GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-22 13:14:26
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e SAMSUNG_HD501LJ rev.CR100-12
Running: gmer.exe; Driver: C:\DOCUME~1\KRZYSZ~1\USTAWI~1\Temp\pxtdqpow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xAC6116B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xAC611574]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xAC611A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xAC61114C]
SSDT spgz.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spgz.sys ZwEnumerateValueKey [0xB9ECE132]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xAC61164E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xAC61108C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xAC6110F0]
SSDT spgz.sys ZwQueryKey [0xB9ECE20A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xAC61176E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xAC61172E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xAC6118AE]

INT 0x62 ? 89D5CBF8
INT 0x73 ? 89D5CBF8
INT 0x73 ? 89D5CBF8
INT 0x73 ? 89B48F00
INT 0x73 ? 89D5CBF8
INT 0xB4 ? 89B48F00

---- Kernel code sections - GMER 1.0.15 ----

? spgz.sys Nie można odnaleźć określonego pliku. !
.text USBPORT.SYS!DllUnload B971162C 5 Bytes JMP 89B484E0
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8F42000, 0x2A1A98, 0xE8000020]
.text a9af14m2.SYS B8EF4386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a9af14m2.SYS B8EF43AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a9af14m2.SYS B8EF43C4 3 Bytes [00, 80, 02]
.text a9af14m2.SYS B8EF43C9 1 Byte [30]
.text a9af14m2.SYS B8EF43C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3592] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 01265B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spgz.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spgz.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spgz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spgz.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spgz.sys
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!READ_PORT_UCHAR] B48B8932
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!KeGetCurrentIrql] 89000001
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!KfRaiseIrql] 0001C083
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!KfLowerIrql] 24468B00
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!HalGetInterruptVector] 89820C8D
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!KfReleaseSpinLock] 000000BD
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 020CB389
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00
IAT \SystemRoot\System32\Drivers\a9af14m2.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[672] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[672] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89D5B1F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbohci \Device\USBPDO-0 89C011F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89DCE1F8
Device \Driver\dmio \Device\DmControl\DmConfig 89DCE1F8
Device \Driver\dmio \Device\DmControl\DmPnP 89DCE1F8
Device \Driver\dmio \Device\DmControl\DmInfo 89DCE1F8
Device \Driver\usbehci \Device\USBPDO-1 89B2D1F8
Device \Driver\PCI_PNP7024 \Device\00000048 spgz.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbstor \Device\00000070 89B40500
Device \Driver\NetBT \Device\NetBT_Tcpip_{D14D2A9C-CEA2-4127-A2A1-50F5A495E383} 888621F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89D5D1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89D5D1F8
Device \Driver\Cdrom \Device\CdRom0 89B241F8
Device \Driver\atapi \Device\Ide\IdePort0 89D5C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89D5C1F8
Device \Driver\atapi \Device\Ide\IdePort1 89D5C1F8
Device \Driver\atapi \Device\Ide\IdePort2 89D5C1F8
Device \Driver\atapi \Device\Ide\IdePort3 89D5C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e 89D5C1F8
Device \Driver\Cdrom \Device\CdRom1 89B241F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 888621F8
Device \Driver\sptd \Device\3667475774 spgz.sys
Device \Driver\usbstor \Device\00000079 89B40500
Device \Driver\NetBT \Device\NetbiosSmb 888621F8
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbohci \Device\USBFDO-0 89C011F8
Device \Driver\usbstor \Device\0000007a 89B40500
Device \Driver\usbehci \Device\USBFDO-1 89B2D1F8
Device \Driver\usbstor \Device\0000007b 89B40500
Device \Driver\NetBT \Device\NetBT_Tcpip_{00268462-81A4-4109-87D9-4CB314A01D02} 888621F8
Device \Driver\usbstor \Device\0000007c 89B40500
Device \Driver\Ftdisk \Device\FtControl 89D5D1F8
Device \Driver\a9af14m2 \Device\Scsi\a9af14m21Port4Path0Target0Lun0 89A06500
Device \Driver\a9af14m2 \Device\Scsi\a9af14m21 89A06500
Device \FileSystem\Cdfs \Cdfs 899DB500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF2 0xCA 0x07 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0B 0x17 0x99 0x34 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7C 0xB0 0x08 0xA2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xD1 0x3E 0x2F 0x6C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x92 0x2E 0xCC 0x72 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x87 0x68 0x5F 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xF2 0xCA 0x07 0x50 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0B 0x17 0x99 0x34 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7C 0xB0 0x08 0xA2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xD1 0x3E 0x2F 0x6C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x92 0x2E 0xCC 0x72 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq3@hdf12 0x87 0x68 0x5F 0x8A ...

---- EOF - GMER 1.0.15 ----