GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-13 16:58:41
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST912082 rev.3.AL
Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pgldqpoc.sys

---- System - GMER 1.0.15 ----

SSDT spjv.sys ZwCreateKey [0xF73BD0E0]
SSDT spjv.sys ZwEnumerateKey [0xF73DBCA2]
SSDT spjv.sys ZwEnumerateValueKey [0xF73DC030]
SSDT spjv.sys ZwOpenKey [0xF73BD0C0]
SSDT spjv.sys ZwQueryKey [0xF73DC108]
SSDT spjv.sys ZwQueryValueKey [0xF73DBF88]
SSDT spjv.sys ZwSetValueKey [0xF73DC19A]

INT 0x62 ? 8656BBF8
INT 0x63 ? 85907BF8
INT 0x73 ? 85907BF8
INT 0x74 ? 85907BF8
INT 0x82 ? 8656BBF8
INT 0x84 ? 85907BF8
INT 0xA4 ? 85907BF8
INT 0xB4 ? 865D7BF8

---- Kernel code sections - GMER 1.0.15 ----

? spjv.sys Nie można odnaleźć określonego pliku. !
.text USBPORT.SYS!DllUnload F5D8080C 5 Bytes JMP 859071D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73BE040] spjv.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F73BE13C] spjv.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73BE0BE] spjv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73BE7FC] spjv.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73BE6D2] spjv.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73CE048] spjv.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 865691F8
Device \Driver\usbuhci \Device\USBPDO-0 859061F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 865D81F8
Device \Driver\dmio \Device\DmControl\DmConfig 865D81F8
Device \Driver\dmio \Device\DmControl\DmPnP 865D81F8
Device \Driver\dmio \Device\DmControl\DmInfo 865D81F8
Device \Driver\usbuhci \Device\USBPDO-1 859061F8
Device \Driver\usbehci \Device\USBPDO-2 858EF1F8
Device \Driver\usbehci \Device\USBPDO-3 858EF1F8
Device \Driver\usbuhci \Device\USBPDO-4 859061F8
Device \Driver\usbuhci \Device\USBPDO-5 859061F8
Device \Driver\usbuhci \Device\USBPDO-6 859061F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8656C1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D8B3C52E-1CEA-4962-A4EF-A758167F680A} 85770500
Device \Driver\Ftdisk \Device\HarddiskVolume2 8656C1F8
Device \Driver\Cdrom \Device\CdRom0 858B41F8
Device \Driver\iaStor \Device\Ide\iaStor0 [F72666D0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8656B1F8
Device \Driver\atapi \Device\Ide\IdePort0 8656B1F8
Device \Driver\atapi \Device\Ide\IdePort1 8656B1F8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [F72666D0] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 85770500
Device \Driver\NetBT \Device\NetbiosSmb 85770500
Device \Driver\NetBT \Device\NetBT_Tcpip_{055DD6FC-AB0C-4EA4-9EDD-D6D9FD45FFE8} 85770500
Device \Driver\usbuhci \Device\USBFDO-0 859061F8
Device \Driver\usbuhci \Device\USBFDO-1 859061F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 857E8500
Device \Driver\usbehci \Device\USBFDO-2 858EF1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 857E8500
Device \Driver\usbuhci \Device\USBFDO-3 859061F8
Device \Driver\usbuhci \Device\USBFDO-4 859061F8
Device \Driver\Ftdisk \Device\FtControl 8656C1F8
Device \Driver\usbuhci \Device\USBFDO-5 859061F8
Device \Driver\usbehci \Device\USBFDO-6 858EF1F8
Device \FileSystem\Fastfat \Fat 84B351F8
Device \FileSystem\Fastfat \Fat A95241F9
Device \FileSystem\Cdfs \Cdfs 857CE500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFA 0x2E 0x1D 0x0D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFA 0x2E 0x1D 0x0D ...

---- EOF - GMER 1.0.15 ----