GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-05-23 19:58:53 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD5000AAKS-00A7B2 rev.01.03B01 Running: gmer.exe; Driver: C:\DOCUME~1\FFooXX\USTAWI~1\Temp\ugpyafow.sys ---- System - GMER 1.0.15 ---- SSDT spil.sys ZwCreateKey [0xB7EB50E0] SSDT spil.sys ZwEnumerateKey [0xB7ECDDA4] SSDT spil.sys ZwEnumerateValueKey [0xB7ECE132] SSDT spil.sys ZwOpenKey [0xB7EB50C0] SSDT spil.sys ZwQueryKey [0xB7ECE20A] SSDT spil.sys ZwQueryValueKey [0xB7ECE08A] SSDT spil.sys ZwSetValueKey [0xB7ECE29C] INT 0x62 ? 8A709BF8 INT 0x82 ? 8A709BF8 INT 0x83 ? 8A4E8DC8 INT 0xA4 ? 8A4E8DC8 INT 0xB4 ? 8A4E8DC8 ---- Kernel code sections - GMER 1.0.15 ---- ? spil.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6DA4360, 0x3E57A5, 0xE8000020] .text USBPORT.SYS!DllUnload B6D168AC 5 Bytes JMP 8A4E83A8 .text a7y4ii2b.SYS B6C8E386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...] .text a7y4ii2b.SYS B6C8E3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text a7y4ii2b.SYS B6C8E3C4 3 Bytes [00, 80, 02] .text a7y4ii2b.SYS B6C8E3C9 1 Byte [30] .text a7y4ii2b.SYS B6C8E3C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL} .text ... ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\RTHDCPL.EXE[520] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\WINDOWS\RTHDCPL.EXE[520] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[528] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\DivX\DivX Update\DivXUpdate.exe[528] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\WINDOWS\system32\RUNDLL32.EXE[620] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\WINDOWS\system32\RUNDLL32.EXE[620] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[664] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\Renesas Electronics\USB 3.0 Host Controller Driver\Application\nusb3mon.exe[664] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\WINDOWS\system32\LVCOMSX.EXE[732] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\WINDOWS\system32\LVCOMSX.EXE[732] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[768] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[768] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\SweetIM\Messenger\SweetIM.exe[780] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\SweetIM\Messenger\SweetIM.exe[780] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe[816] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\SweetIM\Communicator\SweetPacksUpdateManager.exe[816] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\Western Digital\WD Quick View\WDDMStatus.exe[848] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\Western Digital\WD Quick View\WDDMStatus.exe[848] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\Eset\nod32kui.exe[864] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\Eset\nod32kui.exe[864] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\uTorrent\uTorrent.exe[1100] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\uTorrent\uTorrent.exe[1100] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[1244] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[1244] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[1244] USER32.dll!SetWindowLongA 7E37C29D 5 Bytes JMP 10665EE6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[1244] USER32.dll!SetWindowLongW 7E37C2BB 5 Bytes JMP 10665E78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[1244] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 10454822 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[1244] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 10454DD6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\WINDOWS\system32\ctfmon.exe[1388] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\WINDOWS\system32\ctfmon.exe[1388] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\Vtune\TBPANEL.exe[1572] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\Vtune\TBPANEL.exe[1572] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\Gadu-Gadu 10\gg.exe[1588] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\Gadu-Gadu 10\gg.exe[1588] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[1940] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\Windows Media Player\WMPNSCFG.exe[1940] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\Mozilla Firefox\firefox.exe[2288] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 0126C930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2288] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 0149E0AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2288] kernel32.dll!MapViewOfFile 7C80B9A5 5 Bytes JMP 0149E083 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2288] GDI32.dll!CreateDIBSection 77F19E19 5 Bytes JMP 0149E00D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Eset\nod32.exe[2668] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\Eset\nod32.exe[2668] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Documents and Settings\FFooXX\Pulpit\gmer.exe[2724] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Documents and Settings\FFooXX\Pulpit\gmer.exe[2724] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\WINDOWS\system32\wuauclt.exe[3460] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\WINDOWS\system32\wuauclt.exe[3460] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] .text C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe[3804] kernel32.dll!TerminateProcess 7C801E1A 1 Byte [C3] .text C:\Program Files\TuneUp Utilities 2010\TuneUpUtilitiesApp32.exe[3804] kernel32.dll!TerminateThread 7C81CB3B 1 Byte [C3] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EB6042] spil.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EB613E] spil.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EB60C0] spil.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EB6800] spil.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EB66D6] spil.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EC5B90] spil.sys IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88 IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!KeGetCurrentIrql] 9E880000 IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!KfRaiseIrql] 00001CB1 IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!KfLowerIrql] 0E798366 IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!HalGetInterruptVector] 74AAB000 IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!HalTranslateBusAddress] 8986C636 IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6 IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000 IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!READ_PORT_USHORT] 001C9686 IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200 IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2 IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[WMILIB.SYS!WmiSystemControl] 8800001C IAT \SystemRoot\System32\Drivers\a7y4ii2b.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A7081F8 Device \FileSystem\Fastfat \FatCdrom 8854E1F8 Device \Driver\usbuhci \Device\USBPDO-0 8A3FC1F8 Device \Driver\usbuhci \Device\USBPDO-1 8A3FC1F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A69A1F8 Device \Driver\dmio \Device\DmControl\DmConfig 8A69A1F8 Device \Driver\dmio \Device\DmControl\DmPnP 8A69A1F8 Device \Driver\dmio \Device\DmControl\DmInfo 8A69A1F8 Device \Driver\PCI_PNP1418 \Device\00000045 spil.sys Device \Driver\usbuhci \Device\USBPDO-2 8A3FC1F8 Device \Driver\usbuhci \Device\USBPDO-3 8A3FC1F8 Device \Driver\sptd \Device\357172668 spil.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{9C974794-2579-4E03-8FFB-17F4960CD98C} 89979500 Device \Driver\usbehci \Device\USBPDO-4 8A3E21F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 8A70A1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A70A1F8 Device \Driver\Cdrom \Device\CdRom0 8A49D1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume3 8A70A1F8 Device \Driver\Cdrom \Device\CdRom1 8A49D1F8 Device \Driver\Ftdisk \Device\HarddiskVolume4 8A70A1F8 Device \Driver\USBSTOR \Device\00000080 8A315500 Device \Driver\USBSTOR \Device\00000081 8A315500 Device \Driver\NetBT \Device\NetBt_Wins_Export 89979500 Device \Driver\USBSTOR \Device\00000084 8A315500 Device \Driver\USBSTOR \Device\00000085 8A315500 Device \Driver\NetBT \Device\NetbiosSmb 89979500 Device \Driver\USBSTOR \Device\00000086 8A315500 Device \Driver\usbuhci \Device\USBFDO-0 8A3FC1F8 Device \Driver\usbuhci \Device\USBFDO-1 8A3FC1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89A1E500 Device \Driver\usbuhci \Device\USBFDO-2 8A3FC1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89A1E500 Device \Driver\USBSTOR \Device\0000007c 8A315500 Device \Driver\usbuhci \Device\USBFDO-3 8A3FC1F8 Device \Driver\USBSTOR \Device\0000007d 8A315500 Device \Driver\usbehci \Device\USBFDO-4 8A3E21F8 Device \Driver\Ftdisk \Device\FtControl 8A70A1F8 Device \Driver\USBSTOR \Device\0000007e 8A315500 Device \Driver\USBSTOR \Device\0000007f 8A315500 Device \Driver\a7y4ii2b \Device\Scsi\a7y4ii2b1 8A38B1F8 Device \Driver\a7y4ii2b \Device\Scsi\a7y4ii2b1Port2Path0Target1Lun0 8A38B1F8 Device \FileSystem\Fastfat \Fat 8854E1F8 AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 897EE500 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x51 0xC8 0x49 0xE1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x91 0x98 0x86 0x9F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD0 0xB0 0x77 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x2C 0x2B 0x53 0xB7 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x51 0xC8 0x49 0xE1 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x91 0x98 0x86 0x9F ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD0 0xB0 0x77 0x02 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x2C 0x2B 0x53 0xB7 ... ---- EOF - GMER 1.0.15 ----