GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-19 06:30:07
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.892C
Running: s1uzvpn3.exe; Driver: C:\DOCUME~1\KONICZ~1.PC1\USTAWI~1\Temp\fxddypow.sys


---- System - GMER 1.0.15 ----

SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwCreateKey [0xA1438152]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwDeleteKey [0xA14383D6]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwDeleteValueKey [0xA14383F8]
SSDT  spbr.sys  ZwEnumerateKey [0xF72A4CA4]
SSDT  spbr.sys  ZwEnumerateValueKey [0xF72A5032]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwOpenKey [0xA1438294]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwOpenProcess [0xA143800E]
SSDT  spbr.sys  ZwQueryKey [0xF72A510A]
SSDT  spbr.sys  ZwQueryValueKey [0xF72A4F8A]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwSetValueKey [0xA14383A8]

INT 0x62  ?  8A0A8BF8
INT 0x63  ?  8A037BF8
INT 0x73  ?  8959EF00
INT 0x84  ?  8959EF00
INT 0x94  ?  8959EF00

---- Kernel code sections - GMER 1.0.15 ----

?  spbr.sys  The system cannot find the file specified. !
.text  USBPORT.SYS!DllUnload  F57ED8AC 5 Bytes  JMP 8959E4E0
?  C:\WINDOWS\system32\drivers\mbam.sys  The system cannot find the file specified. !
.text  C:\WINDOWS\system32\DRIVERS\atksgt.sys  section is writeable [0x984FA300, 0x3ACC8, 0xE8000020]
.text  C:\WINDOWS\system32\DRIVERS\lirsgt.sys  section is writeable [0xF776F300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[832] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 01269720 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[832] kernel32.dll!VirtualAlloc  7C809AF1 5 Bytes  JMP 0149E21B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[832] kernel32.dll!MapViewOfFile  7C80B9A5 5 Bytes  JMP 0149E1F4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[832] GDI32.dll!CreateDIBSection  77F19E19 5 Bytes  JMP 0149E17E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[1324] USER32.dll!SetWindowLongA  7E37C29D 5 Bytes  JMP 106775F7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[1324] USER32.dll!SetWindowLongW  7E37C2BB 5 Bytes  JMP 10677589 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[1324] USER32.dll!GetWindowInfo  7E37C49C 5 Bytes  JMP 1044FE0A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[1324] USER32.dll!TrackPopupMenu  7E3B531E 5 Bytes  JMP 104503C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[4680] USER32.dll!TrackPopupMenu  7E3B531E 5 Bytes  JMP 104503C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [F7287042] spbr.sys
IAT  atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]  [F728713E] spbr.sys
IAT  atapi.sys[HAL.dll!READ_PORT_USHORT]  [F72870C0] spbr.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]  [F7287800] spbr.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]  [F72876D6] spbr.sys
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [F7296E9C] spbr.sys

---- Devices - GMER 1.0.15 ----

Device  8A0361F8
Device  Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device  88E46500
Device  Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device  \Driver\Tcpip \Device\Ip  GDTdiIcpt.sys (G Data Software AG)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.)
Device  \Driver\NetBT \Device\NetBT_Tcpip_{26A55E20-96B5-412E-8DCF-47F4E51F784A}  89187500
Device  \Driver\usbuhci \Device\USBPDO-0  895D9500
Device  \Driver\usbuhci \Device\USBPDO-1  895D9500
Device  \Driver\usbuhci \Device\USBPDO-2  895D9500
Device  \Driver\usbuhci \Device\USBPDO-3  895D9500
Device  \Driver\usbehci \Device\USBPDO-4  895D6500
Device  \Driver\Tcpip \Device\Tcp  GDTdiIcpt.sys (G Data Software AG)
Device  \Driver\Ftdisk \Device\HarddiskVolume1  8A0381F8
Device  \Driver\Cdrom \Device\CdRom0  895D7500
Device  \Driver\Ftdisk \Device\HarddiskVolume2  8A0381F8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{B5009795-9907-408A-830A-EEBDC65FBC0F}  89187500
Device  \Driver\iaStor \Device\Ide\iaStor0  [F71437B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort0  [F71E1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3  [F71E1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\iaStor \Device\Ide\IAAStorageDevice-0  [F71437B0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\Ftdisk \Device\HarddiskVolume3  8A0381F8
Device  \Driver\NetBT \Device\NetBt_Wins_Export  89187500
Device  \Driver\NetBT \Device\NetBT_Tcpip_{F0283770-CCC8-4B26-BA53-BE970580F3D7}  89187500
Device  \Driver\NetBT \Device\NetbiosSmb  89187500
Device  \Driver\Tcpip \Device\Udp  GDTdiIcpt.sys (G Data Software AG)
Device  \Driver\Tcpip \Device\RawIp  GDTdiIcpt.sys (G Data Software AG)
Device  \Driver\usbuhci \Device\USBFDO-0  895D9500
Device  \Driver\usbuhci \Device\USBFDO-1  895D9500
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  8922C500
Device  \Driver\Tcpip \Device\IPMULTICAST  GDTdiIcpt.sys (G Data Software AG)
Device  \Driver\usbuhci \Device\USBFDO-2  895D9500
Device  8922C500
Device  \Driver\usbuhci \Device\USBFDO-3  895D9500
Device  \Driver\usbehci \Device\USBFDO-4  895D6500
Device  \Driver\Ftdisk \Device\FtControl  8A0381F8
Device  891FA500

---- Processes - GMER 1.0.15 ----

Library  C:\WINDOWS\system32\AcSignIcon.dll (*** hidden *** ) @ C:\Program Files\ABBYY PDF Transformer 2.0\PDF X-Change\pdfSaver\pdfSaver3a.exe [5496]  0x10000000
Library  C:\Program (*** hidden *** ) @ C:\Program Files\ABBYY PDF Transformer 2.0\PDF X-Change\pdfSaver\pdfSaver3a.exe [5496]  0x03610000

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2  285507792
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xE7 0x49 0x93 0xC7 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x93 0x63 0x46 0x8E ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  1
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xE7 0x49 0x93 0xC7 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x93 0x63 0x46 0x8E ...

---- Files - GMER 1.0.15 ----

File  C:\System Volume Information\catalog.wci\CiFLfffc.000  0 bytes
File  C:\System Volume Information\catalog.wci\CiFLfffc.001  0 bytes
File  C:\System Volume Information\catalog.wci\CiFLfffc.002  0 bytes

---- EOF - GMER 1.0.15 ----
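Triage helper, added here as an example and not part of the GMER log or of GMER itself: it parses the SSDT, Kernel-code-section and Kernel IAT/EAT entries in GMER's one-entry-per-line format, groups the hooks by the module that owns the hook target, and records whether the module carried version-info vendor text and whether GMER could open its image on disk. The sample input is constructed from lines of the log above. The ordering rule in needs_attention (no vendor string plus image not found on disk) is my heuristic, not something GMER reports; the sptd\Cfg registry keys in the log belong to a disc-emulation driver (SPTD) that is well known for hooking registry syscalls and hiding its image in exactly this way, so a hit means "identify this module", not "rootkit".

```python
"""Triage helper for GMER rootkit-scan logs: who is hooking the kernel?"""
import re
from collections import defaultdict

# Constructed sample input: entries copied from the GMER log above, in the
# one-entry-per-line layout GMER writes. Only part of the System, Kernel code
# sections and Kernel IAT/EAT sections is reproduced; paths and addresses are as logged.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwCreateKey [0xA1438152]
SSDT  spbr.sys  ZwEnumerateKey [0xF72A4CA4]
SSDT  spbr.sys  ZwEnumerateValueKey [0xF72A5032]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwOpenProcess [0xA143800E]
SSDT  spbr.sys  ZwQueryKey [0xF72A510A]

---- Kernel code sections - GMER 1.0.15 ----

?  spbr.sys  The system cannot find the file specified. !
.text  USBPORT.SYS!DllUnload  F57ED8AC 5 Bytes  JMP 8959E4E0

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [F7287042] spbr.sys
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [F7296E9C] spbr.sys
"""

SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)"            # hooking module: bare name or \??\ path
    r"(?:\s+\((?P<vendor>[^)]*)\))?"      # optional "(Description/Vendor)" from the file's version info
    r"\s+(?P<func>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]"
)
IAT_RE = re.compile(
    r"^IAT\s+(?P<target>[^\s\[]+)\[(?P<import>[^\]]+)\]"  # patched driver and the import it calls
    r"\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)"    # where the pointer now lands, and in which module
)
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+The system cannot find the file specified\.")


def module_name(path: str) -> str:
    r"""Reduce '\??\C:\WINDOWS\system32\drivers\HookCentre.sys' to 'HookCentre.sys'."""
    return path.rsplit("\\", 1)[-1]


def parse_hooks(log: str) -> list[dict]:
    """Return one record per SSDT or IAT hook GMER reported."""
    hooks = []
    for line in log.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            hooks.append({"kind": "SSDT", "module": module_name(m["module"]),
                          "vendor": m["vendor"], "what": m["func"], "addr": m["addr"]})
        elif m := IAT_RE.match(line):
            hooks.append({"kind": "IAT", "module": module_name(m["module"]), "vendor": None,
                          "what": f"{module_name(m['target'])}[{m['import']}]",
                          "addr": "0x" + m["addr"]})
    return hooks


def missing_on_disk(log: str) -> set[str]:
    """Modules GMER saw loaded in the kernel but could not open on disk ('?' lines)."""
    return {module_name(m["module"]) for l in log.splitlines() if (m := MISSING_RE.match(l.strip()))}


def summarize(log: str) -> dict[str, dict]:
    """Group hooks per module; keep its vendor text and whether the image was found on disk."""
    gone = missing_on_disk(log)
    summary: dict[str, dict] = defaultdict(lambda: {"vendor": None, "hooks": [], "on_disk": True})
    for h in parse_hooks(log):
        entry = summary[h["module"]]
        entry["vendor"] = entry["vendor"] or h["vendor"]
        entry["hooks"].append(f'{h["kind"]}:{h["what"]}')
        entry["on_disk"] = h["module"] not in gone
    return dict(summary)


def needs_attention(log: str) -> list[str]:
    """Hooking modules with no vendor string whose image GMER could not open.
    Heuristic triage order only (assumption of this example): commercial drivers that
    hide their image, disc-emulation software among them, trip it too. Identify first."""
    return sorted(name for name, e in summarize(log).items()
                  if e["vendor"] is None and not e["on_disk"])


if __name__ == "__main__":
    for name, e in summarize(SAMPLE_LOG).items():
        print(f"{name}: vendor={e['vendor']!r} on_disk={e['on_disk']} hooks={len(e['hooks'])}")
    print("needs attention:", needs_attention(SAMPLE_LOG))
```

Run against a complete GMER log (read the file into `log` and call `summarize(log)`) to get the same per-module view; the regexes only recognise the SSDT, IAT and "file not found" line shapes shown, so INT, Device and Reg entries are left alone.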