GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-09-19 13:06:40 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-e WDC_WD3200AAKS-00M9A0 rev.05.01D05 Running: hiujyxsw.exe; Driver: C:\DOCUME~1\ba\USTAWI~1\Temp\kwnyyaow.sys ---- System - GMER 1.0.15 ---- SSDT sptd.sys ZwCreateKey [0xBA6CFA50] SSDT sptd.sys ZwEnumerateKey [0xBA703FFE] SSDT sptd.sys ZwEnumerateValueKey [0xBA70438C] SSDT sptd.sys ZwOpenKey [0xBA6CFA30] SSDT sptd.sys ZwQueryKey [0xBA704464] SSDT sptd.sys ZwQueryValueKey [0xBA7042E4] SSDT sptd.sys ZwSetValueKey [0xBA7044F6] INT 0x62 ? 89DC0CC8 INT 0x73 ? 89DC0CC8 INT 0x73 ? 89DC0CC8 INT 0x73 ? 89DBFCC8 INT 0x73 ? 89DC0CC8 INT 0xB4 ? 89DBFCC8 ---- Kernel code sections - GMER 1.0.15 ---- PAGE sptd.sys BA6F3000 1 Byte [74] PAGE sptd.sys BA6F3004 5 Bytes [40, 33, 6F, BA, A3] PAGE sptd.sys BA6F300C 5 Bytes [50, 34, 6F, BA, 98] PAGE sptd.sys BA6F3014 5 Bytes [B8, 33, 6F, BA, 59] {MOV EAX, 0x59ba6f33} PAGE sptd.sys BA6F301C 5 Bytes [78, 32, 6F, BA, 61] PAGE ... .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xBA78CD38] ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text USBPORT.SYS!DllUnload B9B428AC 5 Bytes JMP 89DBF1D8 .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB937C360, 0x307F47, 0xE8000020] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [BA696574] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [BA6960C0] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [BA696FE0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6960C0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA696362] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6962A4] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6971BC] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA696FE0] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6AB312] sptd.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 89DBC1F8 Device \Driver\usbohci \Device\USBPDO-0 89B4A1F8 Device \Driver\usbehci \Device\USBPDO-1 89BF0408 Device \Driver\Cdrom \Device\CdRom0 89BE41F8 Device \Driver\atapi \Device\Ide\IdePort0 [BA5E8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [BA5E8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-e [BA5E8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [BA5E8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [BA5E8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 [BA5E8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 89B61430 Device \Driver\NetBT \Device\NetBT_Tcpip_{DCC24E6E-3F53-4508-B097-82CD03C50205} 89B61430 Device \Driver\NetBT \Device\NetbiosSmb 89B61430 Device \Driver\usbohci \Device\USBFDO-0 89B4A1F8 Device \Driver\usbehci \Device\USBFDO-1 89BF0408 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89B64430 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89B64430 Device \FileSystem\Cdfs \Cdfs 89A75430 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE6 0xD2 0xEA 0xE5 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x05 0x1D 0xAF 0xAF ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... ---- EOF - GMER 1.0.15 ----