GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-28 23:47:05
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP2T0L0-1f ST3320613AS rev.SD11
Running: jdby774d.exe; Driver: C:\DOCUME~1\1\USTAWI~1\Temp\awldikob.sys


---- System - GMER 1.0.15 ----

SSDT  B872329E  ZwCreateKey
SSDT  B8723294  ZwCreateThread
SSDT  B87232A3  ZwDeleteKey
SSDT  B87232AD  ZwDeleteValueKey
SSDT  spom.sys  ZwEnumerateKey [0xB7EC6CA2]
SSDT  spom.sys  ZwEnumerateValueKey [0xB7EC7030]
SSDT  B87232B2  ZwLoadKey
SSDT  spom.sys  ZwOpenKey [0xB7EA80C0]
SSDT  B8723280  ZwOpenProcess
SSDT  B8723285  ZwOpenThread
SSDT  spom.sys  ZwQueryKey [0xB7EC7108]
SSDT  spom.sys  ZwQueryValueKey [0xB7EC6F88]
SSDT  B87232BC  ZwReplaceKey
SSDT  B87232B7  ZwRestoreKey
SSDT  B87232A8  ZwSetValueKey

INT 0x62  ?  8B098BF8
INT 0x63  ?  8AE16F00
INT 0x73  ?  8B098BF8
INT 0x73  ?  8B098BF8
INT 0x73  ?  8B098BF8
INT 0x73  ?  8B098BF8
INT 0x73  ?  8AE16F00
INT 0x73  ?  8B098BF8
INT 0x82  ?  8B098BF8
INT 0xA4  ?  8AE16F00
INT 0xA4  ?  8AE16F00
INT 0xA4  ?  8AE16F00
INT 0xA4  ?  8AE16F00
INT 0xB4  ?  8AE16F00

---- Kernel code sections - GMER 1.0.15 ----

?      spom.sys  Nie można odnaleźć określonego pliku. !
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB6FB3360, 0x3E57A5, 0xE8000020]
.text  USBPORT.SYS!DllUnload  B6F938AC 5 Bytes  JMP 8AE164E0
.text  C:\WINDOWS\system32\DRIVERS\atksgt.sys  section is writeable [0xB3AE3300, 0x3AE88, 0xE8000020]
.text  C:\WINDOWS\system32\DRIVERS\lirsgt.sys  section is writeable [0xB8390300, 0x1B7E, 0xE8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [B7EA9040] spom.sys
IAT  atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]  [B7EA913C] spom.sys
IAT  atapi.sys[HAL.dll!READ_PORT_USHORT]  [B7EA90BE] spom.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]  [B7EA97FC] spom.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]  [B7EA96D2] spom.sys
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [B7EB9048] spom.sys

---- Devices - GMER 1.0.15 ----

Device  8B0971F8
Device  Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device  8AD55500
Device  Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device  \Driver\usbuhci \Device\USBPDO-0  8ADBD500
Device  \Driver\usbuhci \Device\USBPDO-1  8ADBD500
Device  \Driver\usbehci \Device\USBPDO-2  8AD611F8
Device  \Driver\usbuhci \Device\USBPDO-3  8ADBD500
Device  \Driver\usbuhci \Device\USBPDO-4  8ADBD500
Device  \Driver\usbehci \Device\USBPDO-5  8AD611F8
Device  \Driver\usbuhci \Device\USBPDO-6  8ADBD500
Device  \Driver\Ftdisk \Device\HarddiskVolume1  8B1081F8
Device  \Driver\usbuhci \Device\USBPDO-7  8ADBD500
Device  \Driver\Ftdisk \Device\HarddiskVolume2  8B1081F8
Device  \Driver\Cdrom \Device\CdRom0  8AE36500
Device  \Driver\atapi \Device\Ide\IdePort0  [B7E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort1  [B7E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort2  [B7E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort3  [B7E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1f  [B7E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort4  [B7E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort5  [B7E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-12  [B7E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-7  [B7E21B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\Ftdisk \Device\HarddiskVolume3  8B1081F8
Device  \Driver\Ftdisk \Device\HarddiskVolume4  8B1081F8
Device  \Driver\NetBT \Device\NetBt_Wins_Export  8AD60500
Device  \Driver\NetBT \Device\NetbiosSmb  8AD60500
Device  \Driver\USBSTOR \Device\00000089  8A3613C0
Device  \Driver\usbuhci \Device\USBFDO-0  8ADBD500
Device  \Driver\usbuhci \Device\USBFDO-1  8ADBD500
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  8ADFF500
Device  \Driver\usbuhci \Device\USBFDO-2  8ADBD500
Device  \Driver\usbehci \Device\USBFDO-3  8AD611F8
Device  \Driver\usbuhci \Device\USBFDO-4  8ADBD500
Device  \Driver\Ftdisk \Device\FtControl  8B1081F8
Device  \Driver\USBSTOR \Device\0000008a  8A3613C0
Device  \Driver\usbuhci \Device\USBFDO-5  8ADBD500
Device  \Driver\usbuhci \Device\USBFDO-6  8ADBD500
Device  \Driver\usbehci \Device\USBFDO-7  8AD611F8

AttachedDevice  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device  Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2  285507792
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x55 0x83 0x18 0xDB ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x55 0x83 0x18 0xDB ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg  HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version  0x30 0xD4 0xCB 0x17 ...

---- EOF - GMER 1.0.15 ----