GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-17 02:27:50
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-19 ST3250310AS rev.3.AAC
Running: ee310ls6.exe; Driver: C:\DOCUME~1\Kris\USTAWI~1\Temp\kfporkob.sys


---- System - GMER 1.0.15 ----

SSDT spgc.sys ZwCreateKey [0xB9EB50E0]
SSDT spgc.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spgc.sys ZwEnumerateValueKey [0xB9ECE132]
SSDT spgc.sys ZwOpenKey [0xB9EB50C0]
SSDT spgc.sys ZwQueryKey [0xB9ECE20A]
SSDT spgc.sys ZwQueryValueKey [0xB9ECE08A]
SSDT spgc.sys ZwSetValueKey [0xB9ECE29C]

INT 0x62 ? 8A55EBF8
INT 0x63 ? 8A38BBF8
INT 0x73 ? 8A38BBF8
INT 0x83 ? 8A55EBF8

---- Kernel code sections - GMER 1.0.15 ----

? spgc.sys Nie można odnaleźć określonego pliku. !
.text USBPORT.SYS!DllUnload B99F78AC 5 Bytes JMP 8A38B1D8
.text C:\WINNT\system32\DRIVERS\ati2mtag.sys section is writeable [0xB94C3000, 0x1C5D38, 0xE8000020]
.text aex44yx4.SYS B9475386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aex44yx4.SYS B94753AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aex44yx4.SYS B94753C4 3 Bytes [00, 80, 02]
.text aex44yx4.SYS B94753C9 1 Byte [30]
.text aex44yx4.SYS B94753C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3036] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01269720 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3036] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 0149E21B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3036] kernel32.dll!MapViewOfFile 7C80B995 5 Bytes JMP 0149E1F4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3036] GDI32.dll!CreateDIBSection 77F19E09 5 Bytes JMP 0149E17E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3812] USER32.dll!SetWindowLongA 7E37C29D 5 Bytes JMP 106775F7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3812] USER32.dll!SetWindowLongW 7E37C2BB 5 Bytes JMP 10677589 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3812] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 1044FE0A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3812] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 104503C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spgc.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spgc.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spgc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spgc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spgc.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] spgc.sys
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\aex44yx4.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINNT\Explorer.EXE[1400] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A55D1F8
Device \Driver\PCI_PNP2026 \Device\00000041 spgc.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{FA88AC68-63A8-461C-9E6E-752E402169EB} 8905D1F8
Device \Driver\usbohci \Device\USBPDO-0 8A2A61F8
Device \Driver\usbehci \Device\USBPDO-1 8A2A21F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5CE1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5CE1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5CE1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5CE1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A55F1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A55F1F8
Device \Driver\Cdrom \Device\CdRom0 8A37C1F8
Device \Driver\atapi \Device\Ide\IdePort0 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-19 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A55F1F8
Device \Driver\Cdrom \Device\CdRom1 8A37C1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8905D1F8
Device \Driver\USBSTOR \Device\00000085 8809C1F8
Device \Driver\NetBT \Device\NetbiosSmb 8905D1F8
Device \Driver\USBSTOR \Device\00000086 8809C1F8
Device \Driver\sptd \Device\1492187026 spgc.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{428FC791-F3EE-438B-A0E6-17F4088A4317} 8905D1F8
Device \Driver\usbohci \Device\USBFDO-0 8A2A61F8
Device \Driver\usbehci \Device\USBFDO-1 8A2A21F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 890551F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 890551F8
Device \Driver\Ftdisk \Device\FtControl 8A55F1F8
Device \Driver\aex44yx4 \Device\Scsi\aex44yx41 8A1C7500
Device \Driver\aex44yx4 \Device\Scsi\aex44yx41Port4Path0Target0Lun0 8A1C7500
Device \FileSystem\Cdfs \Cdfs 882731F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE7 0xF7 0x7A 0xE4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5A 0xEB 0x9B 0x4D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x08 0x23 0xD7 0xB4 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDF 0x6A 0x4D 0xDC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5A 0xEB 0x9B 0x4D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x09 0x65 0x98 0x3B ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB8 0x8C 0x21 0x7A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x5A 0xEB 0x9B 0x4D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x08 0x23 0xD7 0xB4 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Kris\Dane aplikacji\OpenFM\CacheDir\covers\5c2de11631effadb184752b3ef2543b402888cac 3642 bytes

---- EOF - GMER 1.0.15 ----