GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-21 20:32:56
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 SAMSUNG_HD321KJ rev.CP100-13
Running: gmer.exe; Driver: C:\Users\Daniel\AppData\Local\Temp\kwworpog.sys
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83855599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83879F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8FA17000, 0x331A84, 0xE8000020]
? C:\Windows\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. !
---- User code sections - GMER 1.0.15 ----
.text D:\Program Files\Mozilla Firefox\plugin-container.exe[1172] USER32.dll!TrackPopupMenu 771A4B3B 5 Bytes JMP 64262342 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1624] kernel32.dll!SetUnhandledExceptionFilter 777A3162 4 Bytes [C2, 04, 00, 00]
.text D:\Program Files\Mozilla Firefox\firefox.exe[2960] ntdll.dll!LdrLoadDll 7788F625 5 Bytes JMP 00FE13F0 D:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1700] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758D5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1700] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758D5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1700] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758D5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1700] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [758D5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1700] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [758D5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1700] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758D5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Microsoft SQL Server\MSSQL10.SQLEXPRESS\MSSQL\Binn\sqlservr.exe[1700] @ C:\Windows\system32\ole32.dll [ntdll.dll!EtwRegisterTraceGuidsW] [7129B0C6] C:\Windows\AppPatch\AcXtrnal.dll (Windows Compatibility DLL/Microsoft Corporation)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\ACPI_HAL \Device\00000050 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001167000000 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\001167000000@00164ed68cf8 0xE6 0xF7 0xF9 0x4D ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0011678c47cf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0011678c47cf@0002eead0df1 0xB6 0x47 0x28 0x27 ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0011678c47cf@a8f27402700e 0x2B 0x3E 0xDA 0x99 ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0011678c47cf@444e1a3a28e4 0x20 0x55 0x49 0x4A ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0011678c47cf@00164ed68cf8 0x82 0x36 0x6A 0xB5 ...
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\0011678c47cf@001adc9be16d 0x56 0xEF 0x82 0x29 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE4 0x69 0xB3 0x99 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD8 0x31 0x3F 0x5C ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAD 0x63 0xE0 0xEA ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0011678c47cf (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0011678c47cf@0002eead0df1 0xB6 0x47 0x28 0x27 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0011678c47cf@a8f27402700e 0x41 0x4B 0x93 0xC6 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0011678c47cf@444e1a3a28e4 0x20 0x55 0x49 0x4A ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\0011678c47cf@00164ed68cf8 0x43 0x5A 0x24 0x5D ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE4 0x69 0xB3 0x99 ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD8 0x31 0x3F 0x5C ...
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAD 0x63 0xE0 0xEA ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167000000
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167000000@00164ed68cf8 0xE6 0xF7 0xF9 0x4D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011678c47cf
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011678c47cf@0002eead0df1 0xB6 0x47 0x28 0x27 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011678c47cf@a8f27402700e 0x2B 0x3E 0xDA 0x99 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011678c47cf@444e1a3a28e4 0x20 0x55 0x49 0x4A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011678c47cf@00164ed68cf8 0x82 0x36 0x6A 0xB5 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0011678c47cf@001adc9be16d 0x56 0xEF 0x82 0x29 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE4 0x69 0xB3 0x99 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD8 0x31 0x3F 0x5C ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAD 0x63 0xE0 0xEA ...
---- Files - GMER 1.0.15 ----
File C:\ProgramData\ESET\ESET NOD32 Antivirus\Charon\FND6.NFI 586 bytes
File C:\ProgramData\ESET\ESET NOD32 Antivirus\Charon\FND7.NFI 657 bytes
File C:\ProgramData\ESET\ESET NOD32 Antivirus\Charon\FND8.NFI 1004 bytes
File C:\ProgramData\ESET\ESET NOD32 Antivirus\Charon\FND9.NFI 577 bytes
File C:\ProgramData\ESET\ESET NOD32 Antivirus\Charon\FNDA.NFI 500 bytes
File C:\ProgramData\ESET\ESET NOD32 Antivirus\Charon\FNDB.NFI 762 bytes
---- EOF - GMER 1.0.15 ----