GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-06-02 08:31:36 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500JS-60MHB5 rev.10.02E04 Running: Gmer.exe; Driver: C:\DOCUME~1\kkk\USTAWI~1\Temp\pfgdrpod.sys ---- System - GMER 1.0.15 ---- SSDT sptd.sys ZwCreateKey [0xF72C50B0] SSDT F7B6016C ZwCreateThread SSDT sptd.sys ZwEnumerateKey [0xF72CA84E] SSDT sptd.sys ZwEnumerateValueKey [0xF72CABEE] SSDT sptd.sys ZwOpenKey [0xF72C5090] SSDT F7B60158 ZwOpenProcess SSDT F7B6015D ZwOpenThread SSDT sptd.sys ZwQueryKey [0xF72CACC6] SSDT sptd.sys ZwQueryValueKey [0xF72CAB46] SSDT sptd.sys ZwSetValueKey [0xF72CAD58] SSDT F7B60167 ZwTerminateProcess SSDT F7B60162 ZwWriteVirtualMemory ---- Kernel code sections - GMER 1.0.15 ---- ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF62C0360, 0x240F7E, 0xE8000020] .text USBPORT.SYS!DllUnload F62A08AC 5 Bytes JMP 86D351B8 ? System32\Drivers\arp9s83h.SYS System nie może odnaleźć określonej ścieżki. ! ? C:\WINDOWS\system32\drivers\blzblk.sys Nie można odnaleźć określonego pliku. ! init C:\WINDOWS\System32\atkosdmini.dll entry point in "init" section [0xBF050480] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72C5ABA] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72C5C00] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72C5B82] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72C672E] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72C6604] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72D8A9A] sptd.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 86F5D1D8 Device \FileSystem\Fastfat \FatCdrom 86200980 Device \FileSystem\Udfs \UdfsCdRom 86A23980 Device \FileSystem\Udfs \UdfsDisk 86A23980 Device \Driver\USBSTOR \Device\0000008f 861FF570 Device \Driver\usbuhci \Device\USBPDO-0 86D341D8 Device \Driver\usbuhci \Device\USBPDO-1 86D341D8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 86F5F1D8 Device \Driver\dmio \Device\DmControl\DmConfig 86F5F1D8 Device \Driver\dmio \Device\DmControl\DmPnP 86F5F1D8 Device \Driver\dmio \Device\DmControl\DmInfo 86F5F1D8 Device \Driver\usbehci \Device\USBPDO-2 86D1D1D8 Device \Driver\usbuhci \Device\USBPDO-3 86D341D8 Device \Driver\usbuhci \Device\USBPDO-4 86D341D8 Device \Driver\usbuhci \Device\USBPDO-5 86D341D8 Device \Driver\usbehci \Device\USBPDO-6 86D1D1D8 Device \Driver\NetBT \Device\NetBT_Tcpip_{13EC7901-7D3B-4B66-8716-AE3897991354} 86B17980 Device \Driver\Ftdisk \Device\HarddiskVolume1 86FD21D8 Device \Driver\Ftdisk \Device\HarddiskVolume2 86FD21D8 Device \Driver\Cdrom \Device\CdRom0 86D111D8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7218B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F7218B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F7218B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [F7218B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [F7218B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Cdrom \Device\CdRom1 86D111D8 Device \Driver\Cdrom \Device\CdRom2 86D111D8 Device \Driver\USBSTOR \Device\00000090 861FF570 Device \Driver\NetBT \Device\NetBt_Wins_Export 86B17980 Device \Driver\NetBT \Device\NetbiosSmb 86B17980 Device \Driver\NetBT \Device\NetBT_Tcpip_{D002C1DA-1703-4E07-AA33-1427AD7CBBEE} 86B17980 Device \Driver\00000048 \Device\0000004f sptd.sys Device \Driver\usbuhci \Device\USBFDO-0 86D341D8 Device \Driver\usbuhci \Device\USBFDO-1 86D341D8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86B44980 Device \Driver\usbehci \Device\USBFDO-2 86D1D1D8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 86B44980 Device \Driver\usbuhci \Device\USBFDO-3 86D341D8 Device \Driver\usbuhci \Device\USBFDO-4 86D341D8 Device \Driver\Ftdisk \Device\FtControl 86FD21D8 Device \Driver\usbuhci \Device\USBFDO-5 86D341D8 Device \Driver\usbehci \Device\USBFDO-6 86D1D1D8 Device \Driver\arp9s83h \Device\Scsi\arp9s83h1Port5Path0Target0Lun0 86AD6810 Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 86F5E1D8 Device \Driver\JRAID \Device\Scsi\JRAID1 86F5E1D8 Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target1Lun0 86F5E1D8 Device \Driver\arp9s83h \Device\Scsi\arp9s83h1 86AD6810 Device \FileSystem\Fastfat \Fat 86200980 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 86BD01D8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1190547817 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1583019703 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 F:\Program Files\deamon tools\DAEMON Tools\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0x8C 0x15 0xD1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE1 0x4F 0x24 0xFB ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDF 0x6B 0x87 0xCE ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 F:\Program Files\deamon tools\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0x8C 0x15 0xD1 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE1 0x4F 0x24 0xFB ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDF 0x6B 0x87 0xCE ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 F:\Program Files\deamon tools\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x66 0x8C 0x15 0xD1 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xE1 0x4F 0x24 0xFB ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xDF 0x6B 0x87 0xCE ... ---- EOF - GMER 1.0.15 ----