GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-30 20:08:48
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3250410AS rev.3.AAC
Running: zxe1i4nb.exe; Driver: C:\WINDOWS\TEMP\pftdqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xB4D744B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0xB4D747F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xB4D74AB0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xB4D745D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0xB4D748B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xB4D74350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xB4D74410]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xB4D74570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xB4D74630]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xB4D74530]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xB4D744F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xB4D74670]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0xB4D74870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xB4D743B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xB4D74430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0xB4D74830]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xB4D74370]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xB4D74470]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xB4D745F0]

INT 0x73 ? 8A5C1ED8
INT 0x83 ? 8A754CB8
INT 0x83 ? 8A754CB8
INT 0x83 ? 8A754CB8
INT 0xB1 ? 8A462CB8
INT 0xB1 ? 8A462CB8
INT 0xB4 ? 8A5C1ED8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FD0 80504888 12 Bytes [B0, 43, D7, B4, 30, 44, D7, ...]
.sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xB9FA1089]
.text USBPORT.SYS!DllUnload B91158AC 5 Bytes JMP 8A5C13E8
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB88DB380, 0x346307, 0xE8000020]
.text aljfkl53.SYS!A0DB34FC6FE35D429A28ADDE5467D4D7 B8844EA0 48 Bytes [71, 8E, 7D, 0D, B4, 6B, 31, ...]
? C:\WINDOWS\System32\Drivers\aljfkl53.SYS suspicious PE modification
.text a5b94giu.SYS!A0DB34FC6FE35D429A28ADDE5467D4D7 B8810900 48 Bytes [32, 89, CE, 50, 4C, 7D, 6B, ...]
? C:\WINDOWS\System32\Drivers\a5b94giu.SYS suspicious PE modification
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB403B300, 0x3B6D8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA470300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Mozilla\firefox.exe[968] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01210C00 C:\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Mozilla\firefox.exe[968] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01447B4C C:\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Mozilla\firefox.exe[968] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01447B29 C:\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Mozilla\firefox.exe[968] kernel32.dll!ValidateLocale + B130 7C844958 7 Bytes JMP 01213FAC C:\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Mozilla\firefox.exe[968] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 0136B77F C:\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Mozilla\firefox.exe[968] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01447AAA C:\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Mozilla\plugin-container.exe[1012] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 10414536 C:\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Mozilla\plugin-container.exe[1012] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 10414B35 C:\Mozilla\xul.dll (Mozilla Foundation)
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1344] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B9E8F232] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B9E8E730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B9E8EF12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9E8E730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9E8E914] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9E8E856] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9E8F0F0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9E8EF12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EA2EA6] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A7531E8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\usbohci \Device\USBPDO-0 8A4F01E8
Device \Driver\usbehci \Device\USBPDO-1 8A5B31E8
Device \Driver\usbohci \Device\USBPDO-2 8A4F01E8
Device \Driver\usbehci \Device\USBPDO-3 8A5B31E8
Device \Driver\PCI_PNP3548 \Device\00000048 sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
Device \Driver\PCI_PNP3548 \Device\00000048 sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
Device \Driver\PCI_PNP3548 \Device\00000049 sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
Device \Driver\PCI_PNP3548 \Device\00000049 sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
Device \Driver\Cdrom \Device\CdRom0 8A1F11E8
Device \Driver\atapi \Device\Ide\IdePort0 [B9DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5 [B9DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8A1F11E8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89FE9430
Device \Driver\NetBT \Device\NetbiosSmb 89FE9430
Device \Driver\usbohci \Device\USBFDO-0 8A4F01E8
Device \Driver\usbehci \Device\USBFDO-1 8A5B31E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A003430
Device \Driver\usbohci \Device\USBFDO-2 8A4F01E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A003430
Device \Driver\NetBT \Device\NetBT_Tcpip_{910AAA8A-0F74-4566-96C4-7B342511BA32} 89FE9430
Device \Driver\usbehci \Device\USBFDO-3 8A5B31E8
Device \Driver\aljfkl53 \Device\Scsi\aljfkl531Port5Path0Target0Lun0 8A4611E8
Device \Driver\aljfkl53 \Device\Scsi\aljfkl531 8A4611E8
Device \Driver\a5b94giu \Device\Scsi\a5b94giu1 8A460430
Device \Driver\a5b94giu \Device\Scsi\a5b94giu1Port4Path0Target0Lun0 8A460430
Device \FileSystem\Cdfs \Cdfs 89FF8430

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8A 0x99 0xC2 0xF2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x14 0x08 0xE7 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7E 0xC7 0xF2 0xCF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3D 0xD5 0x2D 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA3 0x94 0x6C 0x64 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2D 0x77 0x92 0x22 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x4B 0x9D 0xE0 0x27 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x14 0x08 0xE7 0x55 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x23 0x93 0x90 0x4E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8A 0x99 0xC2 0xF2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x14 0x08 0xE7 0x55 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x7E 0xC7 0xF2 0xCF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3D 0xD5 0x2D 0xDF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA3 0x94 0x6C 0x64 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x2D 0x77 0x92 0x22 ...
Reg HKLM\SOFTWARE\Classes\TypeLib\{3050F1C5-98B5-11CF-BB82-00AA00BDCE0B}\4.0\0\win32@ C:\WINDOWS\system32\mshtml.tlb
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@ParseAutoexec 1
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon@BuildNumber 2600

---- EOF - GMER 1.0.15 ----