GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-02-09 00:03:45
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.14 ----
SSDT sptd.sys ZwCreateKey [0xF729D0D0]
SSDT sptd.sys ZwEnumerateKey [0xF72A2FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xF72A3340]
SSDT sptd.sys ZwOpenKey [0xF729D0B0]
SSDT sptd.sys ZwQueryKey [0xF72A3418]
SSDT sptd.sys ZwQueryValueKey [0xF72A3298]
SSDT sptd.sys ZwSetValueKey [0xF72A34AA]
Code 8620D18F pIofCallDriver
---- Kernel code sections - GMER 1.0.14 ----
? C:\WINDOWS\system32\drivers\sptd.sys Impossibile accedere al file. Il file è utilizzato da un altro processo.
PAGE CLASSPNP.SYS!ClassInitialize + F4 F754E42C 4 Bytes [ 94, 96, 46, 86 ]
PAGE CLASSPNP.SYS!ClassInitialize + FF F754E437 4 Bytes [ DE, 51, 46, 86 ]
PAGE CLASSPNP.SYS!ClassInitialize + 10A F754E442 4 Bytes [ A6, 96, 46, 86 ]
PAGE CLASSPNP.SYS!ClassInitialize + 111 F754E449 4 Bytes [ 9A, 96, 46, 86 ]
PAGE CLASSPNP.SYS!ClassInitialize + 118 F754E450 4 Bytes [ A0, 96, 46, 86 ]
PAGE ...
.text USBPORT.SYS!DllUnload F5B4E8AC 5 Bytes JMP 86D221C8
.text tcpip.sys!IPTransmit + 10FC F2E21D3A 6 Bytes CALL 8620D172
.text tcpip.sys!IPTransmit + 2A52 F2E23690 6 Bytes CALL 8620D172
.text tcpip.sys!IPRegisterProtocol + 930 F2E39454 6 Bytes CALL 8620D172
.text wanarp.sys F76CC3FD 7 Bytes CALL 8620D17F
---- User code sections - GMER 1.0.14 ----
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] ADVAPI32.dll!CryptDestroyKey 77F59E9C 7 Bytes JMP 01DB2DFD
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] ADVAPI32.dll!CryptDecrypt 77F5A109 7 Bytes JMP 01DB2DBA
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] ADVAPI32.dll!CryptEncrypt 77F5E340 7 Bytes JMP 01DB2D7E
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!DialogBoxParamW 7E3A47AB 5 Bytes JMP 435FF301 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!DialogBoxIndirectParamW 7E3B2072 5 Bytes JMP 4379179F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!MessageBoxIndirectA 7E3BA082 5 Bytes JMP 43791720 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!DialogBoxParamA 7E3BB144 5 Bytes JMP 43791764 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!MessageBoxExW 7E3D0838 5 Bytes JMP 437916AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!MessageBoxExA 7E3D085C 5 Bytes JMP 437916E6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!DialogBoxIndirectParamA 7E3D6D7D 5 Bytes JMP 437917DA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 436216B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] WININET.dll!InternetCloseHandle 4330DA59 5 Bytes JMP 01DB3352
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] WININET.dll!HttpOpenRequestA 43314341 5 Bytes JMP 01DB3055
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] WININET.dll!InternetConnectA 4331499A 5 Bytes JMP 01DB2E18
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] WININET.dll!InternetReadFile 4331ABB4 5 Bytes JMP 01DB32FD
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] WININET.dll!HttpSendRequestA 4331CD40 5 Bytes JMP 01DB31B4
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] WININET.dll!HttpSendRequestW 43330825 5 Bytes JMP 01DB3CB1
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] CRYPT32.dll!CertGetCertificateChain 77A62F67 5 Bytes JMP 01DB3832
.text C:\Programmi\Internet Explorer\IEXPLORE.EXE[424] CRYPT32.dll!CertVerifyCertificateChainPolicy 77A6B76F 5 Bytes JMP 01DB383B
.text C:\Programmi\ESET\ESET NOD32 Antivirus\ekrn.exe[744] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [ C2, 04, 00, 00 ]
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] kernel32.dll!LoadResource 7C80A045 7 Bytes JMP 28001CD0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] kernel32.dll!FindResourceExW 7C80AD18 7 Bytes JMP 28001B10 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] kernel32.dll!FindResourceW 7C80BC5E 7 Bytes JMP 28001A90 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] kernel32.dll!SizeofResource 7C80BCF9 7 Bytes JMP 28001D90 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] kernel32.dll!FindResourceA 7C80BF19 7 Bytes JMP 28001BA0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] kernel32.dll!LockResource 7C80CD27 5 Bytes JMP 28001E00 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] kernel32.dll!CreateEventA 7C83089D 5 Bytes JMP 28001850 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] kernel32.dll!FindResourceExA 7C835F90 7 Bytes JMP 28001C30 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] ADVAPI32.dll!CryptDeriveKey 77F59FDD 7 Bytes JMP 28001000 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] ADVAPI32.dll!CryptDecrypt 77F5A109 7 Bytes JMP 28001060 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] USER32.dll!PeekMessageW 7E39929B 5 Bytes JMP 28004430 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] USER32.dll!SetWindowPlacement 7E39DE46 5 Bytes JMP 28005C10 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] USER32.dll!CreateDialogParamW 7E39EA3B 5 Bytes JMP 28005E90 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] USER32.dll!LoadImageW 7E3A7B97 5 Bytes JMP 280064E0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 28003AF0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] USER32.dll!SetWindowRgn 7E3AE528 7 Bytes JMP 28005D50 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] USER32.dll!LoadIconW 7E3AE8BC 5 Bytes JMP 280066D0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 28006080 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] USER32.dll!TrackPopupMenuEx 7E3ECF62 5 Bytes JMP 28004D10 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 2800B920 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] WS2_32.dll!send 71A34C27 5 Bytes JMP 2800B500 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 2800B2E0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] WS2_32.dll!recv 71A3676F 5 Bytes JMP 2800B140 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 2800B6E0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] SHELL32.dll!Shell_NotifyIconW 7CA3A52F 5 Bytes JMP 280032B0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] ole32.dll!CoInitializeEx 774CEF7B 5 Bytes JMP 28002110 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] ole32.dll!CoCreateInstance 774D057E 5 Bytes JMP 280024B0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] ole32.dll!CoRegisterClassObject 774E7E90 5 Bytes JMP 28002210 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] WININET.dll!InternetCloseHandle 4330DA59 5 Bytes JMP 2800A2A0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] WININET.dll!HttpOpenRequestA 43314341 5 Bytes JMP 28009F60 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] WININET.dll!InternetReadFile 4331ABB4 5 Bytes JMP 2800A0F0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[988] WININET.dll!HttpSendRequestA 4331CD40 5 Bytes JMP 2800A1D0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Patchou)
.text C:\WINDOWS\explorer.exe[4048] ADVAPI32.dll!CryptDestroyKey 77F59E9C 7 Bytes JMP 01842DFD
.text C:\WINDOWS\explorer.exe[4048] ADVAPI32.dll!CryptDecrypt 77F5A109 7 Bytes JMP 01842DBA
.text C:\WINDOWS\explorer.exe[4048] ADVAPI32.dll!CryptEncrypt 77F5E340 7 Bytes JMP 01842D7E
.text C:\WINDOWS\explorer.exe[4048] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 01842D63
.text C:\WINDOWS\explorer.exe[4048] WS2_32.dll!send 71A34C27 5 Bytes JMP 01842BEF
.text C:\WINDOWS\explorer.exe[4048] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 01842CE1
.text C:\WINDOWS\explorer.exe[4048] WS2_32.dll!recv 71A3676F 5 Bytes JMP 01842C27
.text C:\WINDOWS\explorer.exe[4048] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 01842C5F
.text C:\Programmi\Mozilla Firefox 3 Beta 4\firefox.exe[4812] ADVAPI32.dll!CryptDestroyKey 77F59E9C 7 Bytes JMP 03402DFD
.text C:\Programmi\Mozilla Firefox 3 Beta 4\firefox.exe[4812] ADVAPI32.dll!CryptDecrypt 77F5A109 7 Bytes JMP 03402DBA
.text C:\Programmi\Mozilla Firefox 3 Beta 4\firefox.exe[4812] ADVAPI32.dll!CryptEncrypt 77F5E340 7 Bytes JMP 03402D7E
.text C:\Programmi\Mozilla Firefox 3 Beta 4\firefox.exe[4812] WS2_32.dll!closesocket 71A33E2B 5 Bytes JMP 03402D63
.text C:\Programmi\Mozilla Firefox 3 Beta 4\firefox.exe[4812] WS2_32.dll!send 71A34C27 5 Bytes JMP 03402BEF
.text C:\Programmi\Mozilla Firefox 3 Beta 4\firefox.exe[4812] WS2_32.dll!WSARecv 71A34CB5 5 Bytes JMP 03402CE1
.text C:\Programmi\Mozilla Firefox 3 Beta 4\firefox.exe[4812] WS2_32.dll!recv 71A3676F 5 Bytes JMP 03402C27
.text C:\Programmi\Mozilla Firefox 3 Beta 4\firefox.exe[4812] WS2_32.dll!WSASend 71A368FA 5 Bytes JMP 03402C5F
---- Kernel IAT/EAT - GMER 1.0.14 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F729DAD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F729DC1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F729DB9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F729E748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F729E61E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72B329A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] 8620C4DB
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] 8620C4D1
---- User IAT/EAT - GMER 1.0.14 ----
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegQueryValueA] 011306A0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [ADVAPI32.dll!RegCreateKeyExW] 01130390
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcAddress] 01128E80
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryA] 0112A3C0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CloseHandle] 0112D530
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FreeLibrary] 0112B110
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryW] 0112A6F0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileW] 0112C870
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalUnlock] 0112F870
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalLock] 0112F8B0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetProcessHeap] 011309F0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FindFirstFileW] 0112F460
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!DuplicateHandle] 0112D490
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateThread] 0112BC30
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] 0112ADC0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetEnvironmentStringsW] 0112B6B0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!IsDebuggerPresent] 01130F70
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!ReadFile] 0112CBC0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!SetFilePointer] 0112D2F0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFileEx] 0112DF20
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingW] 0112DA00
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!MapViewOfFile] 0112DEA0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!OpenFileMappingW] 0112E9C0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!UnmapViewOfFile] 0112E090
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExA] 0112AA70
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!TerminateProcess] 0112BAE0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GlobalAlloc] 0112F990
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!FlushViewOfFile] 0112DB40
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileSize] 0112D430
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!WriteFile] 0112CFF0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetFileType] 0112D640
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!GetACP] 01130A10
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!CreateFileMappingA] 0112D940
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadIconW] 01130CB0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadCursorW] 01130C50
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!CreateDialogParamW] 01130EA0
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!DialogBoxParamW] 01130F40
IAT C:\Programmi\DAP\DAP.EXE[2748] @ C:\WINDOWS\system32\ole32.dll [USER32.dll!LoadStringW] 01130D70
---- Devices - GMER 1.0.14 ----
Device \FileSystem\Ntfs \Ntfs 86F111E8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \FileSystem\Fastfat \FatCdrom 85EAD790
Device \Driver\usbuhci \Device\USBPDO-0 86D21538
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F2B1E8
Device \Driver\dmio \Device\DmControl\DmConfig 86F2B1E8
Device \Driver\dmio \Device\DmControl\DmPnP 86F2B1E8
Device \Driver\dmio \Device\DmControl\DmInfo 86F2B1E8
Device \Driver\usbuhci \Device\USBPDO-1 86D21538
Device \Driver\usbuhci \Device\USBPDO-2 86D21538
Device \Driver\usbehci \Device\USBPDO-3 86CF1768
Device \Driver\usbuhci \Device\USBPDO-4 86D21538
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys
Device \Driver\prodrv06 \Device\ProDrv06 E216F008
Device \Driver\Ftdisk \Device\HarddiskVolume1 86F9E1E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86F9E1E8
Device \Driver\Cdrom \Device\CdRom0 86D6D790
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 E19C9D48
Device \Driver\Disk \Device\Harddisk0\DR0 86469694
Device \Driver\usbuhci \Device\USBFDO-0 86D21538
Device \Driver\usbuhci \Device\USBFDO-1 86D21538
Device \Driver\usbuhci \Device\USBFDO-2 86D21538
Device \Driver\usbuhci \Device\USBFDO-3 86D21538
Device \Driver\Ftdisk \Device\FtControl 86F9E1E8
Device \Driver\usbehci \Device\USBFDO-4 86CF1768
Device \FileSystem\Fastfat \Fat 85EAD790
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
Device \FileSystem\Cdfs \Cdfs 868F8698
---- Threads - GMER 1.0.14 ----
Thread 4:784 864A0190
Thread 4:788 8648E1B0
Thread 4:792 864D35F0
Thread 4:796 86471540
Thread 4:3504 864A0190
Thread 4:3508 8648E1B0
Thread 4:3512 864D35F0
Thread 4:3516 86471540
---- Registry - GMER 1.0.14 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00025b1309db
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00025b1309db
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x71 0x3B 0x04 0x66 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x86 0x8C 0x21 0x01 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xF5 0x1D 0x4D 0x73 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0x51 0xFA 0x6E 0x91 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0x3D 0xCE 0xEA 0x26 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...
---- Disk sectors - GMER 1.0.14 ----
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 02: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 14: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 15: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 16: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 17: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 18: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 22: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 23: rootkit-like behavior; copy of MBR
Disk \Device\Harddisk0\DR0 sector 32: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 60: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 61: rootkit-like behavior; malicious code @ sector 0x1d1c06c0 size 0x1be
Disk \Device\Harddisk0\DR0 sector 62: rootkit-like behavior; copy of MBR