GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-28 10:28:48
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP3T0L0-10 ST3250410AS rev.3.AAC
Running: ccz9bu8h.exe; Driver: C:\DOCUME~1\lukasz\USTAWI~1\Temp\afkdyaog.sys


---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwAssignProcessToJobObject [0xF43404B0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwCreateThread [0xF43407F0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwDebugActiveProcess [0xF4340AB0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwDuplicateObject [0xF43405D0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwLoadDriver [0xF43408B0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwOpenProcess [0xF4340350]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwOpenThread [0xF4340410]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwProtectVirtualMemory [0xF4340570]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwQueueApcThread [0xF4340630]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwSetContextThread [0xF4340530]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwSetInformationThread [0xF43404F0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwSetSecurityObject [0xF4340670]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwSetSystemInformation [0xF4340870]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwSuspendProcess [0xF43403B0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwSuspendThread [0xF4340430]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwSystemDebugControl [0xF4340830]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwTerminateProcess [0xF4340370]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwTerminateThread [0xF4340470]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwWriteVirtualMemory [0xF43405F0]

INT 0x62  867DBCB8
INT 0x63  865DBCB8
INT 0x73  865DBCB8
INT 0x73  865DBCB8
INT 0x82  867DBCB8
INT 0x83  867DBCB8
INT 0x83  867DBCB8
INT 0x83  865DBCB8
INT 0x83  867DBCB8
INT 0xB4  865DBCB8

---- Kernel code sections - GMER 1.0.15 ----

.text   ntoskrnl.exe!_abnormal_termination + 440  804E2AAC 12 Bytes  [B0, 03, 34, F4, 30, 04, 34, ...] {MOV AL, 0x3; XOR AL, 0xf4; XOR [ESP+ESI], AL; HLT ; XOR [EAX], CL; XOR AL, 0xf4}
.sptd1  C:\WINDOWS\system32\drivers\sptd.sys  entry point in .sptd1 section [0xF77EAB2E]
.text   C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xF68AB380, 0x550AF5, 0xE8000020]
.text   USBPORT.SYS!DllUnload  F688B8AC 5 Bytes  JMP 865DB1C8

---- User code sections - GMER 1.0.15 ----

.text   C:\Program Files\ESET\ESET Smart Security\ekrn.exe[812] kernel32.dll!SetUnhandledExceptionFilter  7C84495D 4 Bytes  [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG]  [F76F6232] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR]  [F76F5730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR]  [F76F5F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [F76F5730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]  [F76F5914] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  atapi.sys[HAL.dll!READ_PORT_USHORT]  [F76F5856] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]  [F76F60F0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]  [F76F5F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]  865DB2F8
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [F7709EB0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs  867DA1E8
AttachedDevice  \FileSystem\Ntfs \Ntfs  eamon.sys (Amon monitor/ESET)
AttachedDevice  \Driver\Tcpip \Device\Ip  epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
Device          \Driver\usbuhci \Device\USBPDO-0  864301E8
Device          \Driver\usbuhci \Device\USBPDO-1  864301E8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{9B8B0359-0F89-49F6-BB98-41B2E7F3BC8A}  8583B1E8
Device          \Driver\usbuhci \Device\USBPDO-2  864301E8
Device          \Driver\usbuhci \Device\USBPDO-3  864301E8
Device          \Driver\usbehci \Device\USBPDO-4  864191E8
AttachedDevice  \Driver\Tcpip \Device\Tcp  epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
Device          \Driver\Cdrom \Device\CdRom0  8625F1E8
Device          \Driver\atapi \Device\Ide\IdePort0  [F765FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort1  [F765FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5  [F765FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort2  [F765FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort3  [F765FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b  [F765FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10  [F765FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\USBSTOR \Device\00000074  863A0430
Device          \Driver\USBSTOR \Device\00000075  863A0430
Device          \Driver\NetBT \Device\NetBt_Wins_Export  8583B1E8
Device          \Driver\NetBT \Device\NetbiosSmb  8583B1E8
AttachedDevice  \Driver\Tcpip \Device\Udp  epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice  \Driver\Tcpip \Device\RawIp  epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
Device          \Driver\usbuhci \Device\USBFDO-0  864301E8
Device          \Driver\usbuhci \Device\USBFDO-1  864301E8
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  857CF1E8
Device          \Driver\usbuhci \Device\USBFDO-2  864301E8
Device          \FileSystem\MRxSmb \Device\LanmanRedirector  857CF1E8
Device          \Driver\usbuhci \Device\USBFDO-3  864301E8
Device          \Driver\usbehci \Device\USBFDO-4  864191E8
Device          \FileSystem\Cdfs \Cdfs  8639F430

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x46 0x13 0x1D 0xCD ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0  C:\Program Files\DAEMON Tools
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0xFE 0xAF 0x70 0x29 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh  0x4A 0x8D 0x1D 0x68 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh  0x77 0x88 0xCB 0x47 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x46 0x13 0x1D 0xCD ...

---- EOF - GMER 1.0.15 ----
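Reading the scan above: every SSDT hook is attributed by GMER to ESET's ehdrv.sys, and every HAL port-I/O IAT hook in PCIIDEX.SYS, atapi.sys and i8042prt.sys to sptd.sys (Duplex Secure's SCSI pass-through driver, whose registry Cfg key points at C:\Program Files\DAEMON Tools), which matches the ESET Smart Security and DAEMON Tools installs the log itself shows. The 12 bytes reported at ntoskrnl.exe!_abnormal_termination + 440 (B0 03 34 F4 30 04 34 ...) are the little-endian values 0xF43403B0 and 0xF4340430, the same ehdrv.sys addresses listed as the ZwSuspendProcess and ZwSuspendThread SSDT hooks, so that entry is the service table data being pointed at the ESET driver rather than a second code patch. What a practitioner wants isolated are the hooks GMER could not map to any image: the INT vectors and the USBPORT.SYS DllUnload/DbgBreakPoint redirections, all landing in a handful of 0x865DBxxx/0x867DBxxx addresses. The script below is an added example, not part of GMER or of the original post: it parses hook lines in this log format, tallies attributed hooks per vendor against an analyst-supplied trust list (an assumption; nothing in the log defines one), and groups the unattributed hooks by shared destination so each address can be resolved in a kernel debugger before being called malicious. The embedded sample is a constructed subset of the scan with path separators restored.

```python
"""Triage hook entries from a GMER 1.0.15 log (added example; not GMER code)."""
import re
from collections import Counter, defaultdict

# Constructed sample: a subset of the scan above with path separators restored.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwOpenProcess [0xF4340350]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwWriteVirtualMemory [0xF43405F0]

INT 0x62  867DBCB8
INT 0x83  865DBCB8

---- Kernel code sections - GMER 1.0.15 ----

.text  USBPORT.SYS!DllUnload  F688B8AC 5 Bytes  JMP 865DB1C8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [F76F5730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]  865DB2F8
"""

# GMER attributes a hook as "module.sys (Description/Vendor)"; no such
# suffix means it could not map the destination to a loaded image.
ATTRIB_RE = re.compile(r"(\S+\.(?:sys|exe|dll))\s+\(([^()/]*)/([^()]*)\)", re.IGNORECASE)
# Hook destination in the spellings seen above: "[0xF4340350]", "[F76F5730]",
# "JMP 865DB1C8", or a bare address at end of line.
TARGET_RE = re.compile(
    r"\[(?:0x)?([0-9A-F]{8})\]|JMP\s+([0-9A-F]{8})|\s([0-9A-F]{8})\s*$", re.IGNORECASE
)


def parse_gmer(text):
    """Return one record per hook line: SSDT, INT, IAT and code-section patches."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        head = line.split(None, 1)[0]
        if head in ("SSDT", "IAT", "INT"):
            kind = head
        elif head.startswith("."):          # .text, .sptd1, ... section entries
            kind = "CODE"
        else:
            continue                        # Device/Reg lines are not hooks
        attrib = ATTRIB_RE.search(line)
        target = TARGET_RE.search(line)
        records.append({
            "kind": kind,
            "module": attrib.group(1).rsplit("\\", 1)[-1] if attrib else None,
            "vendor": attrib.group(3).strip() if attrib else None,
            "target": next(g for g in target.groups() if g).upper() if target else None,
            "line": line,
        })
    return records


def triage(text, trusted_vendors):
    """Split hooks into trusted-vendor, untrusted-vendor and unattributed buckets."""
    per_vendor = defaultdict(Counter)
    untrusted, unattributed = [], []
    for rec in parse_gmer(text):
        if rec["vendor"] is None:
            unattributed.append(rec)
            continue
        per_vendor[rec["vendor"]][rec["module"]] += 1
        if rec["vendor"] not in trusted_vendors:
            untrusted.append(rec)
    # Unattributed hooks that share a destination usually belong to one
    # component; resolve that address in a kernel debugger before judging it.
    shared = Counter(rec["target"] for rec in unattributed)
    return {
        "per_vendor": {v: dict(c) for v, c in per_vendor.items()},
        "untrusted": untrusted,
        "unattributed": unattributed,
        "unattributed_targets": dict(shared),
    }


if __name__ == "__main__":
    # Assumed trust list: the two vendors this particular host is known to run.
    result = triage(SAMPLE_LOG, trusted_vendors={"ESET", "Duplex Secure Ltd."})
    for vendor, modules in result["per_vendor"].items():
        print(f"{vendor}: {modules}")
    for rec in result["untrusted"]:
        print("UNTRUSTED VENDOR:", rec["line"])
    for rec in result["unattributed"]:
        print("UNATTRIBUTED:", rec["line"])
    print("shared unattributed targets:", result["unattributed_targets"])
```

Feed the full log instead of the sample and the per-vendor tally becomes a one-line sanity check against what is installed; anything that shows up under a vendor you did not expect, or in the unattributed bucket with a destination you cannot tie to a loaded module, is the entry to pull apart next.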