GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-09-07 14:31:09 Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-6 WDC_WD800BB-00JHC0 rev.05.01C05 Running: cz4jz826.exe; Driver: c:\Temp\kfndypoc.sys ---- System - GMER 1.0.15 ---- SSDT sptd.sys ZwCreateKey [0xFAA520D0] SSDT sptd.sys ZwEnumerateKey [0xFAA57FB2] SSDT sptd.sys ZwEnumerateValueKey [0xFAA58340] SSDT sptd.sys ZwOpenKey [0xFAA520B0] SSDT sptd.sys ZwQueryKey [0xFAA58418] SSDT sptd.sys ZwQueryValueKey [0xFAA58298] SSDT sptd.sys ZwSetValueKey [0xFAA584AA] ---- Kernel code sections - GMER 1.0.15 ---- ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xFA4D2360, 0x1E9DED, 0xE8000020] .text USBPORT.SYS!DllUnload FA49062C 5 Bytes JMP 811DA1C8 ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [FAA6906C] sptd.sys IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [FAA69018] sptd.sys IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [FAA8B9AE] sptd.sys IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [FAA6906C] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [FAA52AD4] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [FAA52C1A] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [FAA52B9C] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [FAA53748] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [FAA5361E] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [FAA6829A] sptd.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8128D1E8 Device \FileSystem\Fastfat \FatCdrom FF8A01E8 Device \Driver\usbuhci \Device\USBPDO-0 811D91E8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 812FD1E8 Device \Driver\dmio \Device\DmControl\DmConfig 812FD1E8 Device \Driver\dmio \Device\DmControl\DmPnP 812FD1E8 Device \Driver\dmio \Device\DmControl\DmInfo 812FD1E8 Device \Driver\USBSTOR \Device\00000057 FFB641E8 Device \Driver\Ftdisk \Device\HarddiskVolume1 8128F1E8 Device \Driver\USBSTOR \Device\00000058 FFB641E8 Device \Driver\Cdrom \Device\CdRom0 811E51E8 Device \Driver\atapi \Device\Ide\IdePort0 8128E1E8 Device \Driver\atapi \Device\Ide\IdePort1 8128E1E8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e 8128E1E8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-6 8128E1E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{D5A62193-7226-499F-9F37-E46359A1F6AF} FFBB91E8 Device \Driver\NetBT \Device\NetBt_Wins_Export FFBB91E8 Device \Driver\NetBT \Device\NetbiosSmb FFBB91E8 Device \Driver\usbuhci \Device\USBFDO-0 811D91E8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver FFBB11E8 Device \FileSystem\MRxSmb \Device\LanmanRedirector FFBB11E8 Device \Driver\Ftdisk \Device\FtControl 8128F1E8 Device \FileSystem\Fastfat \Fat FF8A01E8 Device \FileSystem\Cdfs \Cdfs FFB661E8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7D 0xD0 0x98 0x0F ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x7D 0xD0 0x98 0x0F ... ---- EOF - GMER 1.0.15 ----