GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-07 22:40:15
Windows 5.1.2600 Service Pack 3
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JB-00ETA0 rev.77.07W77
Running: ule2gw9i.exe; Driver: C:\DOCUME~1\MK091A~1\USTAWI~1\Temp\kwadrfog.sys

---- System - GMER 1.0.15 ----

SSDT F8E8415E ZwCreateKey
SSDT F8E84154 ZwCreateThread
SSDT F8E84163 ZwDeleteKey
SSDT F8E8416D ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey [0xF8732018]
SSDT sptd.sys ZwEnumerateValueKey [0xF87323A6]
SSDT F8E84172 ZwLoadKey
SSDT sptd.sys ZwOpenKey [0xF86FDF80]
SSDT F8E84140 ZwOpenProcess
SSDT F8E84145 ZwOpenThread
SSDT sptd.sys ZwQueryKey [0xF873247E]
SSDT sptd.sys ZwQueryValueKey [0xF87322FE]
SSDT F8E8417C ZwReplaceKey
SSDT F8E84177 ZwRestoreKey
SSDT F8E84168 ZwSetValueKey

INT 0x62 ? 833A0CB8
INT 0x63 ? 83271CB8
INT 0x63 ? 83271CB8
INT 0x82 ? 833A0CB8
INT 0x83 ? 833A0CB8
INT 0x83 ? 833A0CB8
INT 0x83 ? 83271CB8
INT 0x83 ? 833A0CB8
INT 0xA4 ? 83271CB8
INT 0xB4 ? 83271CB8

Code \??\C:\DOCUME~1\MK091A~1\USTAWI~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text sptd.sys F86C1000 28 Bytes [30, 28, 70, 80, A6, 7B, 70, ...]
.text sptd.sys F86C101D 3 Bytes [29, 70, 80] {SUB [EAX-0x80], ESI}
.text sptd.sys F86C1024 8 Bytes [CA, 94, 50, 80, 05, 10, 55, ...]
.text sptd.sys F86C102D 63 Bytes [20, 5D, 80, A5, A2, 4D, 80, ...]
.text sptd.sys F86C106D 39 Bytes [91, 58, 80, 6D, A2, 4D, 80, ...]
.text ...
.sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF876B9E3]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF74FC360, 0x24526E, 0xE8000020]
.text USBPORT.SYS!DllUnload F74DC8AC 5 Bytes JMP 832711C8

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 156280323
Disk \Device\Harddisk0\DR0 PE file @ sector 156280345
Disk \Device\Harddisk0\DR0 MBRoot/Sinowal@MBR code has been found <-- ROOTKIT !!!

---- Kernel code sections - GMER 1.0.15 ----

? system32\drivers\xpsec.sys The system cannot find the path specified. !
? system32\drivers\xcpip.sys The system cannot find the path specified. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS The system cannot find the file specified. !
? C:\DOCUME~1\MK091A~1\USTAWI~1\Temp\catchme.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[584] Secur32.dll!LsaLogonUser 77FE33F1 5 Bytes JMP 01442C81
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1448] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01AA9F7E
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1448] WS2_32.dll!send 71A54C27 5 Bytes JMP 01AA9B1B
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1448] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01AA9E30
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1448] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01AA9BFC
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1448] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01AA9CCF
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2076] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01299F7E
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2076] WS2_32.dll!send 71A54C27 5 Bytes JMP 01299B1B
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2076] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01299E30
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2076] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01299BFC
.text C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe[2076] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01299CCF
.text C:\Program Files\CardDetector\HUAWEI1752_1552\CardDetector.exe[2204] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01059F7E
.text C:\Program Files\CardDetector\HUAWEI1752_1552\CardDetector.exe[2204] WS2_32.dll!send 71A54C27 5 Bytes JMP 01059B1B
.text C:\Program Files\CardDetector\HUAWEI1752_1552\CardDetector.exe[2204] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01059E30
.text C:\Program Files\CardDetector\HUAWEI1752_1552\CardDetector.exe[2204] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01059BFC
.text C:\Program Files\CardDetector\HUAWEI1752_1552\CardDetector.exe[2204] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01059CCF
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2272] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00EF9F7E
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2272] WS2_32.dll!send 71A54C27 5 Bytes JMP 00EF9B1B
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2272] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 00EF9E30
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2272] WS2_32.dll!recv 71A5676F 5 Bytes JMP 00EF9BFC
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2272] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00EF9CCF
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2332] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00E89F7E
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2332] WS2_32.dll!send 71A54C27 5 Bytes JMP 00E89B1B
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2332] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 00E89E30
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2332] WS2_32.dll!recv 71A5676F 5 Bytes JMP 00E89BFC
.text C:\Program Files\HP\Digital Imaging\bin\hpqbam08.exe[2332] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00E89CCF
.text E:\Deskboard\deskboard.exe[2364] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 037F9F7E
.text E:\Deskboard\deskboard.exe[2364] WS2_32.dll!send 71A54C27 5 Bytes JMP 037F9B1B
.text E:\Deskboard\deskboard.exe[2364] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 037F9E30
.text E:\Deskboard\deskboard.exe[2364] WS2_32.dll!recv 71A5676F 5 Bytes JMP 037F9BFC
.text E:\Deskboard\deskboard.exe[2364] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 037F9CCF
.text C:\Program Files\Outlook Express\msimn.exe[2440] ws2_32.dll!closesocket 71A53E2B 5 Bytes JMP 03109F7E
.text C:\Program Files\Outlook Express\msimn.exe[2440] ws2_32.dll!send 71A54C27 5 Bytes JMP 03109B1B
.text C:\Program Files\Outlook Express\msimn.exe[2440] ws2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 03109E30
.text C:\Program Files\Outlook Express\msimn.exe[2440] ws2_32.dll!recv 71A5676F 5 Bytes JMP 03109BFC
.text C:\Program Files\Outlook Express\msimn.exe[2440] ws2_32.dll!WSASend 71A568FA 5 Bytes JMP 03109CCF
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2496] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01049F7E
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2496] WS2_32.dll!send 71A54C27 5 Bytes JMP 01049B1B
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2496] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01049E30
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2496] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01049BFC
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[2496] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01049CCF
.text C:\WINDOWS\System32\alg.exe[2508] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00C89F7E
.text C:\WINDOWS\System32\alg.exe[2508] WS2_32.dll!send 71A54C27 5 Bytes JMP 00C89B1B
.text C:\WINDOWS\System32\alg.exe[2508] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 00C89E30
.text C:\WINDOWS\System32\alg.exe[2508] WS2_32.dll!recv 71A5676F 5 Bytes JMP 00C89BFC
.text C:\WINDOWS\System32\alg.exe[2508] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00C89CCF
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2552] ws2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01F09F7E
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2552] ws2_32.dll!send 71A54C27 5 Bytes JMP 01F09B1B
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2552] ws2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01F09E30
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2552] ws2_32.dll!recv 71A5676F 5 Bytes JMP 01F09BFC
.text C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe[2552] ws2_32.dll!WSASend 71A568FA 5 Bytes JMP 01F09CCF
.text E:\systray\systrayapp.exe[2572] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01149F7E
.text E:\systray\systrayapp.exe[2572] WS2_32.dll!send 71A54C27 5 Bytes JMP 01149B1B
.text E:\systray\systrayapp.exe[2572] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01149E30
.text E:\systray\systrayapp.exe[2572] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01149BFC
.text E:\systray\systrayapp.exe[2572] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01149CCF
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2624] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01BF9F7E
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2624] WS2_32.dll!send 71A54C27 5 Bytes JMP 01BF9B1B
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2624] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01BF9E30
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2624] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01BF9BFC
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2624] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01BF9CCF
.text C:\WINDOWS\explorer.exe[2848] USER32.dll!DisplayExitWindowsWarnings 7E3A9F91 5 Bytes JMP 00F72A93
.text C:\WINDOWS\explorer.exe[2848] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 019B9F7E
.text C:\WINDOWS\explorer.exe[2848] WS2_32.dll!send 71A54C27 5 Bytes JMP 019B9B1B
.text C:\WINDOWS\explorer.exe[2848] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 019B9E30
.text C:\WINDOWS\explorer.exe[2848] WS2_32.dll!recv 71A5676F 5 Bytes JMP 019B9BFC
.text C:\WINDOWS\explorer.exe[2848] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 019B9CCF
.text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2888] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00F29F7E
.text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2888] WS2_32.dll!send 71A54C27 5 Bytes JMP 00F29B1B
.text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2888] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 00F29E30
.text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2888] WS2_32.dll!recv 71A5676F 5 Bytes JMP 00F29BFC
.text C:\Program Files\HP\Digital Imaging\bin\hpqgpc01.exe[2888] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00F29CCF
.text C:\Program Files\Java\jre6\bin\jqs.exe[3124] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 02019F7E
.text C:\Program Files\Java\jre6\bin\jqs.exe[3124] WS2_32.dll!send 71A54C27 5 Bytes JMP 02019B1B
.text C:\Program Files\Java\jre6\bin\jqs.exe[3124] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 02019E30
.text C:\Program Files\Java\jre6\bin\jqs.exe[3124] WS2_32.dll!recv 71A5676F 5 Bytes JMP 02019BFC
.text C:\Program Files\Java\jre6\bin\jqs.exe[3124] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 02019CCF
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3276] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01459F7E
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3276] WS2_32.dll!send 71A54C27 5 Bytes JMP 01459B1B
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3276] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01459E30
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3276] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01459BFC
.text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[3276] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01459CCF
.text C:\Program Files\Mozilla Firefox\firefox.exe[3636] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\AlertModule\0\AlertModule.exe[3964] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01589F7E
.text C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\AlertModule\0\AlertModule.exe[3964] WS2_32.dll!send 71A54C27 5 Bytes JMP 01589B1B
.text C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\AlertModule\0\AlertModule.exe[3964] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01589E30
.text C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\AlertModule\0\AlertModule.exe[3964] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01589BFC
.text C:\PROGRA~1\COMMON~1\France Telecom\Shared Modules\AlertModule\0\AlertModule.exe[3964] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01589CCF
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4216] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 021E9F7E
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4216] WS2_32.dll!send 71A54C27 5 Bytes JMP 021E9B1B
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4216] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 021E9E30
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4216] WS2_32.dll!recv 71A5676F 5 Bytes JMP 021E9BFC
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4216] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 021E9CCF
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4216] USER32.dll!SetWindowLongA 7E37C29D 5 Bytes JMP 1068F0D7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4216] USER32.dll!SetWindowLongW 7E37C2BB 5 Bytes JMP 1068F069 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4216] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 104A56CB C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4216] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 104A5CE7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Documents and Settings\m k\Pulpit\OTL.exe[5320] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 01539F7E
.text C:\Documents and Settings\m k\Pulpit\OTL.exe[5320] WS2_32.dll!send 71A54C27 5 Bytes JMP 01539B1B
.text C:\Documents and Settings\m k\Pulpit\OTL.exe[5320] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 01539E30
.text C:\Documents and Settings\m k\Pulpit\OTL.exe[5320] WS2_32.dll!recv 71A5676F 5 Bytes JMP 01539BFC
.text C:\Documents and Settings\m k\Pulpit\OTL.exe[5320] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 01539CCF
.text E:\Launcher\Launcher.exe[5916] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 02889F7E
.text E:\Launcher\Launcher.exe[5916] WS2_32.dll!send 71A54C27 5 Bytes JMP 02889B1B
.text E:\Launcher\Launcher.exe[5916] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 02889E30
.text E:\Launcher\Launcher.exe[5916] WS2_32.dll!recv 71A5676F 5 Bytes JMP 02889BFC
.text E:\Launcher\Launcher.exe[5916] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 02889CCF
.text E:\connectivity\CoreCom\CoreCom.exe[6072] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 02889F7E
.text E:\connectivity\CoreCom\CoreCom.exe[6072] WS2_32.dll!send 71A54C27 5 Bytes JMP 02889B1B
.text E:\connectivity\CoreCom\CoreCom.exe[6072] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 02889E30
.text E:\connectivity\CoreCom\CoreCom.exe[6072] WS2_32.dll!recv 71A5676F 5 Bytes JMP 02889BFC
.text E:\connectivity\CoreCom\CoreCom.exe[6072] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 02889CCF

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F86C320E] sptd.sys
IAT \WINDOWS\System32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F86C270C] sptd.sys
IAT \WINDOWS\System32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F86C2EEE] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F86C270C] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F86C28F0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F86C2832] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F86C30CC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F86C2EEE] sptd.sys
IAT \WINDOWS\System32\drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 833A32F8
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 832712F8
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F86D6F56] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8339F1E8
Device \FileSystem\Fastfat \FatCdrom 825C61E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{BF52E857-29F9-4C1C-9120-70CE0D1CC64A} 82E991E8
Device \Driver\usbuhci \Device\USBPDO-0 832371E8
Device \Driver\usbuhci \Device\USBPDO-1 832371E8
Device \Driver\usbuhci \Device\USBPDO-2 832371E8
Device \Driver\usbuhci \Device\USBPDO-3 832371E8
Device \Driver\usbehci \Device\USBPDO-4 8321F430
Device \Driver\prodrv06 \Device\ProDrv06 E1F4CC30
Device \Driver\Cdrom \Device\CdRom0 8314D430
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F8652B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F8652B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F8652B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F8652B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [F8652B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 [F8652B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\prohlp02 \Device\ProHlp02 E1019A30
Device \Driver\NetBT \Device\NetBt_Wins_Export 82E991E8
Device \Driver\NetBT \Device\NetbiosSmb 82E991E8
Device \Driver\USBSTOR \Device\00000087 8313A348
Device \Driver\USBSTOR \Device\00000087 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\USBSTOR \Device\00000088 8313A348
Device \Driver\USBSTOR \Device\00000088 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\usbuhci \Device\USBFDO-0 832371E8
Device \Driver\usbuhci \Device\USBFDO-1 832371E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82DE81E8
Device \Driver\usbuhci \Device\USBFDO-2 832371E8
Device \Driver\usbuhci \Device\USBFDO-3 832371E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82DE81E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{C886F47E-0C9E-4C03-9DC3-3B57E6AC2451} 82E991E8
Device \Driver\usbehci \Device\USBFDO-4 8321F430
Device \FileSystem\Fastfat \Fat 825C61E8
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)
Device \FileSystem\Cdfs \Cdfs 830EB1E8

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\alg.exe? (*** hidden *** ) [MANUAL] ALG <-- ROOTKIT !!!
Service C:\WINDOWS\system32\cisvc.exe? (*** hidden *** ) [MANUAL] CiSvc <-- ROOTKIT !!!
Service C:\WINDOWS\system32\clipsrv.exe? (*** hidden *** ) [MANUAL] ClipSrv <-- ROOTKIT !!!
Service C:\WINDOWS\system32\imapi.exe? (*** hidden *** ) [MANUAL] ImapiService <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] PolicyAgent <-- ROOTKIT !!!
Service C:\WINDOWS\system32\lsass.exe? (*** hidden *** ) [AUTO] ProtectedStorage <-- ROOTKIT !!!
Service C:\WINDOWS\system32\spoolsv.exe? (*** hidden *** ) [AUTO] Spooler <-- ROOTKIT !!!
Service C:\WINDOWS\System32\ups.exe? (*** hidden *** ) [MANUAL] UPS <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\ControlSet005\Services\cvqzenwdj@DisplayName Helper Task
Reg HKLM\SYSTEM\ControlSet005\Services\cvqzenwdj@Type 32
Reg HKLM\SYSTEM\ControlSet005\Services\cvqzenwdj@Start 2
Reg HKLM\SYSTEM\ControlSet005\Services\cvqzenwdj@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet005\Services\cvqzenwdj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet005\Services\cvqzenwdj@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet005\Services\cvqzenwdj@Description Maintains an updated list of computers on the network and supplies this list to computers designated as browsers. If this service is stopped, this list will not be updated or maintained. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg HKLM\SYSTEM\ControlSet005\Services\cvqzenwdj\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\cvqzenwdj\Parameters@ServiceDll C:\WINDOWS\system32\uhngqrp.dll

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 156280323
Disk \Device\Harddisk0\DR0 PE file @ sector 156280345
Disk \Device\Harddisk0\DR0 MBRoot/Sinowal@MBR code has been found <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----
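Added example, not part of the GMER log above and not GMER's own code: a small Python triage script for GMER 1.0.15 text logs. It splits the log at the "---- Section - GMER ----" headers and pulls out the entries a responder acts on first: raw-sector (MBR) hits, SSDT entries GMER could not attribute to a driver, services marked hidden, user-mode inline JMP hooks that no named module owns (grouped by hooked export, so a hook present in every process is separated from a one-off like LsaLogonUser in winlogon.exe), and any svchost-hosted service whose registry key carries a ServiceDll (the cvqzenwdj / uhngqrp.dll pattern above). The regular expressions are assumptions about GMER's line layout derived from the lines of this log, not from a GMER specification; the embedded sample is a subset of lines copied from the log so the script runs offline.

```python
"""Triage a GMER 1.0.15 text log: added example, not GMER's own code nor the
original post's. The regexes are assumptions about GMER's line layout, taken
from the log above, and the sample input is a subset of lines copied from it."""
import re
from collections import defaultdict
from dataclasses import dataclass

SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT F8E8415E ZwCreateKey
SSDT sptd.sys ZwEnumerateKey [0xF8732018]
SSDT F8E84140 ZwOpenProcess
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 156280323
Disk \Device\Harddisk0\DR0 PE file @ sector 156280345
Disk \Device\Harddisk0\DR0 MBRoot/Sinowal@MBR code has been found <-- ROOTKIT !!!
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\system32\winlogon.exe[584] Secur32.dll!LsaLogonUser 77FE33F1 5 Bytes JMP 01442C81
.text C:\Program Files\Avira\AntiVir Desktop\sched.exe[1448] WS2_32.dll!send 71A54C27 5 Bytes JMP 01AA9B1B
.text C:\Program Files\Outlook Express\msimn.exe[2440] ws2_32.dll!send 71A54C27 5 Bytes JMP 03109B1B
.text C:\Program Files\Mozilla Firefox\firefox.exe[3636] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\System32\alg.exe? (*** hidden *** ) [MANUAL] ALG <-- ROOTKIT !!!
Service C:\WINDOWS\system32\spoolsv.exe? (*** hidden *** ) [AUTO] Spooler <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\ControlSet005\Services\cvqzenwdj@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet005\Services\cvqzenwdj\Parameters@ServiceDll C:\WINDOWS\system32\uhngqrp.dll
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)")
HOOK_RE = re.compile(r"^\.text (?P<proc>.+?)\[\d+\] (?P<mod>[\w.]+)!(?P<fn>\w+) [0-9A-F]{8} \d+ Bytes "
                     r"JMP [0-9A-F]{8}(?: (?P<owner>.+?) \([^)]+\))?\s*$")
SERVICE_RE = re.compile(r"^Service (?P<image>.+?)\?? \(\*\*\* hidden \*\*\* \) \[(?P<start>\w+)\] (?P<name>\S+)")
REG_RE = re.compile(r"^Reg (?P<key>\S+?)\\Services\\(?P<svc>\w+)(?:\\Parameters)?@(?P<val>\w+) (?P<data>.*)$")


@dataclass(frozen=True)
class Finding:
    severity: str  # high / medium / info
    category: str
    detail: str


def parse_sections(text):
    """Split the log into {section name: [entry lines]}; blank lines are dropped."""
    sections, current = defaultdict(list), "header"
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        elif line.strip():
            sections[current].append(line.rstrip())
    return sections


def triage(text):
    s = parse_sections(text)
    out = []
    # Raw-sector hits: anything GMER calls malicious or rootkit-like in the MBR area.
    for line in s["Disk sectors"]:
        if "rootkit" in line.lower() or "malicious" in line:
            out.append(Finding("high", "mbr", line))
    # SSDT hooks GMER could not attribute to a driver (an attributed one carries a .sys name).
    for line in s["System"]:
        m = SSDT_RE.match(line)
        if m and not m.group(1).lower().endswith(".sys"):
            out.append(Finding("medium", "ssdt", f"{m.group(2)} -> {m.group(1)} (no owning driver)"))
    # Services whose registry key GMER reports as hidden from the Win32 API.
    for line in s["Services"]:
        m = SERVICE_RE.match(line)
        if m:
            out.append(Finding("high", "hidden-service", f"{m['name']} [{m['start']}] {m['image']}"))
    # User-mode inline JMP hooks without a named owner, grouped by hooked export.
    hooked = defaultdict(set)
    for line in s["User code sections"]:
        m = HOOK_RE.match(line)
        if m and not m["owner"]:  # owner set => GMER resolved the JMP target to a module (e.g. xul.dll)
            hooked[f"{m['mod'].lower()}!{m['fn']}"].add(m["proc"])
    for export, procs in hooked.items():
        # The same export hooked in many processes is usually a HIPS/AV; a one-off hook needs a look.
        sev = "info" if len(procs) > 1 else "medium"
        out.append(Finding(sev, "user-hook", f"{export} in {len(procs)} process(es): {sorted(procs)}"))
    # svchost-hosted services whose key names a ServiceDll: the DLL is what actually runs.
    svc = defaultdict(dict)
    for line in s["Registry"]:
        m = REG_RE.match(line)
        if m:
            svc[(m["key"], m["svc"])][m["val"]] = m["data"]
    for (key, name), vals in svc.items():
        if "svchost.exe" in vals.get("ImagePath", "").lower() and "ServiceDll" in vals:
            out.append(Finding("high", "svchost-dll", f"{name} -> {vals['ServiceDll']} ({key})"))
    return out


if __name__ == "__main__":
    order = {"high": 0, "medium": 1, "info": 2}
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: order[f.severity]):
        print(f"[{f.severity:6}] {f.category:15} {f.detail}")
```

Run it against the full log (`triage(open("gmer.log", encoding="utf-8").read())`) and the high-severity output is the MBR detection, the eight hidden services, and the cvqzenwdj service loading uhngqrp.dll from a non-active ControlSet. The per-export grouping is what keeps the WS2_32 hooks from drowning the rest: they sit at the same addresses in every process, which is the shape of an installed HIPS or antivirus hook rather than a targeted injection, whereas the unowned LsaLogonUser hook in winlogon.exe sits on the logon credential path and is worth resolving by hand. SSDT entries GMER attributes to sptd.sys come from the SCSI Pass Through Direct driver shipped with Daemon Tools and Alcohol, a common GMER hit that the script deliberately does not flag.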