GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-12-30 04:15:59
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-00HEA0 rev.13.03G13
Running: 3n6siy6w.exe; Driver: C:\DOCUME~1\szeffel\USTAWI~1\Temp\kftdauog.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\avgtpx86.sys (AVG Technologies) ZwQueryValueKey [0xF78361EA]

INT 0x62 ? 823A2CC8
INT 0x74 ? 821DCCC8
INT 0x82 ? 823A2CC8
INT 0x83 ? 823D5CC8
INT 0x84 ? 821DCCC8
INT 0x94 ? 821DCCC8
INT 0xB4 ? 821DCCC8

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwYieldExecution + 33A 804E4B94 4 Bytes JMP F0F78361
.sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF84FB346]
? Combo-Fix.sys Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF7405360, 0x24BB1D, 0xE8000020]
.text USBPORT.SYS!DllUnload F73018AC 5 Bytes JMP 821DC1D8
? C:\ComboFix\catchme.sys System nie może odnaleźć określonej ścieżki. !
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3644] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0149A650 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3644] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 016D7E1A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3644] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 016D7DF7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3644] kernel32.dll!ValidateLocale + B1C8 7C8449C8 7 Bytes JMP 0149EDB3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3644] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 016D7D78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F8401232] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\System32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F8400730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\System32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F8400F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F8400730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F8400914] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F8400856] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F84010F0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F8400F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\system32\DRIVERS\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 823D5308
IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8414F1E] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 821DC308

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 823D01F8
Device \FileSystem\Fastfat \FatCdrom 821D91F8
Device \FileSystem\Udfs \UdfsCdRom 821C71F8
Device \FileSystem\Udfs \UdfsDisk 821C71F8
Device \Driver\usbehci \Device\USBPDO-0 821941F8
Device \Driver\usbohci \Device\USBPDO-1 821B61F8
Device \Driver\usbohci \Device\USBPDO-2 821B61F8
Device \Driver\usbohci \Device\USBPDO-3 821B61F8
Device \Driver\USBSTOR \Device\00000071 81DDD1F8
Device \Driver\USBSTOR \Device\00000072 81DDD1F8
Device \Driver\Cdrom \Device\CdRom0 821DD1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F836AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F836AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F836AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F836AB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBT_Tcpip_{C4BE64FF-2CF4-4F52-9054-226BD46C900A} 8207E1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8207E1F8
Device \Driver\NetBT \Device\NetbiosSmb 8207E1F8
Device \Driver\usbohci \Device\USBFDO-0 821B61F8
Device \Driver\usbohci \Device\USBFDO-1 821B61F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81D981F8
Device \Driver\USBSTOR \Device\0000006e 81DDD1F8
Device \Driver\usbohci \Device\USBFDO-2 821B61F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 81D981F8
Device \Driver\USBSTOR \Device\0000006f 81DDD1F8
Device \Driver\usbehci \Device\USBFDO-3 821941F8
Device \Driver\SiSRaid \Device\Scsi\SiSRaid1 823D11F8
Device \FileSystem\Fastfat \Fat 821D91F8
Device \Driver\00000865 \GLOBAL??\d1bbc12f 81DAA880
Device \FileSystem\Cdfs \Cdfs 821C83A0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x63 0x3E 0xF6 0xFD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x4E 0x73 0x11 0x23 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x63 0x3E 0xF6 0xFD ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x4E 0x73 0x11 0x23 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xCD 0xA0 0x53 0x28 ...

---- EOF - GMER 1.0.15 ----