GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-19 20:32:53
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\00000067 ST932032 rev.0002
Running: noyvvruw.exe; Driver: C:\Users\Marcin\AppData\Local\Temp\kwxdrpoc.sys

---- System - GMER 1.0.15 ----

SSDT 9502018E ZwCreateSection
SSDT 95020198 ZwRequestWaitReplyPort
SSDT 95020193 ZwSetContextThread
SSDT 9502019D ZwSetSecurityObject
SSDT 950201A2 ZwSystemDebugControl
SSDT 9502012F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 830583D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83091D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 83098EEC 4 Bytes [8E, 01, 02, 95]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1553 83099248 4 Bytes [98, 01, 02, 95] {CWDE ; ADD [EDX], EAX; XCHG EBP, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1597 8309928C 4 Bytes [93, 01, 02, 95] {XCHG EBX, EAX; ADD [EDX], EAX; XCHG EBP, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1613 83099308 4 Bytes [9D, 01, 02, 95] {POPF ; ADD [EDX], EAX; XCHG EBP, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 8309935C 4 Bytes [A2, 01, 02, 95]
.text ...
? System32\Drivers\spin.sys System nie może odnaleźć określonej ścieżki. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91E27000, 0x37D761, 0xE8000020]
.text USBPORT.SYS!DllUnload 92A76DB9 5 Bytes JMP 870A51D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8C013042] \SystemRoot\System32\Drivers\spin.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8C0136D6] \SystemRoot\System32\Drivers\spin.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8C013800] \SystemRoot\System32\Drivers\spin.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8C01313E] \SystemRoot\System32\Drivers\spin.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [745D2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [745B5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [745B56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [745D24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [745C8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [745C4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [745C506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [745C5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [745C6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [745C826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [745C87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [745C901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [745CE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1744] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [745C4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\system32\HPSIsvc.exe[2372] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758BFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\HPSIsvc.exe[2372] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758BFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\HPSIsvc.exe[2372] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758BFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\HPSIsvc.exe[2372] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758BFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\HPSIsvc.exe[2372] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [758BFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\HPSIsvc.exe[2372] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [758BFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3776] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758BFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3776] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758BFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3776] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758BFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[3776] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758BFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85D641F8
Device \FileSystem\fastfat \FatCdrom 8B742500
Device \Driver\volmgr \Device\VolMgrControl 85D5E1F8
Device \Driver\usbohci \Device\USBPDO-0 870A71F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{8E07C906-D0D5-484C-87A6-9CE3430E1AC2} 86FC81F8
Device \Driver\usbohci \Device\USBPDO-1 870A71F8
Device \Driver\usbehci \Device\USBPDO-2 870AC1F8
Device \Driver\usbohci \Device\USBPDO-3 870A71F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6F57BC09-FA37-4880-BF30-2D5AE00EFEE2} 86FC81F8
Device \Driver\usbehci \Device\USBPDO-4 870AC1F8
Device \Driver\usbohci \Device\USBPDO-5 870A71F8
Device \Driver\volmgr \Device\HarddiskVolume1 85D5E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000058 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume2 85D5E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 86F091F8
Device \Driver\volmgr \Device\HarddiskVolume3 85D5E1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{71E9711A-F0D3-45A1-9515-9BECBA08A857} 86FC81F8
Device \Driver\amdsata \Device\00000067 85D621F8
Device \Driver\amdsata \Device\00000068 85D621F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86FC81F8
Device \Driver\amdsata \Device\RaidPort0 85D621F8
Device \Driver\usbohci \Device\USBFDO-0 870A71F8
Device \Driver\usbohci \Device\USBFDO-1 870A71F8
Device \Driver\usbehci \Device\USBFDO-2 870AC1F8
Device \Driver\usbohci \Device\USBFDO-3 870A71F8
Device \Driver\usbehci \Device\USBFDO-4 870AC1F8
Device \Driver\usbohci \Device\USBFDO-5 870A71F8
Device \FileSystem\fastfat \Fat 8B742500
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x26 0xAD 0x31 0xD8 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x26 0xAD 0x31 0xD8 ...

---- EOF - GMER 1.0.15 ----