GMER 1.0.15.15163 - http://www.gmer.net
Rootkit scan 2009-11-03 19:53:53
Windows 6.0.6001 Service Pack 1
Running: yplwm1qb.exe; Driver: C:\Users\Bobby\AppData\Local\Temp\kglcqpog.sys

---- System - GMER 1.0.15 ----

SSDT 9D135E6C ZwCreateThread
SSDT 9D135E58 ZwOpenProcess
SSDT 9D135E5D ZwOpenThread
SSDT 9D135E67 ZwTerminateProcess
SSDT 9D135E62 ZwWriteVirtualMemory

INT 0x51 ? 84FF0BF8
INT 0x62 ? 84FF0BF8
INT 0x72 ? 84FF0BF8
INT 0x94 ? 86A32F00
INT 0xA4 ? 86A32F00

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 454 82706A18 4 Bytes [6C, 5E, 13, 9D]
.text ntkrnlpa.exe!KeSetTimerEx + 624 82706BE8 4 Bytes [58, 5E, 13, 9D]
.text ntkrnlpa.exe!KeSetTimerEx + 640 82706C04 4 Bytes [5D, 5E, 13, 9D]
.text ntkrnlpa.exe!KeSetTimerEx + 854 82706E18 4 Bytes [67, 5E, 13, 9D]
.text ntkrnlpa.exe!KeSetTimerEx + 8B4 82706E78 4 Bytes [62, 5E, 13, 9D] {BOUND EBX, [ESI+0x13]; POPF }
? System32\Drivers\spet.sys Das System kann den angegebenen Pfad nicht finden. !
.text USBPORT.SYS!DllUnload 8AB7E46F 5 Bytes JMP 86A324E0

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3480] USER32.dll!CreateWindowExW 77653D67 5 Bytes JMP 28003C20 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[3480] ole32.dll!CoInitializeEx 761FB89A 5 Bytes JMP 28002100 C:\Program Files\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8061B048] \SystemRoot\System32\Drivers\spet.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73297BA4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [732D98C5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7329D3C8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7328F527] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73297599] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7328E43D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [732CB33D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7329D68A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7329012E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73290095] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [732871F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7331D802] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [732B75E1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7328DAE1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7328668F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [732866BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2776] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73291E45] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18065_none_9e7abe2ec9c13222\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85D461F8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
Device \Driver\volmgr \Device\VolMgrControl 84FF21F8
Device \Driver\usbohci \Device\USBPDO-0 86D671F8
Device \Driver\usbehci \Device\USBPDO-1 86D681F8
Device \Driver\netbt \Device\NetBT_Tcpip_{42395A4B-CBC6-41B5-B625-5927D4013190} 88348500
Device \Driver\volmgr \Device\HarddiskVolume1 84FF21F8
Device \Driver\volmgr \Device\HarddiskVolume2 84FF21F8
Device \Driver\cdrom \Device\CdRom0 86D7A1F8
Device \Driver\volmgr \Device\HarddiskVolume3 84FF21F8
Device \Driver\cdrom \Device\CdRom1 86D7A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 85D451F8
Device \Driver\atapi \Device\Ide\IdePort0 85D451F8
Device \Driver\atapi \Device\Ide\IdePort1 85D451F8
Device \Driver\atapi \Device\Ide\IdePort2 85D451F8
Device \Driver\atapi \Device\Ide\IdePort3 85D451F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-5 85D451F8
Device \Driver\netbt \Device\NetBT_Tcpip_{7DFA8138-F1C7-4989-8DE2-F5FF3480A373} 88348500
Device \Driver\netbt \Device\NetBt_Wins_Export 88348500
Device \Driver\Smb \Device\NetbiosSmb 88308500
Device \Driver\iScsiPrt \Device\RaidPort0 86DC01F8
Device \Driver\sptd \Device\3343441415 spet.sys
Device \Driver\usbohci \Device\USBFDO-0 86D671F8
Device \Driver\PCI_PNP3397 \Device\0000012d spet.sys
Device \Driver\usbehci \Device\USBFDO-1 86D681F8
Device \Driver\a6yld1hu \Device\Scsi\a6yld1hu1Port5Path0Target0Lun0 86D901F8
Device \Driver\a6yld1hu \Device\Scsi\a6yld1hu1 86D901F8
Device \FileSystem\cdfs \Cdfs A19561F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0x2E 0x40 0x44 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA3 0xB9 0x9C 0x27 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFD 0x83 0x04 0xE4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC8 0x2E 0x40 0x44 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA3 0xB9 0x9C 0x27 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFD 0x83 0x04 0xE4 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG10.00.00.01WORKSTATION

---- EOF - GMER 1.0.15 ----