GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-07-06 13:51:09 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD502HJ rev.1AJ10001 Running: 9dhm2xcq.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82E8A3C9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EC3D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text sptd.sys 8C692000 8 Bytes [34, 22, E2, 82, A0, 87, E1, ...] .text sptd.sys 8C692009 23 Bytes [87, E1, 82, 48, AB, E1, 82, ...] .text sptd.sys 8C692024 4 Bytes [44, 15, 7C, 8C] .text sptd.sys 8C69202C 18 Bytes [B1, 17, 0B, 83, C4, D9, 02, ...] {MOV CL, 0x17; OR EAX, [EBX-0x7cfd263c]; CMC ; ADD AL, [EBX+EAX*4]; AND [EBX-0x18], CH; XOR BL, 0x28} .text sptd.sys 8C69203F 91 Bytes [83, 5A, 35, E8, 82, C7, 35, ...] .text ... .sptd2 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd2" section [0x8C789D38] ? C:\Windows\System32\Drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. PAGE PCIIDEX.SYS!DllUnload 8C8BF606 5 Bytes JMP 858E81D8 .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x93011000, 0x2C21AE, 0xE8000020] .text USBPORT.SYS!DllUnload 928A3DB9 5 Bytes JMP 86C271D8 .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x81FC7300, 0x1B7E, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text D:\Programy\Eset\ekrn.exe[1740] kernel32.dll!SetUnhandledExceptionFilter 7667F4FB 4 Bytes [C2, 04, 00, 00] .text D:\Programy\Kies\External\FirmwareUpdate\KiesPDLR.exe[2656] ntdll.dll!DbgUiRemoteBreakin 777EF17D 1 Byte [C3] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8C6930C0] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8C693FE0] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [8C693574] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8C6941BC] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8C693362] \SystemRoot\System32\Drivers\sptd.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\system32\rundll32.exe[1720] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\rundll32.exe[1720] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\rundll32.exe[1720] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\rundll32.exe[1720] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [743924CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [7437562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [743756EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74392546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [743885AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74384D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74385105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [743851DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74386707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74388301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74388850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [743890B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7438E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1856] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74384C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\System32\XSrvSetup.exe[1900] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\XSrvSetup.exe[1900] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\XSrvSetup.exe[1900] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\XSrvSetup.exe[1900] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\XSrvSetup.exe[1900] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\XSrvSetup.exe[1900] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT D:\Programy\Gadu-Gadu 10\gg.exe[2596] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT D:\Programy\Gadu-Gadu 10\gg.exe[2596] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT D:\Programy\Gadu-Gadu 10\gg.exe[2596] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT D:\Programy\Gadu-Gadu 10\gg.exe[2596] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT D:\Programy\Gadu-Gadu 10\gg.exe[2596] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT D:\Programy\Gadu-Gadu 10\gg.exe[2596] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [757DFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 858EC1F8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET) Device \Driver\usbehci \Device\USBPDO-0 86BF81F8 Device \Driver\PCI_PNP6595 \Device\00000051 sptd.sys Device \Driver\PCI_PNP6595 \Device\00000051 sptd.sys Device \Driver\usbehci \Device\USBPDO-1 86BF81F8 Device \Driver\ACPI_HAL \Device\00000047 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\NetBT \Device\NetBT_Tcpip_{5BEA921A-DD7D-4706-9989-CE76F8B73528} 86B3C1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\NetBT \Device\NetBT_Tcpip_{25925F17-91D3-42C9-BB86-178145E9C1DD} 86B3C1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom0 866201F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 858EA1F8 Device \Driver\atapi \Device\Ide\IdePort0 858EA1F8 Device \Driver\atapi \Device\Ide\IdePort1 858EA1F8 Device \Driver\atapi \Device\Ide\IdePort2 858EA1F8 Device \Driver\atapi \Device\Ide\IdePort3 858EA1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 858EA1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom1 866201F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\NetBT \Device\NetBt_Wins_Export 86B3C1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{2032BB37-CAD3-492E-B17F-F350581381C7} 86B3C1F8 Device \Driver\usbehci \Device\USBFDO-0 86BF81F8 Device \Driver\usbehci \Device\USBFDO-1 86BF81F8 Device \Driver\accfrx56 \Device\Scsi\accfrx561 86C4C1F8 Device \Driver\accfrx56 \Device\Scsi\accfrx561Port5Path0Target0Lun0 86C4C1F8 ---- Threads - GMER 1.0.15 ---- Thread System [4:2580] A29A2F2E ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x08 0xDC 0xD4 0x47 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4A 0x94 0x72 0xD0 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB1 0xDD 0x3A 0x2D ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x08 0xDC 0xD4 0x47 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x4A 0x94 0x72 0xD0 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB1 0xDD 0x3A 0x2D ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\2A7527EE2A93F2D4D9CA9F2FB5A81E8D\Usage@Phone 1088815247 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{86D38FCA-C037-19EC-BF41-F8EEC7D49A9E} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{86D38FCA-C037-19EC-BF41-F8EEC7D49A9E}@iajmpclmaiadllnnmi 0x6B 0x61 0x6E 0x6C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{86D38FCA-C037-19EC-BF41-F8EEC7D49A9E}@hahmbefgpeaegcfo 0x6B 0x61 0x6E 0x6C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{86D38FCA-C037-19EC-BF41-F8EEC7D49A9E}@oakmjdpohejmaigkhaocnabjiehjlm 0x61 0x69 0x69 0x6C ... ---- EOF - GMER 1.0.15 ----