GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-01 23:11:37
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10 ST3160815AS rev.3.AAD
Running: movv0mhp.exe; Driver: C:\DOCUME~1\dom\USTAWI~1\Temp\pfriiaoc.sys

---- System - GMER 1.0.15 ----

SSDT a347bus.sys ZwClose [0xB7EA2028]
SSDT a347bus.sys ZwCreateKey [0xB7EA1FE0]
SSDT a347bus.sys ZwCreatePagingFile [0xB7E95B00]
SSDT a347bus.sys ZwEnumerateKey [0xB7E965DC]
SSDT a347bus.sys ZwEnumerateValueKey [0xB7EA2120]
SSDT a347bus.sys ZwOpenFile [0xB7E95B40]
SSDT a347bus.sys ZwOpenKey [0xB7EA1FA4]
SSDT a347bus.sys ZwQueryKey [0xB7E965FC]
SSDT a347bus.sys ZwQueryValueKey [0xB7EA2076]
SSDT a347bus.sys ZwSetSystemPowerState [0xB7EA1550]
SSDT sptd.sys ZwSetValueKey [0xB7EDA0EC]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
? C:\WINDOWS\System32\Drivers\SPTD8413.SYS Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
? a347bus.sys Nie można odnaleźć określonego pliku. !
? a347scsi.sys Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6F5D3C0, 0x95B7EA, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[660] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 011AFA35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[660] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 014507C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[660] kernel32.dll!MapViewOfFile 7C80B995 5 Bytes JMP 0145079E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[660] GDI32.dll!CreateDIBSection 77F19E09 5 Bytes JMP 01450728 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89E440E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89E1BC78
Device \Driver\dmio \Device\DmControl\DmConfig 89E1BC78
Device \Driver\dmio \Device\DmControl\DmPnP 89E1BC78
Device \Driver\dmio \Device\DmControl\DmInfo 89E1BC78
Device \Driver\Ftdisk \Device\HarddiskVolume1 89E1BEB0
Device \FileSystem\Rdbss \Device\FsWrap 89630758
Device \Driver\Cdrom \Device\CdRom0 89D061E0
Device \Driver\Ftdisk \Device\HarddiskVolume2 89E1BEB0
Device \Driver\atapi \Device\Ide\IdePort0 89C4A398
Device \Driver\atapi \Device\Ide\IdePort1 89C4A398
Device \Driver\atapi \Device\Ide\IdePort2 89C4A398
Device \Driver\atapi \Device\Ide\IdePort3 89C4A398
Device \Driver\atapi \Device\Ide\IdePort4 89C4A398
Device \Driver\atapi \Device\Ide\IdePort5 89C4A398
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-10 89C4A398
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 89C4A398
Device \Driver\Ftdisk \Device\HarddiskVolume3 89E1BEB0
Device \Driver\NetBT \Device\NetBt_Wins_Export 894454D0
Device \Driver\usbstor \Device\00000084 89B56EB0
Device \FileSystem\Srv \Device\LanmanServer 892BA5B0
Device \Driver\Disk \Device\Harddisk0\DR0 89E1B550
Device \Driver\Disk \Device\Harddisk1\DR4 89E1B550
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+5 89E1B550
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89641AA8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8943B3A8
Device \Driver\NetBT \Device\NetBT_Tcpip_{88ECDFFD-2469-498A-A70B-8E7BC6C7695C} 894454D0
Device \FileSystem\MRxSmb \Device\LanmanRedirector 89641AA8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8943B3A8
Device \FileSystem\Npfs \Device\NamedPipe 8963D4F0
Device \Driver\Ftdisk \Device\FtControl 89E1BEB0
Device \Driver\usbstor \Device\0000007d 89B56EB0
Device \FileSystem\Msfs \Device\Mailslot 8963D0E8
Device \FileSystem\Msfs \Device\Mailslot 89B94400
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 89BCD230
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 89BCD230
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 89BCD230
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 89BCD230
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 89BCD230
Device \FileSystem\Cdfs \Cdfs 89441850

---- Modules - GMER 1.0.15 ----

Module _________ B7DF7000-B7E0F000 (98304 bytes)

---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\n (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1100] 0x45670000
Library c:\windows\system32\n (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1688] 0x45670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 -609475382
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1750605306
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1927879191
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x13 0xAC 0xD7 0xA8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x13 0xAC 0xD7 0xA8 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 PE file @ sector 312560640

---- EOF - GMER 1.0.15 ----