GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-26 19:35:14
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 WDC_WD3200AAKS-00B3A0 rev.01.03A01
Running: 6k995e8j.exe; Driver: C:\DOCUME~1\Ja\USTAWI~1\Temp\pxtdypog.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xAC209610]
SSDT spev.sys ZwCreateKey [0xB9EB50E0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xAC209C10]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xAC209730]
SSDT spev.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spev.sys ZwEnumerateValueKey [0xB9ECE132]
SSDT spev.sys ZwOpenKey [0xB9EB50C0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xAC2094B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xAC209570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xAC2096D0]
SSDT spev.sys ZwQueryKey [0xB9ECE20A]
SSDT spev.sys ZwQueryValueKey [0xB9ECE08A]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xAC209790]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xAC209690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xAC209650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xAC2097D0]
SSDT spev.sys ZwSetValueKey [0xB9ECE29C]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xAC209510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xAC209590]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xAC2094D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xAC2095D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xAC209750]

INT 0x63 ? 89E52BF8
INT 0x63 ? 89E52BF8
INT 0x63 ? 89E52BF8
INT 0x63 ? 89E52BF8
INT 0x63 ? 89E52BF8
INT 0x83 ? 89E52BF8
INT 0x83 ? 89E52BF8
INT 0x83 ? 89E51BF8
INT 0x84 ? 89E51BF8
INT 0x94 ? 89E51BF8
INT 0xA4 ? 89E51BF8
INT 0xA4 ? 89E51BF8
INT 0xA4 ? 89E51BF8
INT 0xA4 ? 89E51BF8
INT 0xB4 ? 89E51BF8

---- Kernel code sections - GMER 1.0.15 ----

? spev.sys Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8E02000, 0x230C27, 0xE8000020]
.text USBPORT.SYS!DllUnload B8DB98AC 5 Bytes JMP 89E511D8
.text a7c9lm12.SYS B8D04386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a7c9lm12.SYS B8D043AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a7c9lm12.SYS B8D043C4 3 Bytes [00, 80, 02]
.text a7c9lm12.SYS B8D043C9 1 Byte [30]
.text a7c9lm12.SYS B8D043C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[736] kernel32.dll!SetUnhandledExceptionFilter 7C844935 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3492] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 0126C930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3492] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 0149E0AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3492] kernel32.dll!MapViewOfFile 7C80B9A5 5 Bytes JMP 0149E083 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3492] GDI32.dll!CreateDIBSection 77F19E19 5 Bytes JMP 0149E00D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spev.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spev.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spev.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spev.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spev.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] spev.sys
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!KeGetCurrentIrql] 9E880000
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!KfRaiseIrql] 00001CB1
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!KfLowerIrql] 0E798366
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!HalGetInterruptVector] 74AAB000
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!HalTranslateBusAddress] 8986C636
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!READ_PORT_USHORT] 001C9686
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[WMILIB.SYS!WmiSystemControl] 8800001C
IAT \SystemRoot\System32\Drivers\a7c9lm12.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89DDF1F8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\NetBT \Device\NetBT_Tcpip_{46CDEEE3-9561-4688-BA63-2180F9B35BF2} 88FD11F8
Device \Driver\usbuhci \Device\USBPDO-0 89C4B1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89DE41F8
Device \Driver\dmio \Device\DmControl\DmConfig 89DE41F8
Device \Driver\dmio \Device\DmControl\DmPnP 89DE41F8
Device \Driver\dmio \Device\DmControl\DmInfo 89DE41F8
Device \Driver\usbuhci \Device\USBPDO-1 89C4B1F8
Device \Driver\usbuhci \Device\USBPDO-2 89C4B1F8
Device \Driver\usbehci \Device\USBPDO-3 89BB01F8
Device \Driver\usbuhci \Device\USBPDO-4 89C4B1F8
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
Device \Driver\usbuhci \Device\USBPDO-5 89C4B1F8
Device \Driver\PCI_PNP1198 \Device\00000049 spev.sys
Device \Driver\usbuhci \Device\USBPDO-6 89C4B1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89E531F8
Device \Driver\usbehci \Device\USBPDO-7 89BB01F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89E531F8
Device \Driver\Cdrom \Device\CdRom0 89B711F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-12 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-7 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort4 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort5 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 89B711F8
Device \Driver\Cdrom \Device\CdRom2 89B711F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 88FD11F8
Device \Driver\sptd \Device\2622714948 spev.sys
Device \Driver\NetBT \Device\NetbiosSmb 88FD11F8
Device \Driver\usbuhci \Device\USBFDO-0 89C4B1F8
Device \Driver\usbuhci \Device\USBFDO-1 89C4B1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88FC51F8
Device \Driver\usbuhci \Device\USBFDO-2 89C4B1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 88FC51F8
Device \Driver\usbehci \Device\USBFDO-3 89BB01F8
Device \Driver\usbuhci \Device\USBFDO-4 89C4B1F8
Device \Driver\Ftdisk \Device\FtControl 89E531F8
Device \Driver\usbuhci \Device\USBFDO-5 89C4B1F8
Device \Driver\usbuhci \Device\USBFDO-6 89C4B1F8
Device \Driver\usbehci \Device\USBFDO-7 89BB01F8
Device \Driver\a7c9lm12 \Device\Scsi\a7c9lm121Port6Path0Target1Lun0 89B231F8
Device \Driver\a7c9lm12 \Device\Scsi\a7c9lm121Port6Path0Target0Lun0 89B231F8
Device \Driver\a7c9lm12 \Device\Scsi\a7c9lm121 89B231F8
Device \FileSystem\Cdfs \Cdfs 89B2D1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB3 0x5F 0x11 0xDD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x03 0x14 0x7C 0x3C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5C 0xB2 0x34 0x91 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xD6 0x3E 0x0C 0x14 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB3 0x5F 0x11 0xDD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x03 0x14 0x7C 0x3C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5C 0xB2 0x34 0x91 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xD6 0x3E 0x0C 0x14 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 625121283

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Ja\Pulpit\Nowy folder (6)\Nowy folder\Nowy folder (12)\Nowy folder (10)\Nowy folder (5)\Nowy folder (3)\Ferguson_AF\Lista Ferguson AFxx18_ Hotbird by JAKITAKI_08-02-2010\DarHol_Channel_Editor_0.8\DarHol Channel Editor 0.8\dhce0.8\lang\polski.lang 17228 bytes
File C:\Documents and Settings\Ja\Pulpit\Nowy folder (6)\Nowy folder\Nowy folder (12)\Nowy folder (10)\Nowy folder (5)\Nowy folder (3)\Ferguson_AF\Lista Ferguson AFxx18_ Hotbird by JAKITAKI_08-02-2010\DarHol_Channel_Editor_0.8\DarHol Channel Editor 0.8\dhce0.8\sdx\0130.sdx 781952 bytes

---- EOF - GMER 1.0.15 ----