GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-08 14:54:48 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HD321KJ rev.CP100-10 298,09GB Running: 74bdtw0j.exe; Driver: C:\Users\sebek\AppData\Local\Temp\ugloapow.sys ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82E80A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EBA212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text sptd.sys 8C8C0001 31 Bytes [F7, E0, 82, 34, 92, E1, 82, ...] .text sptd.sys 8C8C0024 10 Bytes [B5, EA, ED, 82, 05, 30, F6, ...] {MOV CH, 0xea; IN EAX, DX; ADD BYTE [0x4582f630], 0xb5} .text sptd.sys 8C8C002F 103 Bytes [83, 68, B5, E7, 82, 11, 89, ...] .text sptd.sys 8C8C0097 49 Bytes [83, 74, CD, EB, 82, E0, B9, ...] .text sptd.sys 8C8C00C9 259 Bytes [BB, E7, 82, B8, 8F, EB, 82, ...] .text ... .sptd2 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd2" section [0x8C96C1AA] ? C:\Windows\System32\Drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[460] USER32.dll!DialogBoxParamW 77B33B9B 5 Bytes JMP 75965820 c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll .text C:\Windows\system32\services.exe[520] USER32.dll!DialogBoxParamW 77B33B9B 5 Bytes JMP 75965820 c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll .text C:\Windows\system32\lsass.exe[536] USER32.dll!DialogBoxParamW 77B33B9B 5 Bytes JMP 75965820 c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll .text C:\Windows\system32\winlogon.exe[576] USER32.dll!DialogBoxParamW 77B33B9B 5 Bytes JMP 75965820 c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll .text C:\Windows\system32\svchost.exe[692] USER32.dll!DialogBoxParamW 77B33B9B 5 Bytes JMP 75965820 c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll .text ... ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtDeleteFile] [7596B000] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtQueryInformationFile] [7596A510] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtSetInformationFile] [7596B060] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtDeleteKey] [7596ED10] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtOpenKey] [7596EBC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtEnumerateKey] [7596E990] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtDeleteValueKey] [7596ED70] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtSetValueKey] [7596EAE0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtQueryValueKey] [7596EA70] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtCreateKey] [7596EB50] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtOpenFile] [7596AE90] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtQueryKey] [7596A4D0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\services.exe[520] @ C:\Windows\system32\services.exe [ntdll.dll!NtClose] [7596EC90] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\winlogon.exe[576] @ C:\Windows\system32\winlogon.exe [ntdll.dll!NtClose] [7596EC90] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\winlogon.exe[576] @ C:\Windows\system32\winlogon.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\winlogon.exe[576] @ C:\Windows\system32\winlogon.exe [KERNEL32.dll!TerminateProcess] [7596A3E0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\winlogon.exe[576] @ C:\Windows\system32\winlogon.exe [KERNEL32.dll!OpenProcess] [7596A390] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\winlogon.exe[576] @ C:\Windows\system32\winlogon.exe [KERNEL32.dll!LoadLibraryW] [7596ACE0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[692] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[692] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7596AC20] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[824] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[824] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7596AC20] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\System32\svchost.exe[924] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\System32\svchost.exe[924] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7596AC20] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\System32\svchost.exe[960] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\System32\svchost.exe[960] @ C:\Windows\System32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7596AC20] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[1020] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[1020] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7596AC20] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[1052] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[1052] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7596AC20] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[1308] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[1308] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7596AC20] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[1652] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[1652] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7596AC20] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[2008] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[2008] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7596AC20] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[2752] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[2752] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7596AC20] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[2812] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[2812] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7596AC20] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[3456] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExA] [7596ABC0] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll IAT C:\Windows\system32\svchost.exe[3456] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] [7596AC20] c:\progra~2\bitguard\271769~1.27\{c16c1~1\bitguard.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 85AF61E8 Device \Driver\usbuhci \Device\USBPDO-0 86E93430 Device \Driver\usbuhci \Device\USBPDO-1 86E93430 Device \Driver\usbuhci \Device\USBPDO-2 86E93430 Device \Driver\usbuhci \Device\USBPDO-3 86E93430 Device \Driver\usbehci \Device\USBPDO-4 86E3F430 Device \Driver\PCI_PNP4436 \Device\00000055 sptd.sys Device \Driver\PCI_PNP4436 \Device\00000055 sptd.sys AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys Device \Driver\PCI_PNP4436 \Device\00000056 sptd.sys Device \Driver\PCI_PNP4436 \Device\00000056 sptd.sys Device \Driver\cdrom \Device\CdRom0 86B5C430 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 85AF41E8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 85AF41E8 Device \Driver\atapi \Device\Ide\IdePort0 85AF41E8 Device \Driver\atapi \Device\Ide\IdePort1 85AF41E8 Device \Driver\atapi \Device\Ide\IdePort2 85AF41E8 Device \Driver\atapi \Device\Ide\IdePort3 85AF41E8 Device \Driver\cdrom \Device\CdRom1 86B5C430 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl 86E95430 Device \Driver\NetBT \Device\NetBt_Wins_Export 86C011E8 Device \Driver\USBSTOR \Device\00000079 878251E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{9A8A4AF6-B3B3-46E5-9E37-49508358C7D0} 86C011E8 AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys Device \Driver\usbuhci \Device\USBFDO-0 86E93430 Device \Driver\usbuhci \Device\USBFDO-1 86E93430 Device \Driver\USBSTOR \Device\0000007a 878251E8 Device \Driver\usbuhci \Device\USBFDO-2 86E93430 Device \Driver\USBSTOR \Device\0000007b 878251E8 Device \Driver\usbuhci \Device\USBFDO-3 86E93430 Device \Driver\USBSTOR \Device\0000007c 878251E8 Device \Driver\usbehci \Device\USBFDO-4 86E3F430 Device \Driver\USBSTOR \Device\0000007d 878251E8 Device \Driver\aoeed9q4 \Device\Scsi\aoeed9q41Port4Path0Target0Lun0 86E5B430 Device \Driver\aoeed9q4 \Device\Scsi\aoeed9q41 86E5B430 Device \Driver\agikmrvl \Device\Scsi\agikmrvl1 86E79430 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x85af41e8]<< 85af41e8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x869b97a0] 869b97a0 Trace 3 CLASSPNP.SYS[8cdde59e] -> nt!IofCallDriver -> [0x86883388] 86883388 Trace 5 ACPI.sys[8ca163d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-2[0x86870330] 86870330 Trace \Driver\atapi[0x86849ce0] -> IRP_MJ_CREATE -> 0x85af41e8 85af41e8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xD8 0xD5 0x01 0x51 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xFD 0xD8 0xA4 0x69 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x2E 0xDD 0x8D 0xE3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x05 0xF1 0xF4 0xC0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x7F 0x7A 0x73 0x11 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDD 0xE2 0xD6 0x54 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xD8 0xD5 0x01 0x51 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xFD 0xD8 0xA4 0x69 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x2E 0xDD 0x8D 0xE3 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB9 0x2D 0x6C 0x9E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x7F 0x7A 0x73 0x11 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDD 0xE2 0xD6 0x54 ... ---- EOF - GMER 2.1 ----