GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-07 02:10:18
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST9160827AS rev.3.AAA
Running: 1f0s4504.exe; Driver: C:\DOCUME~1\Monika\USTAWI~1\Temp\uxtdypod.sys

---- System - GMER 1.0.15 ----

SSDT BA78217C ZwClose
SSDT BA782136 ZwCreateKey
SSDT BA782186 ZwCreateSection
SSDT BA78212C ZwCreateThread
SSDT BA78213B ZwDeleteKey
SSDT BA782145 ZwDeleteValueKey
SSDT BA782177 ZwDuplicateObject
SSDT BA78214A ZwLoadKey
SSDT BA782118 ZwOpenProcess
SSDT BA78211D ZwOpenThread
SSDT BA782154 ZwReplaceKey
SSDT BA78214F ZwRestoreKey
SSDT BA78218B ZwSetContextThread
SSDT BA782140 ZwSetValueKey
SSDT BA782127 ZwTerminateProcess

INT 0x62 ? 8A4B7CB8
INT 0x63 ? 8A33DCB8
INT 0x83 ? 8A4B7CB8
INT 0x83 ? 8A4B7CB8
INT 0x83 ? 8A33DCB8
INT 0x83 ? 8A33DCB8
INT 0x83 ? 8A4B7CB8

---- Kernel code sections - GMER 1.0.15 ----

.sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xB9FA1089]
.text USBPORT.SYS!DllUnload B9CDD8AC 5 Bytes JMP 8A33D1C8
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9489360, 0x305987, 0xE8000020]
.text a61if6aj.SYS!A0DB34FC6FE35D429A28ADDE5467D4D7 B93D19B0 48 Bytes [13, 9C, 5F, 6D, F2, 45, D5, ...]
INIT a61if6aj.SYS!A0DB34FC6FE35D429A28ADDE5467D4D7 + 968E B93DB03E 32 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
INIT a61if6aj.SYS!A0DB34FC6FE35D429A28ADDE5467D4D7 + 9EC4 B93DB874 3 Bytes [00, 00, 00]
INIT a61if6aj.SYS!A0DB34FC6FE35D429A28ADDE5467D4D7 + 9EE2 B93DB892 2 Bytes [3D, B9]
INIT a61if6aj.SYS!A0DB34FC6FE35D429A28ADDE5467D4D7 + 9EE6 B93DB896 2 Bytes [3D, B9]
INIT ...
? C:\WINDOWS\System32\Drivers\a61if6aj.SYS suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1960] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01265B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B9E8F232] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B9E8E730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B9E8EF12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9E8E730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9E8E914] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9E8E856] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9E8F0F0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9E8EF12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EA2EA6] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 88D37430
Device \FileSystem\Fastfat \FatCdrom 8A4B61E8
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{EE9BD93F-3A93-40D6-BCE6-FE6C29B041A8} 890871E8
Device \Driver\usbohci \Device\USBPDO-0 8A28B1E8
Device \Driver\usbehci \Device\USBPDO-1 8A3351E8
Device \Driver\usbohci \Device\USBPDO-2 8A28B1E8
Device \Driver\PCI_PNP0576 \Device\00000046 sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
Device \Driver\PCI_PNP0576 \Device\00000046 sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
Device \Driver\usbehci \Device\USBPDO-3 8A3351E8
Device \Driver\Cdrom \Device\CdRom0 8A3201E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{4220C96D-37B5-4769-842D-167676227ABB} 890871E8
Device \Driver\atapi \Device\Ide\IdePort0 [B9E1EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E1EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E1EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9E1EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9E1EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [B9E1EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8A3201E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 890871E8
Device \Driver\NetBT \Device\NetbiosSmb 890871E8
Device \Driver\usbohci \Device\USBFDO-0 8A28B1E8
Device \Driver\usbehci \Device\USBFDO-1 8A3351E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88D471E8
Device \Driver\usbohci \Device\USBFDO-2 8A28B1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88D471E8
Device \Driver\usbehci \Device\USBFDO-3 8A3351E8
Device \Driver\a61if6aj \Device\Scsi\a61if6aj1Port4Path0Target0Lun0 8A1331E8
Device \Driver\a61if6aj \Device\Scsi\a61if6aj1 8A1331E8
Device \FileSystem\Fastfat \Fat 8A4B61E8
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 88D391E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x38 0x13 0xDB 0x37 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDC 0xF7 0x90 0x2B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFD 0x2D 0xC6 0x34 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x38 0x13 0xDB 0x37 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDC 0xF7 0x90 0x2B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFD 0x2D 0xC6 0x34 ...

---- EOF - GMER 1.0.15 ----