GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-09-02 13:56:12 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST3160023A rev.8.01 Running: o1vbxn9i.exe; Driver: C:\DOCUME~1\Mama\USTAWI~1\Temp\fwldypoc.sys ---- System - GMER 1.0.15 ---- SSDT spvg.sys ZwCreateKey [0xF758E0E0] SSDT spvg.sys ZwEnumerateKey [0xF75ACCA4] SSDT spvg.sys ZwEnumerateValueKey [0xF75AD032] SSDT spvg.sys ZwOpenKey [0xF758E0C0] SSDT spvg.sys ZwQueryKey [0xF75AD10A] SSDT spvg.sys ZwQueryValueKey [0xF75ACF8A] SSDT spvg.sys ZwSetValueKey [0xF75AD19C] INT 0x3A ? 83974BF8 INT 0x3A ? 83974BF8 INT 0x3A ? 83974BF8 INT 0x3A ? 83974BF8 INT 0x3A ? 83974BF8 INT 0x3A ? 83974BF8 INT 0x3E ? 83BDDBF8 INT 0x3F ? 83BDDBF8 ---- Kernel code sections - GMER 1.0.15 ---- ? spvg.sys Nie można odnaleźć określonego pliku. ! ? Combo-Fix.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6FAB000, 0x1C5D58, 0xE8000020] .text USBPORT.SYS!DllUnload F6F8A8AC 5 Bytes JMP 839741D8 ? C:\ComboFix\catchme.sys System nie może odnaleźć określonej ścieżki. ! ? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. ! 
---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 83B722D8 IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F75BFC4C] spvg.sys IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F75BFCA0] spvg.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F758F042] spvg.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F758F13E] spvg.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F758F0C0] spvg.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F758F800] spvg.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F758F6D6] spvg.sys IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 839742D8 IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F759EE9C] spvg.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 83BDC1F8 Device \Driver\usbuhci \Device\USBPDO-0 839731F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 83B701F8 Device \Driver\dmio \Device\DmControl\DmConfig 83B701F8 Device \Driver\dmio \Device\DmControl\DmPnP 83B701F8 Device \Driver\dmio \Device\DmControl\DmInfo 83B701F8 Device \Driver\usbuhci \Device\USBPDO-1 839731F8 Device \Driver\usbehci \Device\USBPDO-2 8395B1F8 Device \Driver\usbuhci \Device\USBPDO-3 839731F8 Device \Driver\usbuhci \Device\USBPDO-4 839731F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{50875BFE-063E-4D85-8B0F-A57CB91BBEB0} 835021F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 83BDE1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 83BDE1F8 Device \Driver\Cdrom \Device\CdRom0 8394D1F8 Device \Driver\atapi \Device\Ide\IdePort0 [F74E1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F74E1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F74E1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} 
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F74E1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 [F74E1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume3 83BDE1F8 Device \Driver\Ftdisk \Device\HarddiskVolume4 83BDE1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 835021F8 Device \Driver\NetBT \Device\NetbiosSmb 835021F8 Device \Driver\usbuhci \Device\USBFDO-0 839731F8 Device \Driver\usbuhci \Device\USBFDO-1 839731F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 834E31F8 Device \Driver\usbehci \Device\USBFDO-2 8395B1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 834E31F8 Device \Driver\usbuhci \Device\USBFDO-3 839731F8 Device \Driver\usbuhci \Device\USBFDO-4 839731F8 Device \Driver\Ftdisk \Device\FtControl 83BDE1F8 Device \Driver\00001024 \GLOBAL??\6c5259e2 8389A880 Device \FileSystem\Cdfs \Cdfs 83A07500 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBC 0x9E 0xF9 0x8E ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0xE2 0x63 0x26 0xF1 ... Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x6A 0x9C 0xD6 0x61 ... Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x25 0xDA 0xEC 0x7E ... Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ... Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ... Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ... Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0x01 0x3A 0x48 0xFC ... 
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ... Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ... Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0x2A 0xB7 0xCC 0xB5 ... Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ... 
---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\Mama\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\lpf1lhup.default\Cache.Trash11872\9\80\FFA98d01 242040 bytes File C:\Documents and Settings\Mama\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\lpf1lhup.default\Cache.Trash11872\E\11\01E7Fd01 33285 bytes File C:\Program Files\Mozilla Firefox\AccessibleMarshal.dll 18912 bytes executable File C:\Program Files\Mozilla Firefox\application.ini 455 bytes File C:\Program Files\Mozilla Firefox\blocklist.xml 23999 bytes File C:\Program Files\Mozilla Firefox\breakpadinjector.dll 73696 bytes executable File C:\Program Files\Mozilla Firefox\chrome 0 bytes File C:\Program Files\Mozilla Firefox\chrome\icons 0 bytes File C:\Program Files\Mozilla Firefox\chrome\icons\default 0 bytes File C:\Program Files\Mozilla Firefox\chrome\icons\default\dlg_skype_about.ico 7782 bytes File C:\Program Files\Mozilla Firefox\chrome.manifest 36 bytes File C:\Program Files\Mozilla Firefox\components 0 bytes File C:\Program Files\Mozilla Firefox\components\nsIQTScriptablePlugin.xpt 2394 bytes File C:\Program Files\Mozilla Firefox\uninstall 0 bytes File C:\Program Files\Mozilla Firefox\uninstall\shortcuts_log.ini 322 bytes File C:\Program Files\Mozilla Firefox\uninstall\uninstall.log 264 bytes File C:\Program Files\Mozilla Firefox\install.log 3974 bytes File C:\Program Files\Mozilla Firefox\Nowy folder 0 bytes File C:\Program Files\Mozilla Firefox\plugins 0 bytes File C:\Program Files\Mozilla Firefox\plugins\NPOFFICE.DLL 17248 bytes executable File C:\Program Files\Mozilla Firefox\plugins\nppdf32.dll 103864 bytes executable File C:\Program Files\Mozilla Firefox\plugins\npqtplugin.dll 159744 bytes executable File C:\Program Files\Mozilla Firefox\plugins\npqtplugin2.dll 159744 bytes executable File C:\Program Files\Mozilla Firefox\plugins\npqtplugin3.dll 159744 bytes executable File C:\Program Files\Mozilla Firefox\plugins\npqtplugin4.dll 159744 bytes executable File 
C:\Program Files\Mozilla Firefox\plugins\npqtplugin5.dll 159744 bytes executable File C:\Program Files\Mozilla Firefox\plugins\npqtplugin6.dll 159744 bytes executable File C:\Program Files\Mozilla Firefox\plugins\npqtplugin7.dll 159744 bytes executable File C:\Program Files\Mozilla Firefox\plugins\npwachk.dll 12800 bytes executable File C:\Program Files\Mozilla Firefox\plugins\QuickTimePlugin.class 4208 bytes File C:\Program Files\Mozilla Firefox\searchplugins 0 bytes File C:\Program Files\Mozilla Firefox\searchplugins\avg-secure-search.xml 3750 bytes File C:\Program Files\Mozilla Firefox\searchplugins\Search_Results.xml 2515 bytes File C:\Program Files\Mozilla Firefox\searchplugins\yahoo.xml 888 bytes File C:\Program Files\Mozilla Firefox\firefox.exe 913888 bytes executable File C:\Program Files\Mozilla Firefox\freerl3.chk 478 bytes File C:\Program Files\Mozilla Firefox\freebl3.dll 258528 bytes executable File C:\Program Files\Mozilla Firefox\gkmedias.dll 624608 bytes executable File C:\Program Files\Mozilla Firefox\hs_ebr_pid2376.lg 11987 bytes File C:\Program Files\Mozilla Firefox\hs_ebr_pid31!6.log 11867 bytes File C:\Program Files\Mozilla Firefox\hs_ebr_pid36&8.log 11949 bytes File C:\Program Files\Mozilla Firefox\hs_err_pid3764.log 10830 bytes ---- EOF - GMER 1.0.15 ----