GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-01 11:00:35
Windows 5.2.3790 Service Pack 2
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS721010G9SA00 rev.MCZOC10H 93.16GB
Running: ukk8pn46.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\kwlyqpog.sys

---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwAdjustPrivilegesToken [0xB8BBC250]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwClose [0xB8BBCA22]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwConnectPort [0xB8BBCE4A]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwCreateFile [0xB8BC0D9E]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwCreateNamedPipeFile [0xB8BBC116]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwCreateSymbolicLinkObject [0xB8BBDEF8]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwCreateThread [0xB8BBC7C6]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwDebugActiveProcess [0xB8BBD92A]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwDeviceIoControlFile [0xB8BBCC1C]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwDuplicateObject [0xB8BBE488]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwFsControlFile [0xB8BBCACE]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwLoadDriver [0xB8BBD9BC]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwOpenFile [0xB8BC0BE2]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwOpenProcess [0xB8BBC480]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwOpenSection [0xB8BBDF22]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwOpenThread [0xB8BBC382]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwQueueApcThread [0xB8BBDC50]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwReplaceKey [0xB8BBB5E6]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwRequestWaitReplyPort [0xB8BBD7B0]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwRestoreKey [0xB8BBB748]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwResumeThread [0xB8BBE2FC]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwSaveKey [0xB8BBB3E8]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwSecureConnectPort [0xB8BBCD0C]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwSetContextThread [0xB8BBC8C6]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwSetSecurityObject [0xB8BBDAB6]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwSetSystemInformation [0xB8BBDF4C]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwSuspendProcess [0xB8BBE030]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwSuspendThread [0xB8BBE150]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwSystemDebugControl [0xB8BBD856]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwTerminateProcess [0xB8BBC61A]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwTerminateThread [0xB8BBC570]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwWriteVirtualMemory [0xB8BBC6FA]

Code  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  FsRtlCheckLockForReadAccess
Code  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  IoIsOperationSynchronous

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!FsRtlCheckLockForReadAccess  808175B8 5 Bytes  JMP B8BCF67C \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text  ntkrnlpa.exe!IoIsOperationSynchronous  8081C796 5 Bytes  JMP B8BCFA56 \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
.text  ntkrnlpa.exe!ZwYieldExecution + 108C  808345A8 12 Bytes  [30, E0, BB, B8, 50, E1, BB, ...] {XOR AL, AH; MOV EBX, 0xbbe150b8; MOV EAX, 0xb8bbd856}
?  alyh.sys  The system cannot find the file specified. !
?  spiu.sys  The system cannot find the file specified. !
.text  USBPORT.SYS!DllUnload  B922A4A8 5 Bytes  JMP 8A37B4E0
init  C:\WINDOWS\system32\DRIVERS\aksifdh.sys  entry point in "init" section [0xF75E0090]
?  C:\WINDOWS\system32\Drivers\uphcleanhlp.sys  The system cannot find the file specified. !

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\winlogon.exe[500] ntdll.dll!NtCreateFile  7C936DDF 5 Bytes  JMP 6340FDC0 c:\program files\uphclean\uphclean.dll (User Profile Hive Cleanup Service/Windows (R) Codename Longhorn DDK provider)
.text  C:\WINDOWS\system32\winlogon.exe[500] ntdll.dll!NtFlushKey  7C93709F 5 Bytes  JMP 6340FCB0 c:\program files\uphclean\uphclean.dll (User Profile Hive Cleanup Service/Windows (R) Codename Longhorn DDK provider)
.text  C:\WINDOWS\system32\winlogon.exe[500] ntdll.dll!NtOpenFile  7C93730F 5 Bytes  JMP 63411BF0 c:\program files\uphclean\uphclean.dll (User Profile Hive Cleanup Service/Windows (R) Codename Longhorn DDK provider)
.text  C:\WINDOWS\system32\winlogon.exe[500] ntdll.dll!NtSetInformationFile  7C9379FF 5 Bytes  JMP 63411CA0 c:\program files\uphclean\uphclean.dll (User Profile Hive Cleanup Service/Windows (R) Codename Longhorn DDK provider)
.text  C:\WINDOWS\system32\winlogon.exe[500] ntdll.dll!NtUnloadKey  7C937C6F 5 Bytes  JMP 6340E520 c:\program files\uphclean\uphclean.dll (User Profile Hive Cleanup Service/Windows (R) Codename Longhorn DDK provider)

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [F728A046] spiu.sys
IAT  atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]  [F728A142] spiu.sys
IAT  atapi.sys[HAL.dll!READ_PORT_USHORT]  [F728A0C4] spiu.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]  [F728A7CE] spiu.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]  [F728A6A4] spiu.sys
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [F7295D7A] spiu.sys

---- Devices - GMER 2.1 ----

Device  \FileSystem\Ntfs \Ntfs  8A7E81F8
Device  \Driver\usbuhci \Device\USBPDO-0  8A37A1F8
Device  \Driver\usbuhci \Device\USBPDO-1  8A37A1F8
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  8A7951F8
Device  \Driver\dmio \Device\DmControl\DmConfig  8A7951F8
Device  \Driver\dmio \Device\DmControl\DmPnP  8A7951F8
Device  \Driver\dmio \Device\DmControl\DmInfo  8A7951F8
Device  \Driver\usbuhci \Device\USBPDO-2  8A37A1F8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{56DE1F5E-C5EE-4ABD-B25F-F366A5061BA5}  8A118500
Device  \Driver\usbehci \Device\USBPDO-3  8A3791F8
Device  \Driver\usbuhci \Device\USBPDO-4  8A37A1F8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  8A7961F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1  snapman.sys (Acronis Snapshot API/Acronis)
Device  \Driver\Ftdisk \Device\HarddiskVolume2  8A7961F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2  snapman.sys (Acronis Snapshot API/Acronis)
Device  \Driver\Cdrom \Device\CdRom0  8A3B5500
Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3  [F720CE60] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort0  [F720CE60] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort1  [F720CE60] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e  [F720CE60] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\Ftdisk \Device\HarddiskVolume3  8A7961F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume3  snapman.sys (Acronis Snapshot API/Acronis)
Device  \Driver\Ftdisk \Device\HarddiskVolume4  8A7961F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume4  snapman.sys (Acronis Snapshot API/Acronis)
Device  \Driver\Ftdisk \Device\HarddiskVolume5  8A7961F8
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume5  snapman.sys (Acronis Snapshot API/Acronis)
Device  \Driver\NetBT \Device\NetBt_Wins_Export  8A118500
Device  \Driver\NetBT \Device\NetbiosSmb  8A118500
Device  \Driver\usbuhci \Device\USBFDO-0  8A37A1F8
Device  \Driver\usbuhci \Device\USBFDO-1  8A37A1F8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  8A2BC1F8
Device  \Driver\usbuhci \Device\USBFDO-2  8A37A1F8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  8A2BC1F8
Device  \Driver\usbuhci \Device\USBFDO-3  8A37A1F8
Device  \Driver\usbehci \Device\USBFDO-4  8A3791F8
Device  \Driver\Ftdisk \Device\FtControl  8A7961F8
Device  \FileSystem\Cdfs \Cdfs  8A1A4500

---- Trace I/O - GMER 2.1 ----

Trace  ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spiu.sys >>UNKNOWN [0x8a737944]<<  8a737944
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6ddab8]  8a6ddab8
Trace  3 CLASSPNP.SYS[f76ce601] -> nt!IofCallDriver -> \Device\00000072[0x8a70c5a8]  8a70c5a8
Trace  5 ACPI.sys[f723c3c0] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a6dc948]  8a6dc948

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2  285507792
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x63 0xC7 0x10 0xD0 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\
Reg  HKLM\SYSTEM\CurrentControlSet\Services\@Parameters\0\x202e\x2764  3824
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x63 0xC7 0x10 0xD0 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\ (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\@Parameters\0\x202e\x2764  3824
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability@LastAliveUptime  1715
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG08.00.00.01WORKSTATION
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION

---- EOF - GMER 2.1 ----
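A log like this is easier to triage by parsing it than by reading it top to bottom. The script below is an added example, not GMER's code and not from the poster, that pulls out the three things a responder checks first: which module owns the SSDT hooks (one AV filter such as klif.sys owning all of them is normal, several unrelated owners are not), which driver names GMER could not resolve to a file on disk (the "? name.sys <error> !" lines), and whether any of those unresolved names also shows up as the target of a kernel IAT hook, as the last resolved module before ">>UNKNOWN" in the disk I/O trace, or as an inline JMP with no owning module printed. It assumes the whitespace-separated column layout shown above; the sample input is an excerpt of the log above, reduced to the lines the rules look at. The rules are triage prompts, not verdicts.

```python
"""Triage helper for GMER 2.1 rootkit-scan text logs (added example, not GMER code)."""
import re
from collections import Counter, defaultdict

# Excerpt of the GMER log above, reduced to the lines the rules below examine.
SAMPLE_LOG = r"""
---- System - GMER 2.1 ----
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwCreateFile [0xB8BC0D9E]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwLoadDriver [0xB8BBD9BC]
SSDT  \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)  ZwWriteVirtualMemory [0xB8BBC6FA]
---- Kernel code sections - GMER 2.1 ----
.text  ntkrnlpa.exe!FsRtlCheckLockForReadAccess  808175B8 5 Bytes  JMP B8BCF67C \SystemRoot\system32\DRIVERS\klif.sys (Klif Mini-Filter [fre_wnet_x86]/Kaspersky Lab)
?  alyh.sys  The system cannot find the file specified. !
?  spiu.sys  The system cannot find the file specified. !
.text  USBPORT.SYS!DllUnload  B922A4A8 5 Bytes  JMP 8A37B4E0
?  C:\WINDOWS\system32\Drivers\uphcleanhlp.sys  The system cannot find the file specified. !
---- Kernel IAT/EAT - GMER 2.1 ----
IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [F728A046] spiu.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]  [F728A6A4] spiu.sys
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [F7295D7A] spiu.sys
---- Trace I/O - GMER 2.1 ----
Trace  ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spiu.sys >>UNKNOWN [0x8a737944]<<  8a737944
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a6ddab8]  8a6ddab8
"""

# Line shapes GMER 2.1 emits; columns are separated by runs of whitespace.
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\([^)]*\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
MISSING_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+(?P<error>.*?)\s*!\s*$")
IAT_RE = re.compile(r"^IAT\s+(?P<importer>\S+?)\[(?P<symbol>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<target>\S+)")
TRACE_RE = re.compile(r"^Trace\s+(?P<chain>.*?)\s+>>UNKNOWN \[0x(?P<addr>[0-9A-Fa-f]+)\]<<")
# Inline patch: GMER prints the owning module after the JMP target when it can attribute it.
INLINE_RE = re.compile(r"^\.text\s+(?P<module>[^!\s]+)!(?P<symbol>\S+).*?\bJMP\s+(?P<target>[0-9A-Fa-f]+)(?:\s+(?P<owner>\S+).*)?$")


def short_name(path):
    """Last component of a Windows path, lower-cased for comparison."""
    return path.rsplit("\\", 1)[-1].lower()


def parse(log_text):
    report = {
        "ssdt_owners": Counter(),            # hooking module -> number of SSDT entries it owns
        "missing": [],                       # driver names GMER could not find on disk
        "iat_by_target": defaultdict(list),  # hooking module -> [(importing driver, symbol)]
        "trace_unknown": [],                 # (last resolved module, address) per unresolved I/O trace
        "inline_unattributed": [],           # (module!symbol, JMP target) with no owner printed
    }
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := SSDT_RE.match(line):
            report["ssdt_owners"][short_name(m["module"])] += 1
        elif m := MISSING_RE.match(line):
            report["missing"].append(short_name(m["path"]))
        elif m := IAT_RE.match(line):
            report["iat_by_target"][short_name(m["target"])].append((short_name(m["importer"]), m["symbol"]))
        elif m := TRACE_RE.match(line):
            report["trace_unknown"].append((m["chain"].split()[-1].lower(), m["addr"]))
        elif m := INLINE_RE.match(line):
            if not m["owner"]:
                report["inline_unattributed"].append((f'{m["module"]}!{m["symbol"]}', m["target"]))
    return report


def findings(report):
    """Turn the parsed sections into the short list a responder reads first."""
    out = []
    if len(report["ssdt_owners"]) > 1:
        out.append("SSDT hooked by more than one module: " + ", ".join(sorted(report["ssdt_owners"])))
    missing = set(report["missing"])
    for target, sites in report["iat_by_target"].items():
        if target in missing:
            out.append(f"{target}: hooks {len(sites)} kernel import(s) but is not on disk")
    for last, addr in report["trace_unknown"]:
        note = " (file not on disk)" if last in missing else ""
        out.append(f"disk I/O path ends in unresolved code at 0x{addr} after {last}{note}")
    for site, target in report["inline_unattributed"]:
        out.append(f"{site} JMP {target}: no owning module listed")
    return out


if __name__ == "__main__":
    for line in findings(parse(SAMPLE_LOG)):
        print(line)
```

On the excerpt this reports spiu.sys hooking three HAL imports while absent from disk, the disk I/O chain ending in unattributed code right after spiu.sys, and the USBPORT.SYS!DllUnload patch with no owner. That is exactly the cluster to look at, but it is not a verdict on its own: the Registry section of the same log lists Services\sptd\Cfg keys, which belong to the SPTD driver shipped with disc-emulation tools, and SPTD is known for hooking atapi.sys imports from a driver GMER cannot map to a file. Confirming or ruling that out (checking the installed software, pulling the driver from the running system) is the next step, not something the parser should decide.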