GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-12 23:56:17
Windows 5.1.2600 Dodatek Service Pack 3
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD400BB-60DGA0 rev.05.03E05
Running: toy9ct7d.exe; Driver: C:\DOCUME~1\Prezes\USTAWI~1\Temp\uwriapow.sys


---- System - GMER 1.0.15 ----

INT 0x62 ? 823DDBF8
INT 0x63 ? 8232EF00
INT 0x73 ? 8232EF00
INT 0x82 ? 823DDBF8
INT 0xB4 ? 8232EF00

---- Kernel code sections - GMER 1.0.15 ----

? spni.sys Nie można odnaleźć określonego pliku. !
.text USBPORT.SYS!DllUnload F7FC88AC 5 Bytes JMP 8232E4E0
.text asl6ar0e.SYS F7E52386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text asl6ar0e.SYS F7E523AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text asl6ar0e.SYS F7E523C4 3 Bytes [00, 80, 02]
.text asl6ar0e.SYS F7E523C9 1 Byte [30]
.text asl6ar0e.SYS F7E523C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? C:\WINDOWS\System32\Drivers\asl6ar0e.SYS Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xF4706400, 0x7960C, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF47A8420]
C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF47A8420]
.protect˙˙˙˙hardlockunknown last code section [0xF47A8200, 0x5049, 0xE0000020]
C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xF47A8200, 0x5049, 0xE0000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 823725E0
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F844EDDC] spni.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F844EE30] spni.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8232E5E0
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8433B90] spni.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[700] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[700] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8236E1F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Fastfat \FatCdrom 81E78500
Device \FileSystem\Fastfat \FatCdrom 81CF15C8
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbuhci \Device\USBPDO-0 822CC500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 823701F8
Device \Driver\dmio \Device\DmControl\DmConfig 823701F8
Device \Driver\dmio \Device\DmControl\DmPnP 823701F8
Device \Driver\dmio \Device\DmControl\DmInfo 823701F8
Device \Driver\usbuhci \Device\USBPDO-1 822CC500
Device \Driver\usbuhci \Device\USBPDO-2 822CC500
Device \Driver\usbehci \Device\USBPDO-3 822131F8
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 823DE1F8
Device \Driver\Cdrom \Device\CdRom0 82125910
Device \Driver\Ftdisk \Device\HarddiskVolume2 823DE1F8
Device \FileSystem\Rdbss \Device\FsWrap 81ECC240
Device \Driver\atapi \Device\Ide\IdePort0 82147248
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 82147248
Device \Driver\atapi \Device\Ide\IdePort1 82147248
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 82147248
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 82147248
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 82147248
Device \Driver\Cdrom \Device\CdRom1 82125910
Device \Driver\Ftdisk \Device\HarddiskVolume3 823DE1F8
Device \Driver\Cdrom \Device\CdRom2 82125910
Device \Driver\Ftdisk \Device\HarddiskVolume4 823DE1F8
Device \Driver\Ftdisk \Device\HarddiskVolume5 823DE1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{615A46AD-608B-413E-97C5-F234071B4019} 81EA01F8
Device \Driver\Ftdisk \Device\HarddiskVolume6 823DE1F8
Device \Driver\Ftdisk \Device\HarddiskVolume7 823DE1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 81EA01F8
Device \Driver\NetBT \Device\NetbiosSmb 81EA01F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{EFE11BA4-B66A-4E81-8D45-E9D022F2F670} 81EA01F8
Device \FileSystem\Srv \Device\LanmanServer 81BB5C18
Device \Driver\PCI_PNP7900 \Device\0000005c spni.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbuhci \Device\USBFDO-0 822CC500
Device \Driver\usbuhci \Device\USBFDO-1 822CC500
Device \Driver\sptd \Device\1822852900 spni.sys
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81E511F8
Device \Driver\usbuhci \Device\USBFDO-2 822CC500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 81E511F8
Device \Driver\usbehci \Device\USBFDO-3 822131F8
Device \FileSystem\Npfs \Device\NamedPipe 81FFBE50
Device \Driver\Ftdisk \Device\FtControl 823DE1F8
Device \FileSystem\Msfs \Device\Mailslot 81ED0150
Device \Driver\asl6ar0e \Device\Scsi\asl6ar0e1 82031720
Device \Driver\a347scsi \Device\Scsi\a347scsi1 81919760
Device \Driver\asl6ar0e \Device\Scsi\asl6ar0e1Port2Path0Target0Lun0 82031720
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 81919760
Device \FileSystem\Fastfat \Fat 81E78500
Device \FileSystem\Fastfat \Fat 81CF15C8
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 821CF6A8
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 821CF6A8
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 821CF6A8
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 821CF6A8
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 821CF6A8
Device \FileSystem\Cdfs \Cdfs 81E7E500

---- Modules - GMER 1.0.15 ----

Module _________ F8345000-F835D000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE9 0x44 0x89 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xED 0x55 0x78 0x77 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFD 0x21 0xA3 0xAA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE9 0x44 0x89 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xED 0x55 0x78 0x77 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFD 0x21 0xA3 0xAA ...

---- EOF - GMER 1.0.15 ----