GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-26 20:38:19
Windows 6.1.7601 Service Pack 1 Harddisk1\DR1 -> \Device\Ide\IdePort0 SAMSUNG_HD252HJ rev.1AC01118
Running: old5iufe.exe; Driver: C:\Users\AMP\AppData\Local\Temp\uwliapow.sys

---- System - GMER 1.0.15 ----

SSDT 87857A48 ZwAlertResumeThread
SSDT 87857B28 ZwAlertThread
SSDT 8782C480 ZwAllocateVirtualMemory
SSDT 877F4FB0 ZwAlpcConnectPort
SSDT 878571F0 ZwAssignProcessToJobObject
SSDT 87857798 ZwCreateMutant
SSDT 87826F18 ZwCreateSymbolicLinkObject
SSDT 87855B90 ZwCreateThread
SSDT 87826008 ZwCreateThreadEx
SSDT 878572D0 ZwDebugActiveProcess
SSDT 8782C650 ZwDuplicateObject
SSDT 87858688 ZwFreeVirtualMemory
SSDT 87857888 ZwImpersonateAnonymousToken
SSDT 87857968 ZwImpersonateThread
SSDT 87683048 ZwLoadDriver
SSDT 87858588 ZwMapViewOfSection
SSDT 878576B8 ZwOpenEvent
SSDT 87855A58 ZwOpenProcess
SSDT 8782C570 ZwOpenProcessToken
SSDT 878574F8 ZwOpenSection
SSDT 8782C740 ZwOpenThread
SSDT 87857100 ZwProtectVirtualMemory
SSDT 87858038 ZwResumeThread
SSDT 878582D8 ZwSetContextThread
SSDT 878583B8 ZwSetInformationProcess
SSDT 878573B0 ZwSetSystemInformation
SSDT 878575D8 ZwSuspendProcess
SSDT 87858118 ZwSuspendThread
SSDT 878589E0 ZwTerminateProcess
SSDT 878581F8 ZwTerminateThread
SSDT 878584A8 ZwUnmapViewOfSection
SSDT 87858778 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 83477339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 834B0D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 834B7DD0 8 Bytes [48, 7A, 85, 87, 28, 7B, 85, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 834B7DE8 4 Bytes [80, C4, 82, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 834B7DF4 4 Bytes [B0, 4F, 7F, 87] {MOV AL, 0x4f; JG 0xffffffffffffff8b}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 834B7E48 4 Bytes [F0, 71, 85, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 834B7EC4 4 Bytes [98, 77, 85, 87]
.text ...
.text sptd.sys 83CB6000 8 Bytes [8E, 7A, 40, 83, A0, 57, 40, ...]
.text sptd.sys 83CB6009 23 Bytes [57, 40, 83, 34, F2, 40, 83, ...]
.text sptd.sys 83CB6024 4 Bytes [44, 25, DE, 83]
.text sptd.sys 83CB602C 96 Bytes [7D, 24, 60, 83, D8, 1E, 47, ...]
.text sptd.sys 83CB608D 91 Bytes [55, 47, 83, 1A, 05, 47, 83, ...]
.text ...
.sptd2 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd2" section [0x83D900AD]
? C:\Windows\System32\Drivers\sptd.sys The process cannot access the file because it is being used by another process.
PAGE PCIIDEX.SYS!DllUnload 83E60606 5 Bytes JMP 863401C8
.text USBPORT.SYS!DllUnload 9A945CA0 5 Bytes JMP 87A0F1C8
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xAC763300, 0x3B6D8, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xAC7BC300, 0x1BEE, 0xE8000020]
.text C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl section is writeable [0xADF4B000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl entry point in ".vmp2" section [0xADF6E050]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 77285F18 5 Bytes JMP 0015000A
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtWriteVirtualMemory 77286A98 5 Bytes JMP 002B000A
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!KiUserExceptionDispatcher 77287008 5 Bytes JMP 0014000A
.text C:\Windows\system32\svchost.exe[1068] ole32.dll!CoCreateInstance 76BF9D0B 5 Bytes JMP 00C6000A
.text C:\Windows\system32\svchost.exe[1068] USER32.dll!GetCursorPos 75BBA4B3 5 Bytes JMP 0109000A
.text C:\Program Files\Opera\opera.exe[1320] ntdll.dll!NtProtectVirtualMemory 77285F18 5 Bytes JMP 003A000A
.text C:\Program Files\Opera\opera.exe[1320] ntdll.dll!NtWriteVirtualMemory 77286A98 5 Bytes JMP 005C000A
.text C:\Program Files\Opera\opera.exe[1320] ntdll.dll!KiUserExceptionDispatcher 77287008 5 Bytes JMP 001A000A
.text C:\Program Files\Opera\opera.exe[1320] USER32.dll!GetMessageA 75BC1899 10 Bytes JMP 6EC88110 C:\Program Files\KeyScrambler\KeyScramblerIE.DLL (KeyScrambler Program DLL/QFX Software Corporation)
.text C:\Program Files\Opera\opera.exe[1320] USER32.dll!PeekMessageA 75BC19A5 10 Bytes JMP 6EC88270 C:\Program Files\KeyScrambler\KeyScramblerIE.DLL (KeyScrambler Program DLL/QFX Software Corporation)
.text C:\Program Files\Opera\opera.exe[1320] USER32.dll!PeekMessageW 75BC634A 10 Bytes JMP 6EC88330 C:\Program Files\KeyScrambler\KeyScramblerIE.DLL (KeyScrambler Program DLL/QFX Software Corporation)
.text C:\Program Files\Opera\opera.exe[1320] USER32.dll!GetMessageW 75BCCDE8 10 Bytes JMP 6EC881C0 C:\Program Files\KeyScrambler\KeyScramblerIE.DLL (KeyScrambler Program DLL/QFX Software Corporation)
.text G:\PROGRAMY\Tworzenie logów\OTL.exe[1832] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 0078008D
.text G:\PROGRAMY\Tworzenie logów\OTL.exe[1832] ws2_32.dll!connect 77386BDD 5 Bytes JMP 0078002D
.text G:\PROGRAMY\Tworzenie logów\OTL.exe[1832] ws2_32.dll!getpeername 77387147 5 Bytes JMP 007800BD
.text G:\PROGRAMY\Tworzenie logów\OTL.exe[1832] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 0078005D
.text C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe[2088] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 05B6008D
.text C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe[2088] ws2_32.dll!connect 77386BDD 5 Bytes JMP 05B6002D
.text C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe[2088] ws2_32.dll!getpeername 77387147 5 Bytes JMP 05B600BD
.text C:\Program Files\Norton Internet Security\Engine\18.5.0.125\ccSvcHst.exe[2088] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 05B6005D
.text C:\Windows\system32\taskhost.exe[2100] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 0169008D
.text C:\Windows\system32\taskhost.exe[2100] ws2_32.dll!connect 77386BDD 5 Bytes JMP 0169002D
.text C:\Windows\system32\taskhost.exe[2100] ws2_32.dll!getpeername 77387147 5 Bytes JMP 016900BD
.text C:\Windows\system32\taskhost.exe[2100] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 0169005D
.text C:\Windows\system32\Dwm.exe[2300] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 0355008D
.text C:\Windows\system32\Dwm.exe[2300] ws2_32.dll!connect 77386BDD 5 Bytes JMP 0355002D
.text C:\Windows\system32\Dwm.exe[2300] ws2_32.dll!getpeername 77387147 5 Bytes JMP 035500BD
.text C:\Windows\system32\Dwm.exe[2300] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 0355005D
.text C:\Windows\Explorer.EXE[2328] ntdll.dll!NtProtectVirtualMemory 77285F18 5 Bytes JMP 0058000A
.text C:\Windows\Explorer.EXE[2328] ntdll.dll!NtWriteVirtualMemory 77286A98 5 Bytes JMP 005A000A
.text C:\Windows\Explorer.EXE[2328] ntdll.dll!KiUserExceptionDispatcher 77287008 5 Bytes JMP 0057000A
.text C:\Windows\System32\Ctxfihlp.exe[2720] WS2_32.dll!getsockname 773830AF 5 Bytes JMP 020F008D
.text C:\Windows\System32\Ctxfihlp.exe[2720] WS2_32.dll!connect 77386BDD 5 Bytes JMP 020F002D
.text C:\Windows\System32\Ctxfihlp.exe[2720] WS2_32.dll!getpeername 77387147 5 Bytes JMP 020F00BD
.text C:\Windows\System32\Ctxfihlp.exe[2720] WS2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 020F005D
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2728] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 0012008D
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2728] ws2_32.dll!connect 77386BDD 5 Bytes JMP 0012002D
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2728] ws2_32.dll!getpeername 77387147 5 Bytes JMP 001200BD
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[2728] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 0012005D
.text C:\Program Files\KeyScrambler\KeyScrambler.exe[2744] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 005D008D
.text C:\Program Files\KeyScrambler\KeyScrambler.exe[2744] ws2_32.dll!connect 77386BDD 5 Bytes JMP 005D002D
.text C:\Program Files\KeyScrambler\KeyScrambler.exe[2744] ws2_32.dll!getpeername 77387147 5 Bytes JMP 005D00BD
.text C:\Program Files\KeyScrambler\KeyScrambler.exe[2744] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 005D005D
.text C:\Program Files\RocketDock\RocketDock.exe[3004] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 02CC008D
.text C:\Program Files\RocketDock\RocketDock.exe[3004] ws2_32.dll!connect 77386BDD 5 Bytes JMP 02CC002D
.text C:\Program Files\RocketDock\RocketDock.exe[3004] ws2_32.dll!getpeername 77387147 5 Bytes JMP 02CC00BD
.text C:\Program Files\RocketDock\RocketDock.exe[3004] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 02CC005D
.text C:\Windows\SYSTEM32\CTXFISPI.EXE[3112] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 01EE008D
.text C:\Windows\SYSTEM32\CTXFISPI.EXE[3112] ws2_32.dll!connect 77386BDD 5 Bytes JMP 01EE002D
.text C:\Windows\SYSTEM32\CTXFISPI.EXE[3112] ws2_32.dll!getpeername 77387147 5 Bytes JMP 01EE00BD
.text C:\Windows\SYSTEM32\CTXFISPI.EXE[3112] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 01EE005D
.text C:\Program Files\OSCAR Editor X7\OscarEditor.exe[3632] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 0002008D
.text C:\Program Files\OSCAR Editor X7\OscarEditor.exe[3632] ws2_32.dll!connect 77386BDD 5 Bytes JMP 0002002D
.text C:\Program Files\OSCAR Editor X7\OscarEditor.exe[3632] ws2_32.dll!getpeername 77387147 5 Bytes JMP 000200BD
.text C:\Program Files\OSCAR Editor X7\OscarEditor.exe[3632] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 0002005D
.text C:\Program Files\LG Soft India\EasySetPackage\bin\EasySetPackage.exe[3700] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 0129008D
.text C:\Program Files\LG Soft India\EasySetPackage\bin\EasySetPackage.exe[3700] ws2_32.dll!connect 77386BDD 5 Bytes JMP 0129002D
.text C:\Program Files\LG Soft India\EasySetPackage\bin\EasySetPackage.exe[3700] ws2_32.dll!getpeername 77387147 5 Bytes JMP 012900BD
.text C:\Program Files\LG Soft India\EasySetPackage\bin\EasySetPackage.exe[3700] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 0129005D
.text C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe[3880] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 0021008D
.text C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe[3880] ws2_32.dll!connect 77386BDD 5 Bytes JMP 0021002D
.text C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe[3880] ws2_32.dll!getpeername 77387147 5 Bytes JMP 002100BD
.text C:\Program Files\Raxco\PerfectDisk\PDAgentS1.exe[3880] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 0021005D
.text C:\Program Files\LG Soft India\EasySetPackage\bin\TestDDCCI.exe[4008] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 003E008D
.text C:\Program Files\LG Soft India\EasySetPackage\bin\TestDDCCI.exe[4008] ws2_32.dll!connect 77386BDD 5 Bytes JMP 003E002D
.text C:\Program Files\LG Soft India\EasySetPackage\bin\TestDDCCI.exe[4008] ws2_32.dll!getpeername 77387147 5 Bytes JMP 003E00BD
.text C:\Program Files\LG Soft India\EasySetPackage\bin\TestDDCCI.exe[4008] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 003E005D
.text C:\Windows\notepad.exe[5144] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 0017008D
.text C:\Windows\notepad.exe[5144] ws2_32.dll!connect 77386BDD 5 Bytes JMP 0017002D
.text C:\Windows\notepad.exe[5144] ws2_32.dll!getpeername 77387147 5 Bytes JMP 001700BD
.text C:\Windows\notepad.exe[5144] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 0017005D
.text G:\PROGRAMY\Tworzenie logów\old5iufe.exe[5564] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 0033008D
.text G:\PROGRAMY\Tworzenie logów\old5iufe.exe[5564] ws2_32.dll!connect 77386BDD 5 Bytes JMP 0033002D
.text G:\PROGRAMY\Tworzenie logów\old5iufe.exe[5564] ws2_32.dll!getpeername 77387147 5 Bytes JMP 003300BD
.text G:\PROGRAMY\Tworzenie logów\old5iufe.exe[5564] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 0033005D
.text C:\Windows\notepad.exe[6056] ws2_32.dll!getsockname 773830AF 5 Bytes JMP 0027008D
.text C:\Windows\notepad.exe[6056] ws2_32.dll!connect 77386BDD 5 Bytes JMP 0027002D
.text C:\Windows\notepad.exe[6056] ws2_32.dll!getpeername 77387147 5 Bytes JMP 002700BD
.text C:\Windows\notepad.exe[6056] ws2_32.dll!WSAConnect 7738CC3F 5 Bytes JMP 0027005D

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [83CB771C] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [83CB7F0E] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [83CB822E] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [83CB80EC] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [83CB7910] \SystemRoot\System32\Drivers\sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 863451E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{0A1FBDFE-1558-40FA-8C26-FEC95A62E891} 877E41E8
Device \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskSAMSUNG_HD252HJ_________________________1AC01118#5&2710d646&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167b68e75
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158338f13a
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158338f13a@68ebaedcbfec 0x22 0xAC 0x1C 0x0D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xDE 0xDF 0x47 0x45 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x17 0xDF 0x9D 0x33 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x03 0xA0 0xEB 0x5D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5F 0xBD 0x93 0x49 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167b68e75 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158338f13a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158338f13a@68ebaedcbfec 0x22 0xAC 0x1C 0x0D ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xDE 0xDF 0x47 0x45 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x17 0xDF 0x9D 0x33 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x03 0xA0 0xEB 0x5D ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5F 0xBD 0x93 0x49 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\8DCD8441-C90C-4539-8C2D-1154575F1E0B@IPAddress ::1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D3526281-9778-85AB-8B4F-9D8C1E165D13}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D3526281-9778-85AB-8B4F-9D8C1E165D13}@maojanmddeodpeiencfdpccmdj 0x6F 0x61 0x70 0x6C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D3526281-9778-85AB-8B4F-9D8C1E165D13}@abpjdnkjjjiokgfobendobndggcbiemmph 0x69 0x61 0x6D 0x69 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk1\DR1 TDL4@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk1\DR1 sector 00: rootkit-like behavior

---- Files - GMER 1.0.15 ----

File C:\Users\AMP\AppData\Local\Xenocode\Sandbox\ Alcohol 120% 2.0.1.2031 Retail\2.0.1.2031\2010.09.14T23.23\Virtual\SXS\Alcohol Soft Development Team@1.0.0.\Alcohol Soft Development Team.manifest 588 bytes
File C:\Users\AMP\AppData\Local\Xenocode\Sandbox\ Alcohol 120% 2.0.1.2031 Retail\2.0.1.2031\2010.09.14T23.23\Virtual\SXS\Alcohol Soft Development Team@1.0.0.\Alcohol Soft Development Team@1.0.0..manifest 588 bytes
File C:\Users\AMP\AppData\Local\Xenocode\Sandbox\ Alcohol 120% 2.0.1.2031 Retail\2.0.1.2031\2010.09.14T23.23\Virtual\SXS\Alcohol Soft Development Team@1.9.7.\Alcohol Soft Development Team.manifest 588 bytes
File C:\Users\AMP\AppData\Local\Xenocode\Sandbox\ Alcohol 120% 2.0.1.2031 Retail\2.0.1.2031\2010.09.14T23.23\Virtual\SXS\Alcohol Soft Development Team@1.9.7.\Alcohol Soft Development Team@1.9.7..manifest 588 bytes
File C:\Users\AMP\AppData\Local\Xenocode\Sandbox\ Alcohol 120% 2.0.1.2031 Retail\2.0.1.2031\2010.09.14T23.23\Virtual\SXS\Alcohol Soft Development Team@1.9.9.\Alcohol Soft Development Team.manifest 588 bytes
File C:\Users\AMP\AppData\Local\Xenocode\Sandbox\ Alcohol 120% 2.0.1.2031 Retail\2.0.1.2031\2010.09.14T23.23\Virtual\SXS\Alcohol Soft Development Team@1.9.9.\Alcohol Soft Development Team@1.9.9..manifest 588 bytes

---- EOF - GMER 1.0.15 ----
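Added example, not part of the GMER log above and not written by its author or by GMER's developer: a small Python triage script for logs in this exact format. It parses the four line shapes that carry the findings above (SSDT entries, kernel code patches, user-mode inline JMP hooks, disk-sector verdicts), flags SSDT handlers that fall outside an assumed ntkrnlpa.exe address range (the 0x878xxxxx handlers versus the 0x834xxxxx addresses GMER prints for ntkrnlpa.exe code), separates inline hooks that GMER resolved to a named module (the KeyScramblerIE.DLL entries) from JMPs into memory it could not attribute to any module (the 0x0015000A-style targets), and counts how many processes share the same unresolved hook, which is how the identical ws2_32 hook set in every process stands out as a system-wide injection rather than one compromised process. The kernel range, the sample lines (copied from the log) and the severity labels are the example's own assumptions and heuristics, not GMER's; the MBR line is the one verdict GMER itself labels as a rootkit, and it should be treated as the headline finding.

```python
"""Triage helper for GMER 1.0.15 log lines (added example; not GMER's code, not from the log's author)."""
import re
from collections import defaultdict

# ASSUMPTION: address range of ntkrnlpa.exe on this 32-bit Windows 7 host, inferred from the
# 0x834xxxxx addresses GMER prints for ntkrnlpa.exe entries in the log above. On a real case
# take the base and size from the loaded-module list instead of guessing.
KERNEL_RANGE = (0x83400000, 0x83800000)

# Constructed sample: a handful of lines copied from the log above, one of each shape we model.
SAMPLE_LOG = r"""
SSDT 87857A48 ZwAlertResumeThread
SSDT 87683048 ZwLoadDriver
.text ntkrnlpa.exe!ZwSaveKey + 13C1 83477339 1 Byte [06]
.text C:\Windows\system32\svchost.exe[1068] ntdll.dll!NtProtectVirtualMemory 77285F18 5 Bytes JMP 0015000A
.text C:\Program Files\Opera\opera.exe[1320] USER32.dll!GetMessageA 75BC1899 10 Bytes JMP 6EC88110 C:\Program Files\KeyScrambler\KeyScramblerIE.DLL (KeyScrambler Program DLL/QFX Software Corporation)
.text C:\Windows\notepad.exe[5144] ws2_32.dll!connect 77386BDD 5 Bytes JMP 0017002D
.text C:\Windows\system32\taskhost.exe[2100] ws2_32.dll!connect 77386BDD 5 Bytes JMP 0169002D
Disk \Device\Harddisk1\DR1 TDL4@MBR code has been found <-- ROOTKIT !!!
"""

# Line shapes, as GMER 1.0.15 prints them. Anything else (IAT, Reg, File, Device) is skipped here.
RE_SSDT = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\S+)$")
RE_KPATCH = re.compile(r"^\.text\s+(\S+)!(\S+)\s+\+\s+[0-9A-F]+\s+([0-9A-F]{8})\s+(\d+)\s+Bytes?\s+\[")
RE_UHOOK = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<module>[^!\s]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes?\s+JMP\s+(?P<target>[0-9A-F]{8})"
    r"(?:\s+(?P<resolved>.+))?$")          # GMER appends the owning module when it can resolve the target
RE_DISK = re.compile(r"^Disk\s+(\S+)\s+(.*rootkit.*)$", re.IGNORECASE)

SEVERITY_ORDER = {"critical": 0, "high": 1, "review": 2, "info": 3}


def parse_gmer(text):
    """Turn GMER log lines into dicts; lines from sections we do not model are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if m := RE_SSDT.match(line):
            entries.append({"kind": "ssdt", "func": m[2], "handler": int(m[1], 16)})
        elif m := RE_KPATCH.match(line):
            entries.append({"kind": "kpatch", "func": f"{m[1]}!{m[2]}", "addr": int(m[3], 16), "size": int(m[4])})
        elif m := RE_UHOOK.match(line):
            d = m.groupdict()
            entries.append({"kind": "uhook", "image": d["image"], "pid": int(d["pid"]),
                            "func": f'{d["module"].lower()}!{d["func"]}',   # normalise WS2_32.dll / ws2_32.dll
                            "target": int(d["target"], 16), "resolved": d["resolved"]})
        elif m := RE_DISK.match(line):
            entries.append({"kind": "disk", "device": m[1], "msg": m[2]})
    return entries


def classify(entries, kernel_range=KERNEL_RANGE):
    """Attach a severity and a reason to each entry (heuristics of this example, not GMER's)."""
    lo, hi = kernel_range
    findings = []
    for e in entries:
        if e["kind"] == "disk":
            sev, why = "critical", "GMER reports rootkit code in the boot sector; image the disk before remediation"
        elif e["kind"] == "ssdt":
            inside = lo <= e["handler"] < hi
            sev = "info" if inside else "high"
            why = "SSDT entry points into the kernel image" if inside else "SSDT entry redirected outside the kernel image"
        elif e["kind"] == "kpatch":
            sev, why = "review", f"{e['size']}-byte patch in kernel code; compare bytes against a clean copy"
        elif e["resolved"]:
            sev, why = "info", f"inline hook resolved to {e['resolved']}"
        else:
            sev, why = "review", "inline JMP to memory GMER could not map to a loaded module"
        findings.append({**e, "severity": sev, "reason": why})
    return findings


def hook_spread(findings):
    """Number of distinct processes carrying the same unresolved user-mode hook, per hooked export.
    The same hook in every process points at a system-wide injector; one hook in one process does not."""
    spread = defaultdict(set)
    for f in findings:
        if f["kind"] == "uhook" and not f["resolved"]:
            spread[f["func"]].add(f["pid"])
    return {func: len(pids) for func, pids in spread.items()}


def triage(text, kernel_range=KERNEL_RANGE):
    """Parse, classify and sort so the worst findings are read first."""
    return sorted(classify(parse_gmer(text), kernel_range), key=lambda f: SEVERITY_ORDER[f["severity"]])


if __name__ == "__main__":
    findings = triage(SAMPLE_LOG)
    for f in findings:
        print(f"{f['severity']:8} {f['kind']:6} {f.get('func', f.get('device'))}: {f['reason']}")
    print("unresolved hook spread:", hook_spread(findings))
```

Feed the full log to `triage()` instead of `SAMPLE_LOG` and the ws2_32 set shows up with a spread of fifteen processes while the KeyScrambler entries drop to info; the heuristics only rank what GMER already printed, so a clean SSDT and an empty user-code section still leave the MBR verdict to be confirmed offline against the disk itself.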