GMER 1.0.15.15507 - http://www.gmer.net
Rootkit scan 2010-11-06 23:04:35
Windows 5.1.2600 Service Pack 3
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-12 ST3500820AS SD81
Running: 6m1zhbup.exe; Driver: C:\DOCUME~1\Buki\USTAWI~1\Temp\pxtdqpog.sys


---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwAssignProcessToJobObject [0xB5EA0610]
SSDT  spnw.sys  ZwCreateKey [0xB9EA70E0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwDebugActiveProcess [0xB5EA0C10]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwDuplicateObject [0xB5EA0730]
SSDT  spnw.sys  ZwEnumerateKey [0xB9EC5CA4]
SSDT  spnw.sys  ZwEnumerateValueKey [0xB9EC6032]
SSDT  spnw.sys  ZwOpenKey [0xB9EA70C0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwOpenProcess [0xB5EA04B0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwOpenThread [0xB5EA0570]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwProtectVirtualMemory [0xB5EA06D0]
SSDT  spnw.sys  ZwQueryKey [0xB9EC610A]
SSDT  spnw.sys  ZwQueryValueKey [0xB9EC5F8A]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwSetContextThread [0xB5EA0690]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwSetInformationThread [0xB5EA0650]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwSetSecurityObject [0xB5EA07D0]
SSDT  spnw.sys  ZwSetValueKey [0xB9EC619C]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwSuspendProcess [0xB5EA0510]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwSuspendThread [0xB5EA0590]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwTerminateProcess [0xB5EA04D0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwTerminateThread [0xB5EA05D0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)  ZwWriteVirtualMemory [0xB5EA0750]

INT 0x62  ?  8ACC9BF8
INT 0x63  ?  8ACC9BF8
INT 0x63  ?  8ACC9BF8
INT 0x63  ?  8AAB4BF8
INT 0x63  ?  8ACC9BF8
INT 0x82  ?  8ACC9BF8
INT 0x83  ?  8ACC9BF8
INT 0x83  ?  8ACC9BF8
INT 0x83  ?  8AAB4BF8
INT 0x83  ?  8ACC9BF8
INT 0x84  ?  8AAB4BF8
INT 0xA4  ?  8AAB4BF8
INT 0xA4  ?  8AAB4BF8
INT 0xA4  ?  8AAB4BF8
INT 0xA4  ?  8AAB4BF8
INT 0xB4  ?  8AAB4BF8

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 2FD8  80504874 8 Bytes  JMP EA0590B5
.text  ntkrnlpa.exe!ZwCallbackReturn + 2FE8  80504884 8 Bytes  JMP EA05D0B5
?  spnw.sys  The system cannot find the file specified. !
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB9488380, 0x34C81F, 0xE8000020]
.text  USBPORT.SYS!DllUnload  B94688AC 5 Bytes  JMP 8AAB41D8
.text  apjvc44y.SYS  B939E386 35 Bytes  [00, 00, 00, 00, 00, 00, 20, ...]
.text  apjvc44y.SYS  B939E3AA 24 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text  apjvc44y.SYS  B939E3C4 3 Bytes  [00, 70, 02] {ADD [EAX+0x2], DH}
.text  apjvc44y.SYS  B939E3C9 1 Byte  [30]
.text  apjvc44y.SYS  B939E3C9 11 Bytes  [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text  ...
---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\ESET\ESET Smart Security\ekrn.exe[360] kernel32.dll!SetUnhandledExceptionFilter  7C84495D 4 Bytes  [C2, 04, 00, 00]
.text  E:\Program Files\Mozilla Firefox\plugin-container.exe[3140] USER32.dll!TrackPopupMenu  7E3B531E 5 Bytes  JMP 10405CF5 E:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  E:\Program Files\Mozilla Firefox\firefox.exe[3224] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 004013F0 E:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [B9EA8042] spnw.sys
IAT  atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]  [B9EA813E] spnw.sys
IAT  atapi.sys[HAL.dll!READ_PORT_USHORT]  [B9EA80C0] spnw.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]  [B9EA8800] spnw.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]  [B9EA86D6] spnw.sys
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [B9EB7E9C] spnw.sys
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!KfAcquireSpinLock]  18C4830E
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!READ_PORT_UCHAR]  1C8D9E88
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!KeGetCurrentIrql]  9E880000
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!KfRaiseIrql]  00001CA9
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!KfLowerIrql]  0E798366
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!HalGetInterruptVector]  74AAB000
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!HalTranslateBusAddress]  8186C636
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!KeStallExecutionProcessor]  1A00001C
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!KfReleaseSpinLock]  1C8386C6
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!READ_PORT_BUFFER_USHORT]  C6020000
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!READ_PORT_USHORT]  001C8E86
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT]  86C60200
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[HAL.dll!WRITE_PORT_UCHAR]  00001CAA
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[WMILIB.SYS!WmiSystemControl]  8800001C
IAT  \SystemRoot\System32\Drivers\apjvc44y.SYS[WMILIB.SYS!WmiCompleteRequest]  001CB19E

---- Devices - GMER 1.0.15 ----

Device  8ACC81F8
Device  Ntfs.sys (NT File System Driver/Microsoft Corporation)

AttachedDevice  \Driver\Tcpip \Device\Ip  epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device  \Driver\NetBT \Device\NetBT_Tcpip_{43019691-9C9A-42E2-988C-30ABF6D3AD9D}  8A6CF500
Device  \Driver\usbuhci \Device\USBPDO-0  8AAE71F8
Device  \Driver\sptd \Device\133462722  spnw.sys
Device  \Driver\usbuhci \Device\USBPDO-1  8AAE71F8
Device  \Driver\usbuhci \Device\USBPDO-2  8AAE71F8
Device  \Driver\usbehci \Device\USBPDO-3  8AAE21F8
Device  \Driver\usbuhci \Device\USBPDO-4  8AAE71F8
Device  \Driver\PCI_PNP8972 \Device\00000048  spnw.sys

AttachedDevice  \Driver\Tcpip \Device\Tcp  epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device  \Driver\usbuhci \Device\USBPDO-5  8AAE71F8
Device  \Driver\usbuhci \Device\USBPDO-6  8AAE71F8
Device  \Driver\Ftdisk \Device\HarddiskVolume1  8AC561F8
Device  \Driver\usbehci \Device\USBPDO-7  8AAE21F8
Device  \Driver\Ftdisk \Device\HarddiskVolume2  8AC561F8
Device  \Driver\Cdrom \Device\CdRom0  8ABB2500
Device  \Driver\atapi \Device\Ide\IdePort0  [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort1  [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort2  [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort3  [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-1f  [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort4  [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort5  [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-12  [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-7  [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\Ftdisk \Device\HarddiskVolume3  8AC561F8
Device  \Driver\Cdrom \Device\CdRom1  8ABB2500
Device  \Driver\NetBT \Device\NetBt_Wins_Export  8A6CF500

AttachedDevice  \Driver\Tcpip \Device\Udp  epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice  \Driver\Tcpip \Device\RawIp  epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

Device  \Driver\usbuhci \Device\USBFDO-0  8AAE71F8
Device  \Driver\usbuhci \Device\USBFDO-1  8AAE71F8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  8A8E91F8
Device  \Driver\usbuhci \Device\USBFDO-2  8AAE71F8
Device  8A8E91F8
Device  \Driver\usbehci \Device\USBFDO-3  8AAE21F8
Device  \Driver\usbuhci \Device\USBFDO-4  8AAE71F8
Device  \Driver\Ftdisk \Device\FtControl  8AC561F8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{6C8F9AA6-FC9F-4FBA-946F-9070D26E63A0}  8A6CF500
Device  \Driver\usbuhci \Device\USBFDO-5  8AAE71F8
Device  \Driver\usbuhci \Device\USBFDO-6  8AAE71F8
Device  \Driver\usbehci \Device\USBFDO-7  8AAE21F8
Device  \Driver\apjvc44y \Device\Scsi\apjvc44y1  8AA521F8
Device  \Driver\apjvc44y \Device\Scsi\apjvc44y1Port6Path0Target0Lun0  8AA521F8
Device  8A6DC500
Device  Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2  285507792
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x01 0x5C 0xD5 0x23 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0xFA 0x60 0xA2 0xF4 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0xE3 0x9E 0x54 0xB8 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x01 0x5C 0xD5 0x23 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0xFA 0x60 0xA2 0xF4 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0xE3 0x9E 0x54 0xB8 ...

---- EOF - GMER 1.0.15 ----
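Reading a GMER log is mostly a question of ownership: the SSDT and IAT sections list hooked kernel entry points, and the triage question for each is which module owns the hook and whether GMER could attribute that module to a vendor. In this scan GMER labels the process/thread-control SSDT hooks as ESET's ehdrv.sys, while the registry-API SSDT hooks (ZwOpenKey, ZwQueryValueKey, ...) and the port-I/O IAT hooks in atapi.sys and i8042prt.sys resolve to spnw.sys, a file GMER could not open on disk ("The system cannot find the file specified") and which the Devices and Registry sections tie to \Driver\sptd and a DAEMON Tools Lite install path. The apjvc44y.SYS import slots are printed as bare values GMER could not map to any module at all. The script below is an added example, not GMER's code and not part of the original post: it parses lines in GMER's SSDT / IAT / "? module ... !" formats, groups hooks by owning module, and flags modules GMER never attributed to a vendor. The SAMPLE lines are a subset copied from the log above; the script uses only the attribution GMER itself printed and does no lookups of its own.

```python
"""Group GMER SSDT/IAT hooks by owning module and flag unattributed owners.

Added example; not GMER code and not from the original post. SAMPLE holds a
few lines copied from the scan above (backslashes doubled for Python), so the
results describe that scan only.
"""
import re
from collections import defaultdict

SAMPLE = """\
SSDT  \\SystemRoot\\system32\\DRIVERS\\ehdrv.sys (ESET Helper driver/ESET)  ZwOpenProcess [0xB5EA04B0]
SSDT  spnw.sys  ZwOpenKey [0xB9EA70C0]
SSDT  spnw.sys  ZwQueryValueKey [0xB9EC5F8A]
SSDT  \\SystemRoot\\system32\\DRIVERS\\ehdrv.sys (ESET Helper driver/ESET)  ZwTerminateProcess [0xB5EA04D0]
?  spnw.sys  The system cannot find the file specified. !
IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [B9EA8042] spnw.sys
IAT  \\SystemRoot\\system32\\DRIVERS\\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [B9EB7E9C] spnw.sys
IAT  \\SystemRoot\\System32\\Drivers\\apjvc44y.SYS[HAL.dll!KfAcquireSpinLock]  18C4830E
"""

# "SSDT  <module> [(<vendor>)]  <ZwFunc> [0x<addr>]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)(?:\s+\((?P<vendor>[^)]*)\))?"
    r"\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]\s*$"
)
# "?  <module>  <message> !"  (GMER could not open the file on disk)
MISSING_RE = re.compile(r"^\?\s+(?P<module>\S+)\s+(?P<msg>.*?)\s*!\s*$")
# "IAT  <importer>[<dll!symbol>]  [<addr>] <module>"  or  "...  <bare value>"
IAT_RE = re.compile(
    r"^IAT\s+(?P<importer>[^\s\[]+)\[(?P<imported>[^\]]+)\]\s+"
    r"(?:\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)|(?P<raw>[0-9A-Fa-f]+))\s*$"
)


def basename(path):
    """'\\SystemRoot\\system32\\DRIVERS\\ehdrv.sys' -> 'ehdrv.sys' (case-folded for grouping)."""
    return path.rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Turn SSDT, IAT and '? module <msg> !' lines into dicts; any other line is ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            entries.append({"kind": "ssdt", "module": basename(m["module"]),
                            "vendor": m["vendor"],  # None when GMER printed no attribution
                            "target": m["func"], "addr": int(m["addr"], 16)})
        elif m := IAT_RE.match(line):
            entries.append({"kind": "iat",
                            "module": basename(m["module"]) if m["module"] else None,
                            "vendor": None,  # GMER prints no vendor on IAT lines
                            "target": f"{basename(m['importer'])}!{m['imported']}",
                            "addr": int(m["addr"] or m["raw"], 16)})
        elif m := MISSING_RE.match(line):
            entries.append({"kind": "missing", "module": basename(m["module"]),
                            "vendor": None, "target": m["msg"], "addr": None})
    return entries


def hooks_by_module(entries):
    """Owning module -> hooked SSDT functions and IAT slots, in log order."""
    out = defaultdict(list)
    for e in entries:
        if e["kind"] in ("ssdt", "iat") and e["module"]:
            out[e["module"]].append(e["target"])
    return dict(out)


def unresolved_iat(entries):
    """IAT slots whose value GMER could not map to any module (printed as a bare number)."""
    return [e["target"] for e in entries if e["kind"] == "iat" and e["module"] is None]


def unattributed_modules(entries):
    """Hooking modules that no GMER line attributed to a vendor, with supporting facts.

    'missing_on_disk' is True when a '? module ... !' line shows GMER could not open
    the file. Self-hiding but legitimate drivers satisfy both conditions just as
    malware does, so this is a triage list, not a verdict.
    """
    vendors = defaultdict(set)
    missing = {e["module"] for e in entries if e["kind"] == "missing"}
    for e in entries:
        if e["kind"] in ("ssdt", "iat") and e["module"]:
            vendors[e["module"]].add(e["vendor"])
    hooks = hooks_by_module(entries)
    return {mod: {"hooks": len(hooks[mod]), "missing_on_disk": mod in missing}
            for mod, seen in vendors.items() if seen == {None}}


if __name__ == "__main__":
    ents = parse_gmer(SAMPLE)
    for mod, targets in hooks_by_module(ents).items():
        print(f"{mod}: {len(targets)} hook(s)")
        for t in targets:
            print(f"    {t}")
    print("unresolved IAT slots:", unresolved_iat(ents))
    print("unattributed hooking modules:", unattributed_modules(ents))
```

On the sample, ehdrv.sys drops out of the flagged list because GMER named its vendor, while spnw.sys is flagged with four hooks and a missing-on-disk file. That profile (kernel hooks owned by an unlabelled file that cannot be opened) is what a rootkit looks like, but it is also what the SPTD driver behind \Driver\sptd looks like, so the next step is to check the service key and install path the Registry section already shows rather than to act on the hook list alone.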