GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-16 17:04:34
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 ST3320620AS rev.3.AAK
Running: mulsmk2i.exe; Driver: C:\DOCUME~1\Gosia\USTAWI~1\Temp\kwrdqpow.sys

---- System - GMER 1.0.15 ----

SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwAllocateVirtualMemory [0xB87C3088]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwClose [0xB756F8A0]
SSDT spwc.sys ZwCreateKey [0xF74D60E0]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwCreateThread [0xB87C41E0]
SSDT spwc.sys ZwEnumerateKey [0xF74F4DA4]
SSDT spwc.sys ZwEnumerateValueKey [0xF74F5132]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwFreeVirtualMemory [0xB87C3306]
SSDT spwc.sys ZwOpenKey [0xF74D60C0]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xB756F8D0]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwOpenSection [0xB87C2ED2]
SSDT spwc.sys ZwQueryKey [0xF74F520A]
SSDT spwc.sys ZwQueryValueKey [0xF74F508A]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwQueueApcThread [0xB87C42E2]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwSetContextThread [0xB87C432E]
SSDT spwc.sys ZwSetValueKey [0xF74F529C]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwSystemDebugControl [0xB87C2E00]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xB756F980]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xB756FA20]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xB756FAC0]

INT 0x63 ? 89C10BF8
INT 0x73 ? 899D2BF8
INT 0x73 ? 899D2BF8
INT 0x83 ? 899D2BF8
INT 0x83 ? 899D2BF8
INT 0x84 ? 899D2BF8
INT 0xA4 ? 899D2BF8
INT 0xB4 ? 89C10BF8
INT 0xB4 ? 89C10BF8
INT 0xB4 ? 89C10BF8
INT 0xB4 ? 89C10BF8
INT 0xB4 ? 899D2BF8
INT 0xB4 ? 89C10BF8

---- Kernel code sections - GMER 1.0.15 ----

? spwc.sys Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB765D360, 0x3D46A5, 0xE8000020]
.text USBPORT.SYS!DllUnload B763E62C 5 Bytes JMP 899D21D8
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0x8EF42F00, 0x24000, 0x48000000]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2584] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3516] USER32.dll!TrackPopupMenu 77D84F16 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 89C132D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7507D4C] spwc.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7507DA0] spwc.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D7042] spwc.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D713E] spwc.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D70C0] spwc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D7800] spwc.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D76D6] spwc.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 899D22D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E6E9C] spwc.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89C0F1F8
AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
Device \FileSystem\Fastfat \FatCdrom 88F471F8
AttachedDevice \Driver\Tcpip \Device\Ip dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-0 899D11F8
Device \Driver\usbuhci \Device\USBPDO-1 899D11F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89BA01F8
Device \Driver\dmio \Device\DmControl\DmConfig 89BA01F8
Device \Driver\dmio \Device\DmControl\DmPnP 89BA01F8
Device \Driver\dmio \Device\DmControl\DmInfo 89BA01F8
Device \Driver\usbehci \Device\USBPDO-2 899A01F8
Device \Driver\usbuhci \Device\USBPDO-3 899D11F8
Device \Driver\usbuhci \Device\USBPDO-4 899D11F8
AttachedDevice \Driver\Tcpip \Device\Tcp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-5 899D11F8
Device \Driver\usbuhci \Device\USBPDO-6 899D11F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89C111F8
Device \Driver\usbehci \Device\USBPDO-7 899A01F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89C111F8
Device \Driver\Cdrom \Device\CdRom0 8994B1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 89C111F8
Device \Driver\USBSTOR \Device\00000083 88E1B1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 89706500
Device \Driver\USBSTOR \Device\00000084 88E1B1F8
AttachedDevice \Driver\Tcpip \Device\Udp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Udp AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{2F4E276E-7750-41FF-9FD3-CC0B33557860} 89706500
Device \Driver\usbuhci \Device\USBFDO-0 899D11F8
Device \Driver\usbuhci \Device\USBFDO-1 899D11F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 891B01F8
Device \Driver\usbehci \Device\USBFDO-2 899A01F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 891B01F8
Device \Driver\usbuhci \Device\USBFDO-3 899D11F8
Device \Driver\usbuhci \Device\USBFDO-4 899D11F8
Device \Driver\Ftdisk \Device\FtControl 89C111F8
Device \Driver\usbuhci \Device\USBFDO-5 899D11F8
Device \Driver\usbuhci \Device\USBFDO-6 899D11F8
Device \Driver\usbehci \Device\USBFDO-7 899A01F8
Device \FileSystem\Fastfat \Fat 88F471F8
AttachedDevice \FileSystem\Fastfat \Fat dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
Device \FileSystem\Cdfs \Cdfs 898D9500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC3 0x8A 0xCD 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC3 0x8A 0xCD 0xC2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x8C 0x10 0x46 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{dcdfeb0f-63e6-4ca6-8b85-8f91b25750fe}@Model 183
Reg HKLM\SOFTWARE\Classes\CLSID\{dcdfeb0f-63e6-4ca6-8b85-8f91b25750fe}@Therad 29
Reg HKLM\SOFTWARE\Classes\CLSID\{dcdfeb0f-63e6-4ca6-8b85-8f91b25750fe}@MData 0x73 0xD5 0xCF 0xB8 ...

---- EOF - GMER 1.0.15 ----