GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-31 19:08:14
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160812A rev.3.AAD
Running: gmer.exe; Driver: C:\%USERP~1\ffddrpod.sys


---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwCreateKey [0xF77380B0]
SSDT sptd.sys ZwEnumerateKey [0xF773D84C]
SSDT sptd.sys ZwEnumerateValueKey [0xF773DBEC]
SSDT sptd.sys ZwOpenKey [0xF7738090]
SSDT sptd.sys ZwQueryKey [0xF773DCC4]
SSDT sptd.sys ZwQueryValueKey [0xF773DB44]
SSDT sptd.sys ZwSetValueKey [0xF773DD56]
SSDT \SystemRoot\system32\DRIVERS\PSINProc.sys (PSINProc Filter Driver for XP32/Panda Security, S.L.) ZwTerminateProcess [0xB8659416]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF64BA380, 0x566465, 0xE8000020]
.text USBPORT.SYS!DllUnload F64778AC 5 Bytes JMP 864EF698

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!SetWindowLongA 7E37C29D 5 Bytes JMP 106AA047 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!SetWindowLongW 7E37C2BB 5 Bytes JMP 106A9FD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 104B1B87 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2380] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 104B2155 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3972] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3972] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 01340001
.text C:\Program Files\Mozilla Firefox\firefox.exe[3972] WS2_32.dll!WSALookupServiceNextW 71A53181 6 Bytes JMP 71A90F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3972] WS2_32.dll!WSALookupServiceEnd 71A5350E 6 Bytes JMP 71A20F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3972] WS2_32.dll!WSALookupServiceBeginW 71A535EF 6 Bytes JMP 71AF0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3972] WS2_32.dll!send 71A54C27 6 Bytes JMP 719F0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3972] WS2_32.dll!WSARecv 71A54CB5 6 Bytes JMP 71960F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3972] WS2_32.dll!recv 71A5676F 6 Bytes JMP 719C0F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3972] WS2_32.dll!WSASend 71A568FA 6 Bytes JMP 71990F5A
.text C:\Program Files\Mozilla Firefox\firefox.exe[3972] WS2_32.dll!WSAGetOverlappedResult 71A60D1B 6 Bytes JMP 71930F5A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F774C580] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F774C52C] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7766AB8] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F774C580] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7738ABA] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7738C00] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F7738B82] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F773972E] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F7739604] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F774BB9A] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 867D31D8
Device \Driver\usbuhci \Device\USBPDO-0 864EE980
Device \Driver\usbuhci \Device\USBPDO-1 864EE980
Device \Driver\usbuhci \Device\USBPDO-2 864EE980
Device \Driver\usbuhci \Device\USBPDO-3 864EE980
Device \Driver\usbehci \Device\USBPDO-4 864EC7C0
Device \Driver\Ftdisk \Device\HarddiskVolume1 867D51D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 867D51D8
Device \Driver\Cdrom \Device\CdRom0 864F51D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F76B1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F76B1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F76B1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F76B1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 867D51D8
Device \Driver\NetBT \Device\NetBT_Tcpip_{44495403-86C9-47AB-9069-CA50CEC604F4} 86426530
Device \Driver\NetBT \Device\NetBt_Wins_Export 86426530
Device \Driver\NetBT \Device\NetbiosSmb 86426530
Device \Driver\usbuhci \Device\USBFDO-0 864EE980
Device \Driver\usbuhci \Device\USBFDO-1 864EE980
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86428470
Device \Driver\usbuhci \Device\USBFDO-2 864EE980
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86428470
Device \Driver\usbuhci \Device\USBFDO-3 864EE980
Device \Driver\NetBT \Device\NetBT_Tcpip_{DFF53095-287A-4221-B7FC-90493D9884FB} 86426530
Device \Driver\usbehci \Device\USBFDO-4 864EC7C0
Device \Driver\Ftdisk \Device\FtControl 867D51D8
Device \Driver\viamraid \Device\Scsi\viamraid1 867D41D8
Device \FileSystem\Cdfs \Cdfs 863ED980

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 662052064
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1385402669
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEA 0x50 0x40 0x39 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEA 0x50 0x40 0x39 ...

---- EOF - GMER 1.0.15 ----