GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-14 14:51:04
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD1600JB-00REA0 rev.20.00K20
Running: xgk7k30y.exe; Driver: C:\DOCUME~1\Marcin\USTAWI~1\Temp\pgtdypob.sys

---- System - GMER 1.0.15 ----

SSDT F8232CD6 ZwCreateKey
SSDT F8232CCC ZwCreateThread
SSDT F8232CDB ZwDeleteKey
SSDT F8232CE5 ZwDeleteValueKey
SSDT F8232CEA ZwLoadKey
SSDT F8232CB8 ZwOpenProcess
SSDT F8232CBD ZwOpenThread
SSDT F8232CF4 ZwReplaceKey
SSDT F8232CEF ZwRestoreKey
SSDT F8232CE0 ZwSetValueKey
SSDT F8232CC7 ZwTerminateProcess
SSDT \??\C:\WINNT\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB85F96D0]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 250C 80501D44 4 Bytes [EA, 2C, 23, F8]
.text C:\WINNT\system32\DRIVERS\nv4_mini.sys section is writeable [0xF65C2360, 0x3CDCE5, 0xE8000020]
? C:\WINNT\system32\Drivers\uphcleanhlp.sys Nie można odnaleźć określonego pliku. !

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[488] @ C:\WINNT\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\prodrv06 \Device\ProDrv06 E1B1E940
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 E182C3E0
Device \Driver\nvgts \Device\Scsi\nvgts1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x75 0xB6 0x31 0x60 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 E:\Programy\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x4C 0x2B 0xEE 0x2C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0D 0x0D 0xAF 0x41 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x96 0x2E 0xF5 0x5C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x58 0x6D 0xEE 0x06 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 E:\Programy\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x4C 0x2B 0xEE 0x2C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xBB 0xED 0x40 0x4E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x21 0xB5 0x33 0xAE ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x75 0xB6 0x31 0x60 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 E:\Programy\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x4C 0x2B 0xEE 0x2C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0D 0x0D 0xAF 0x41 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg41@ujdew 0x96 0x2E 0xF5 0x5C ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}@FriendlyName Windows Media Player Exception Pack
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}@ComponentGUID {CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}@Version 589824
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}@Sub-Version 2980
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}@ExceptionInfName C:\WINNT\RegisteredPackages\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}\wmexpack.inf
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\ExceptionComponents\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}@ExceptionCatalogName C:\WINNT\RegisteredPackages\{CAC24AF7-5447-4F19-9FA6-F6E6E69D395E}\wmexpack.cat
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwDir@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Setup\OptionalComponents\SwFlash@Installed 1
Reg HKLM\SOFTWARE\Microsoft\Windows Media Device Manager\Plugins\SP\NeroBurnPlugin@ProgID MDNeroBurnPlugin.MDNeroBurnPlugin
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F00226B-60BB-FE4A-3A73-BF007CCB7EA3}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F00226B-60BB-FE4A-3A73-BF007CCB7EA3}@damghene 0x64 0x62 0x64 0x66 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F00226B-60BB-FE4A-3A73-BF007CCB7EA3}@iahdfnhlhhapkmfalf 0x69 0x61 0x65 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5F00226B-60BB-FE4A-3A73-BF007CCB7EA3}@hajeplhdafhadcfc 0x69 0x61 0x65 0x65 ...

---- EOF - GMER 1.0.15 ----