GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-10-04 21:21:27 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD3200BEVE-00A0HT0 rev.11.01A11 Running: q0d8d74y.exe; Driver: C:\DOCUME~1\PAWE~1\USTAWI~1\Temp\kgtdapow.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xAFF4F610] SSDT spoy.sys ZwCreateKey [0xB9EB50E0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xAFF4FC10] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xAFF4F730] SSDT spoy.sys ZwEnumerateKey [0xB9ECDDA4] SSDT spoy.sys ZwEnumerateValueKey [0xB9ECE132] SSDT spoy.sys ZwOpenKey [0xB9EB50C0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xAFF4F4B0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xAFF4F570] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xAFF4F6D0] SSDT spoy.sys ZwQueryKey [0xB9ECE20A] SSDT spoy.sys ZwQueryValueKey [0xB9ECE08A] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xAFF4F790] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xAFF4F690] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xAFF4F650] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xAFF4F7D0] SSDT spoy.sys ZwSetValueKey [0xB9ECE29C] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xAFF4F510] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xAFF4F590] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xAFF4F4D0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xAFF4F5D0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xAFF4F750] INT 0x62 ? 8A666BF8 INT 0x83 ? 8A339F00 INT 0xA4 ? 8A339F00 INT 0xB4 ? 8A339F00 ---- Kernel code sections - GMER 1.0.15 ---- ? spoy.sys Nie można odnaleźć określonego pliku. ! .text USBPORT.SYS!DllUnload B65418AC 5 Bytes JMP 8A3394E0 ? System32\Drivers\hiber_WMILIB.SYS System nie może odnaleźć określonej ścieżki. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1948] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spoy.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spoy.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spoy.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spoy.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spoy.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] spoy.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A6651F8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET) Device \FileSystem\Fastfat \FatCdrom 8A13E500 Device \Driver\NetBT \Device\NetBT_Tcpip_{44ADE8C1-8476-4CA1-8009-A459A00C4066} 899771F8 AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET) Device \Driver\usbuhci \Device\USBPDO-0 8A2A6500 Device \Driver\usbuhci \Device\USBPDO-1 8A2A6500 Device \Driver\usbuhci \Device\USBPDO-2 8A2A6500 Device \Driver\usbuhci \Device\USBPDO-3 8A2A6500 Device \Driver\usbehci \Device\USBPDO-4 8A30B500 AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET) Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6D51F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A6D51F8 Device \Driver\Cdrom \Device\CdRom0 8A2E3500 Device \Driver\atapi \Device\Ide\IdePort0 [B9E10B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B9E10B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B9E10B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Cdrom \Device\CdRom1 8A2E3500 Device \Driver\NetBT \Device\NetBt_Wins_Export 899771F8 Device \Driver\NetBT \Device\NetbiosSmb 899771F8 AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET) AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET) Device \Driver\NetBT \Device\NetBT_Tcpip_{40F6099E-C820-4206-A92E-620EA154B037} 899771F8 Device \Driver\usbuhci \Device\USBFDO-0 8A2A6500 Device \Driver\usbuhci \Device\USBFDO-1 8A2A6500 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A0B21F8 Device \Driver\usbuhci \Device\USBFDO-2 8A2A6500 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A0B21F8 Device \Driver\usbuhci \Device\USBFDO-3 8A2A6500 Device \Driver\usbehci \Device\USBFDO-4 8A30B500 Device \Driver\Ftdisk \Device\FtControl 8A6D51F8 Device \FileSystem\Fastfat \Fat 8A13E500 AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET) Device \FileSystem\Cdfs \Cdfs 899261F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x69 0xCC 0x9C 0xB5 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x69 0xCC 0x9C 0xB5 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x69 0xCC 0x9C 0xB5 ... ---- EOF - GMER 1.0.15 ----