GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-09-19 02:57:18 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS543232L9A300 rev.FB4OC40C Running: 7xxuprx6.exe; Driver: C:\DOCUME~1\Kinga_PN\USTAWI~1\Temp\uxtdrpoc.sys ---- System - GMER 1.0.15 ---- SSDT B873166C ZwClose SSDT B8731626 ZwCreateKey SSDT B8731676 ZwCreateSection SSDT B873161C ZwCreateThread SSDT B873162B ZwDeleteKey SSDT B8731635 ZwDeleteValueKey SSDT B8731667 ZwDuplicateObject SSDT sptd.sys ZwEnumerateKey [0xB7F08698] SSDT sptd.sys ZwEnumerateValueKey [0xB7F08A26] SSDT B873163A ZwLoadKey SSDT sptd.sys ZwOpenKey [0xB7ED4F80] SSDT B8731608 ZwOpenProcess SSDT B873160D ZwOpenThread SSDT sptd.sys ZwQueryKey [0xB7F08AFE] SSDT sptd.sys ZwQueryValueKey [0xB7F0897E] SSDT B8731644 ZwReplaceKey SSDT B873163F ZwRestoreKey SSDT B873167B ZwSetContextThread SSDT B8731630 ZwSetValueKey SSDT B8731617 ZwTerminateProcess INT 0x63 ? 8AB50F00 INT 0x83 ? 8AB50F00 INT 0x84 ? 8AB50F00 INT 0xA4 ? 8AB50F00 INT 0xB4 ? 8AE4CCB8 INT 0xB4 ? 8AE4CCB8 INT 0xB4 ? 8AE4CCB8 INT 0xB4 ? 8AE4CCB8 INT 0xB4 ? 8AB50F00 INT 0xB4 ? 8AB50F00 INT 0xB4 ? 8AE4CCB8 ---- Kernel code sections - GMER 1.0.15 ---- .text sptd.sys B7E98000 28 Bytes [30, 78, 6E, 80, A2, CB, 6E, ...] .text sptd.sys B7E9801D 3 Bytes [79, 6E, 80] .text sptd.sys B7E98024 120 Bytes [D8, 52, 53, 80, 68, B9, 54, ...] .text sptd.sys B7E9809D 124 Bytes [97, 53, 80, A0, 98, 53, 80, ...] .text sptd.sys B7E9811A 178 Bytes [4F, 80, 82, F8, 4E, 80, 3E, ...] .text ... .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB7F441AA] ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6C423A0, 0x5FE082, 0xE8000020] .text USBPORT.SYS!DllUnload B6BED8AC 5 Bytes JMP 8AB50410 ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B7E9A20E] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B7E9970C] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B7E99EEE] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7E9970C] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7E998F0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7E99832] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7E9A0CC] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7E99EEE] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EADF56] sptd.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8AE4B1E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{5D54FEF7-6F96-4AAA-9513-BBB403958CE4} 88C0E1E8 Device \Driver\usbuhci \Device\USBPDO-0 8AB4E1E8 Device \Driver\usbuhci \Device\USBPDO-1 8AB4E1E8 Device \Driver\usbuhci \Device\USBPDO-2 8AB4E1E8 Device \Driver\usbehci \Device\USBPDO-3 8AB2B1E8 Device \Driver\usbuhci \Device\USBPDO-4 8AB4E1E8 Device \Driver\usbehci \Device\USBPDO-5 8AB2B1E8 Device \Driver\usbuhci \Device\USBPDO-6 8AB4E1E8 Device \Driver\usbuhci \Device\USBPDO-7 8AB4E1E8 Device \Driver\Cdrom \Device\CdRom0 8AAD11E8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7E03B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [B7E03B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B7E03B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B7E03B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B7E03B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B7E03B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBT_Tcpip_{910D09D0-3470-4CF0-929F-A063F587E877} 88C0E1E8 Device \Driver\NetBT \Device\NetBt_Wins_Export 88C0E1E8 Device \Driver\NetBT \Device\NetbiosSmb 88C0E1E8 Device \Driver\usbuhci \Device\USBFDO-0 8AB4E1E8 Device \Driver\usbuhci \Device\USBFDO-1 8AB4E1E8 Device \Driver\usbuhci \Device\USBFDO-2 8AB4E1E8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88C081E8 Device \Driver\usbehci \Device\USBFDO-3 8AB2B1E8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 88C081E8 Device \Driver\usbuhci \Device\USBFDO-4 8AB4E1E8 Device \Driver\usbuhci \Device\USBFDO-5 8AB4E1E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{BA662ACF-609E-47F1-B17C-11A1AA07AA33} 88C0E1E8 Device \Driver\usbuhci \Device\USBFDO-6 8AB4E1E8 Device \Driver\usbehci \Device\USBFDO-7 8AB2B1E8 Device \FileSystem\Cdfs \Cdfs 8A9D2430 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 ---- EOF - GMER 1.0.15 ----