DOCUME~1\UYTKOW~1\USTAWI~1\Temp\afriiaoc.sys ---- System - GMER 2.1 ---- SSDT spzj.sys ZwCreateKey [0xB7EB50E0] SSDT spzj.sys ZwEnumerateKey [0xB7ECDDA4] SSDT spzj.sys ZwEnumerateValueKey [0xB7ECE132] SSDT spzj.sys ZwOpenKey [0xB7EB50C0] SSDT spzj.sys ZwQueryKey [0xB7ECE20A] SSDT spzj.sys ZwQueryValueKey [0xB7ECE08A] SSDT spzj.sys ZwSetValueKey [0xB7ECE29C] INT 0x62 ? 8A7A3BF8 INT 0x63 ? 8A767BF8 INT 0x73 ? 8A767BF8 INT 0x82 ? 8A7A3BF8 INT 0xB4 ? 8A767BF8 ---- Kernel code sections - GMER 2.1 ---- ? spzj.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB72783C0, 0x70A9FA, 0xE8000020] .text E:\programy uzytkowe\PowerDVD\PowerDVD10\NavFilter\000.fcl section is writeable [0xB396B000, 0x2892, 0xE8000020] .vmp2 E:\programy uzytkowe\PowerDVD\PowerDVD10\NavFilter\000.fcl entry point in ".vmp2" section [0xB398E050] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[344] kernel32.dll!SetUnhandledExceptionFilter 7C8449CD 4 Bytes [C2, 04, 00, 00] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8A7A21F8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys Device \Driver\usbuhci \Device\USBPDO-1 8A7181F8 Device \Driver\usbuhci \Device\USBPDO-2 8A7181F8 Device \Driver\usbuhci \Device\USBPDO-3 8A7181F8 Device \Driver\usbehci \Device\USBPDO-4 8A66A1F8 AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys Device \Driver\Ftdisk \Device\HarddiskVolume1 8A8171F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A8171F8 Device \Driver\Cdrom \Device\CdRom0 8A65B1F8 Device \Driver\Ftdisk \Device\HarddiskVolume3 8A8171F8 Device \Driver\atapi \Device\Ide\IdePort0 [B7E2EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B7E2EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B7E2EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B7E2EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 [B7E2EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 89F951F8 Device \Driver\NetBT \Device\NetbiosSmb 89F951F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{1A5C6FCD-B8A1-4D28-A135-4AC0B840E017} 89F951F8 AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys Device \Driver\usbuhci \Device\USBFDO-0 8A7181F8 Device \Driver\usbuhci \Device\USBFDO-1 8A7181F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89F851F8 Device \Driver\usbuhci \Device\USBFDO-2 8A7181F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89F851F8 Device \Driver\usbuhci \Device\USBFDO-3 8A7181F8 Device \Driver\usbehci \Device\USBFDO-4 8A66A1F8 Device \Driver\Ftdisk \Device\FtControl 8A8171F8 Device \FileSystem\Cdfs \Cdfs 89F3E2D8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spzj.sys >>UNKNOWN [0x8a7c4938]<< 8a7c4938 Trace 1 nt!IofCallDriver -> \Device\Harddisk1\DR1[0x8a784ab8] 8a784ab8 Trace 3 CLASSPNP.SYS[b80e8fd7] -> nt!IofCallDriver -> \Device\00000071[0x8a7f71c0] 8a7f71c0 Trace 5 ACPI.sys[b7e73620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T1L0-c[0x8a763d98] 8a763d98 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\Control\Video\{040D8BAF-BE51-4773-8505-B8C520384888}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet001\Control\Video\{040D8BAF-BE51-4773-8505-B8C520384888}\0001@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet001\Control\Video\{7E6E008A-AA30-464D-973D-D1EB58782280}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0015832a5d93 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0015832a5d93@0cddefb79f5e 0x49 0x5A 0x9D 0xB3 ... Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\0015832a5d93@0023b4c68220 0xA1 0x15 0xB9 0x71 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x4A 0x6B 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4E 0x63 0xE8 0x71 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{040D8BAF-BE51-4773-8505-B8C520384888}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{040D8BAF-BE51-4773-8505-B8C520384888}\0001@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{7E6E008A-AA30-464D-973D-D1EB58782280}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015832a5d93 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015832a5d93@0cddefb79f5e 0x49 0x5A 0x9D 0xB3 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015832a5d93@0023b4c68220 0xA1 0x15 0xB9 0x71 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x4A 0x6B 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4E 0x63 0xE8 0x71 ... Reg HKLM\SYSTEM\ControlSet003\Control\Video\{040D8BAF-BE51-4773-8505-B8C520384888}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet003\Control\Video\{040D8BAF-BE51-4773-8505-B8C520384888}\0001@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet003\Control\Video\{7E6E008A-AA30-464D-973D-D1EB58782280}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015832a5d93 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015832a5d93@0cddefb79f5e 0x49 0x5A 0x9D 0xB3 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015832a5d93@0023b4c68220 0xA1 0x15 0xB9 0x71 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x4A 0x6B 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4E 0x63 0xE8 0x71 ... ---- Files - GMER 2.1 ---- File C:\Program Files\Google\Update\1.3.21.153 0 bytes File C:\Program Files\Google\Update\1.3.21.153\goopdateres_bg.dll 30600 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_bn.dll 29064 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_ca.dll 30088 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_cs.dll 29064 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_da.dll 29576 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_de.dll 31624 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_el.dll 31112 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_en-GB.dll 28552 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_en.dll 28040 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_es-419.dll 29576 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_es.dll 31624 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_et.dll 28552 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_fa.dll 28040 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_fi.dll 29576 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_fil.dll 30600 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_fr.dll 31112 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_hi.dll 29576 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_hr.dll 30088 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_hu.dll 30088 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_id.dll 28552 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_is.dll 29064 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_it.dll 31112 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_iw.dll 26504 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_ja.dll 24968 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_kn.dll 30088 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_ko.dll 23944 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_lt.dll 28552 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_lv.dll 30600 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_ml.dll 32136 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_mr.dll 29064 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_ms.dll 28552 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_nl.dll 30600 bytes executable File C:\Program Files\Google\Update\1.3.21.153\GoogleCrashHandler.exe 217992 bytes executable File C:\Program Files\Google\Update\1.3.21.153\GoogleCrashHandler64.exe 290696 bytes executable File C:\Program Files\Google\Update\1.3.21.153\GoogleUpdate.exe 116648 bytes executable File C:\Program Files\Google\Update\1.3.21.153\GoogleUpdateBroker.exe 59784 bytes executable File C:\Program Files\Google\Update\1.3.21.153\GoogleUpdateHelper.msi 26112 bytes File C:\Program Files\Google\Update\1.3.21.153\GoogleUpdateOnDemand.exe 59784 bytes executable File C:\Program Files\Google\Update\1.3.21.153\GoogleUpdateSetup.exe 784664 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdate.dll 853896 bytes File C:\Program Files\Google\Update\1.3.21.153\goopdateres_am.dll 25480 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_pl.dll 30600 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_pt-BR.dll 29576 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_pt-PT.dll 29576 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_ro.dll 30088 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_ru.dll 29064 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_sk.dll 30088 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_sl.dll 30088 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_sr.dll 29576 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_sv.dll 29576 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_sw.dll 29576 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_ta.dll 30600 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_te.dll 29576 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_th.dll 28040 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_tr.dll 29576 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_uk.dll 29064 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_ur.dll 29064 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_vi.dll 28552 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_zh-CN.dll 22408 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_zh-TW.dll 22408 bytes executable File C:\Program Files\Google\Update\1.3.21.153\npGoogleUpdate3.dll 592776 bytes executable File C:\Program Files\Google\Update\1.3.21.153\psmachine.dll 163208 bytes executable File C:\Program Files\Google\Update\1.3.21.153\psuser.dll 163208 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_ar.dll 27016 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_gu.dll 29064 bytes executable File C:\Program Files\Google\Update\1.3.21.153\goopdateres_no.dll 29576 bytes executable File C:\Program Files\Google\Update\Download 0 bytes File C:\Program Files\Google\Update\Download\{2BF2CA35-CCAF-4E58-BAB7-4163BFA03B88} 0 bytes File C:\Program Files\Google\Update\Download\{2BF2CA35-CCAF-4E58-BAB7-4163BFA03B88}\0.0.0.0 0 bytes File C:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D} 0 bytes File C:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.21.153 0 bytes File C:\Program Files\Google\Update\Download\{430FD4D0-B729-4F61-AA34-91526481799D}\1.3.21.153\GoogleUpdateSetup.exe 784664 bytes executable File C:\Program Files\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24} 0 bytes File C:\Program Files\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\7.5.4413.1752 0 bytes File C:\Program Files\Google\Update\Download\{F69EABDD-A4BB-4555-BE7E-1EA5F59BBA24}\7.5.4413.1752\GoogleToolbarInstaller_updater_signed.exe 530912 bytes executable File C:\Program Files\Google\Update\Download\{FAC06F60-2A65-4C2D-AA63-A803994B9E18} 0 bytes File C:\Program Files\Google\Update\Download\{FAC06F60-2A65-4C2D-AA63-A803994B9E18}\GoogleUpdateSetup.exe 589464 bytes File C:\Program Files\Google\Update\GoogleUpdate.exe 136176 bytes executable <-- ROOTKIT !!! File C:\Program Files\Google\Update\Install 0 bytes File C:\Program Files\Messenger\custsat.dll 33792 bytes executable File C:\Program Files\Messenger\logowin.gif 4821 bytes File C:\Program Files\Messenger\lvback.gif 7047 bytes File C:\Program Files\Messenger\msgsc.dll 83968 bytes executable File C:\Program Files\Messenger\msgslang.dll 180224 bytes executable File C:\Program Files\Messenger\msmsgs.exe 1695232 bytes executable File C:\Program Files\Messenger\newalert.wav 9306 bytes File C:\Program Files\Messenger\newemail.wav 18052 bytes File C:\Program Files\Messenger\online.wav 9306 bytes File C:\Program Files\Messenger\type.wav 4454 bytes File C:\Program Files\Messenger\xpmsgr.chm 135321 bytes File C:\WINDOWS\SoftwareDistribution\DataStore\DataStore.edb 12591104 bytes File C:\WINDOWS\SoftwareDistribution\DataStore\Logs 0 bytes File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.chk 8192 bytes File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb.log 131072 bytes File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb0015F.log 131072 bytes File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb00160.log 131072 bytes File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb00161.log 131072 bytes File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\edb00162.log 131072 bytes File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\res1.log 131072 bytes File C:\WINDOWS\SoftwareDistribution\DataStore\Logs\res2.log 131072 bytes File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.cat 10678 bytes File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.5512.Policy 621 bytes File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.6028.cat 7445 bytes File C:\WINDOWS\WinSxS\Policies\x86_policy.6.0.Microsoft.Windows.Common-Controls_6595b64144ccf1df_x-ww_5ddad775\6.0.2600.6028.Policy 621 bytes ---- Services - GMER 2.1 ---- Service C:\Program Files\Google\Update\GoogleUpdate.exe [DISABLED] gupdate <-- ROOTKIT !!! ---- EOF - GMER 2.1 ----