GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-08-06 10:38:35 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHW2120BH rev.00000012 Running: rn2oo9c5.exe; Driver: C:\DOCUME~1\TEMP\USTAWI~1\Temp\pwgdykow.sys ---- System - GMER 1.0.15 ---- SSDT sptd.sys ZwCreateKey [0xF7400AC8] SSDT sptd.sys ZwEnumerateKey [0xF7400C22] SSDT sptd.sys ZwEnumerateValueKey [0xF7400F9A] SSDT sptd.sys ZwOpenKey [0xF740098E] SSDT sptd.sys ZwQueryKey [0xF7401064] SSDT sptd.sys ZwQueryValueKey [0xF7400EFC] SSDT sptd.sys ZwSetValueKey [0xF74010EC] ---- Kernel code sections - GMER 1.0.15 ---- ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. ? C:\WINDOWS\System32\Drivers\SPTD9261.SYS Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 F50BE4F0 16 Bytes [B8, 7B, F0, 82, 69, 91, 74, ...] .text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 F50BE501 31 Bytes [D0, 0B, F5, 34, C6, 11, 5B, ...] ? C:\WINDOWS\System32\Drivers\dtscsi.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F740989E] sptd.sys IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F741FD86] sptd.sys IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F7409E24] sptd.sys IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F7409D28] sptd.sys IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F7409EF4] sptd.sys IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F7409EF4] sptd.sys IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F7409E24] sptd.sys IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F7409D28] sptd.sys IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F741F1AE] sptd.sys IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F7409A5A] sptd.sys IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F741F04A] sptd.sys IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F74098F2] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73FCAD2] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73FCC0E] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73FCB96] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73FD76C] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73FD642] sptd.sys IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F741FE4A] sptd.sys IAT \WINDOWS\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F740E8C6] sptd.sys IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F741F04A] sptd.sys IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F741FE4A] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F741F056] sptd.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 853A0EB0 Device \FileSystem\Fastfat \FatCdrom 84EBAEB0 Device \Driver\usbstor \Device\0000008e 850BE4E0 Device \Driver\usbstor \Device\0000008f 850BE4E0 AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) Device \Driver\00000450 \Device\00000051 sptd.sys Device \Driver\dmio \Device\DmControl\DmIoDaemon 853A1708 Device \Driver\dmio \Device\DmControl\DmConfig 853A1708 Device \Driver\dmio \Device\DmControl\DmPnP 853A1708 Device \Driver\dmio \Device\DmControl\DmInfo 853A1708 Device \Driver\Ftdisk \Device\HarddiskVolume1 853A19C0 Device \Driver\Ftdisk \Device\HarddiskVolume2 853A19C0 Device \Driver\Cdrom \Device\CdRom0 852AF780 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F734FB40] atapi.sys[unknown section] {MOV EAX, 0x853a1370; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7410e12; RET } Device \Driver\atapi \Device\Ide\IdePort0 [F734FB40] atapi.sys[unknown section] {MOV EAX, 0x853a1370; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7410e12; RET } Device \Driver\atapi \Device\Ide\IdePort1 [F734FB40] atapi.sys[unknown section] {MOV EAX, 0x853a1370; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7410e12; RET } Device \Driver\atapi \Device\Ide\IdePort2 [F734FB40] atapi.sys[unknown section] {MOV EAX, 0x853a1370; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7410e12; RET } Device \Driver\atapi \Device\Ide\IdePort3 [F734FB40] atapi.sys[unknown section] {MOV EAX, 0x853a1370; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7410e12; RET } Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 [F734FB40] atapi.sys[unknown section] {MOV EAX, 0x853a1370; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7410e12; RET } Device \Driver\Cdrom \Device\CdRom1 852AF780 Device \Driver\Disk \Device\Harddisk0\DR0 853A00E8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 1817177610 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -530487965 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 208027848 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programy\DAEMON Tools\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDE 0x95 0x96 0xA9 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x06 0x9B 0x5C 0xEE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA0 0xF0 0x89 0xF4 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programy\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xDE 0x95 0x96 0xA9 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x06 0x9B 0x5C 0xEE ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xA0 0xF0 0x89 0xF4 ... ---- EOF - GMER 1.0.15 ----