GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-07 16:27:13
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK4058GSX rev.FF012A
Running: jy5b0piu.exe; Driver: C:\Users\Renata\AppData\Local\Temp\pxldypog.sys

---- System - GMER 1.0.15 ----

SSDT 997F9976 ZwCreateSection
SSDT 997F9980 ZwRequestWaitReplyPort
SSDT 997F997B ZwSetContextThread
SSDT 997F9985 ZwSetSecurityObject
SSDT 997F998A ZwSystemDebugControl
SSDT 997F9917 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E465D9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E6B092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 370 82E729B0 4 Bytes [76, 99, 7F, 99] {JBE 0xffffffffffffff9b; JG 0xffffffffffffff9d}
.text ntkrnlpa.exe!RtlSidHashLookup + 6CC 82E72D0C 4 Bytes [80, 99, 7F, 99]
.text ntkrnlpa.exe!RtlSidHashLookup + 711 82E72D51 3 Bytes [99, 7F, 99] {CDQ ; JG 0xffffffffffffff9c}
.text ntkrnlpa.exe!RtlSidHashLookup + 78C 82E72DCC 4 Bytes [85, 99, 7F, 99]
.text ntkrnlpa.exe!RtlSidHashLookup + 7E0 82E72E20 4 Bytes [8A, 99, 7F, 99]
.text ...
? System32\Drivers\spso.sys System nie może odnaleźć określonej ścieżki. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90E0A000, 0x2D5378, 0xE8000020]
.text USBPORT.SYS!DllUnload 8FB4DD18 5 Bytes JMP 868521D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8B285042] \SystemRoot\System32\Drivers\spso.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8B2856D6] \SystemRoot\System32\Drivers\spso.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8B285800] \SystemRoot\System32\Drivers\spso.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8B28513E] \SystemRoot\System32\Drivers\spso.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 855491F8
Device \FileSystem\udfs \UdfsCdRom 883A61F8
Device \FileSystem\udfs \UdfsDisk 883A61F8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)
Device \Driver\volmgr \Device\VolMgrControl 855441F8
Device \Driver\usbuhci \Device\USBPDO-0 868571F8
Device \Driver\usbuhci \Device\USBPDO-1 868571F8
Device \Driver\usbuhci \Device\USBPDO-2 868571F8
Device \Driver\usbehci \Device\USBPDO-3 86287500
Device \Driver\usbuhci \Device\USBPDO-4 868571F8
Device \Driver\usbuhci \Device\USBPDO-5 868571F8
Device \Driver\usbuhci \Device\USBPDO-6 868571F8
Device \Driver\volmgr \Device\HarddiskVolume1 855441F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\usbehci \Device\USBPDO-7 86287500
Device \Driver\volmgr \Device\HarddiskVolume2 855441F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 865561F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 855461F8
Device \Driver\atapi \Device\Ide\IdePort0 855461F8
Device \Driver\atapi \Device\Ide\IdePort1 855461F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 855461F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 855471F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 855471F8
Device \Driver\volmgr \Device\HarddiskVolume3 855441F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume4 855441F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBt_Wins_Export 865E31F8
Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBFDO-0 868571F8
Device \Driver\usbuhci \Device\USBFDO-1 868571F8
Device \Driver\usbuhci \Device\USBFDO-2 868571F8
Device \Driver\usbehci \Device\USBFDO-3 86287500
Device \Driver\usbuhci \Device\USBFDO-4 868571F8
Device \Driver\usbuhci \Device\USBFDO-5 868571F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{509E80A9-3326-4BE6-AAE7-65A3B31E867F} 865E31F8
Device \Driver\usbuhci \Device\USBFDO-6 868571F8
Device \Driver\usbehci \Device\USBFDO-7 86287500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7D 0xCE 0x46 0x90 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7D 0xCE 0x46 0x90 ...

---- EOF - GMER 1.0.15 ----