GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-01-29 14:36:05 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3500320AS rev.SD15 465,76GB Running: nmo7berb.exe; Driver: C:\DOCUME~1\JA\USTAWI~1\Temp\pxtdrpod.sys ---- System - GMER 2.0 ---- SSDT sptd.sys ZwCreateKey [0xB7ED4FA0] SSDT sptd.sys ZwEnumerateKey [0xB7F08698] SSDT sptd.sys ZwEnumerateValueKey [0xB7F08A26] SSDT sptd.sys ZwOpenKey [0xB7ED4F80] SSDT sptd.sys ZwQueryKey [0xB7F08AFE] SSDT sptd.sys ZwQueryValueKey [0xB7F0897E] SSDT sptd.sys ZwSetValueKey [0xB7F08B90] INT 0x62 ? 8A71BCB8 INT 0x63 ? 8A4D4CB8 INT 0x73 ? 8A4D4CB8 INT 0x82 ? 8A71BCB8 INT 0x83 ? 8A4D4CB8 INT 0xB4 ? 8A4D4CB8 ---- Kernel code sections - GMER 2.0 ---- .text sptd.sys B7E98000 28 Bytes [30, 78, 6E, 80, A6, CB, 6E, ...] .text sptd.sys B7E9801D 3 Bytes [79, 6E, 80] .text sptd.sys B7E98024 160 Bytes [30, 53, 53, 80, 68, B9, 54, ...] .text sptd.sys B7E980C5 43 Bytes [F7, 4E, 80, C0, 98, 53, 80, ...] .text sptd.sys B7E980F1 40 Bytes [9A, 53, 80, B0, 95, 53, 80, ...] .text ... .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB7F441AA] ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6B013C0, 0x95B7EA, 0xE8000020] .text USBPORT.SYS!DllUnload B6AB98AC 5 Bytes JMP 8A4D41C8 .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB2BE1300, 0x3AE88, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB83B0300, 0x1B7E, 0xE8000020] ---- Kernel IAT/EAT - GMER 2.0 ---- IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B7E9A20E] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B7E9970C] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B7E99EEE] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7E9970C] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7E998F0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7E99832] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7E9A0CC] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7E99EEE] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EADF56] sptd.sys ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCB 0x9B 0x0A 0x92 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF6 0x46 0x3A 0x0A ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA0 0x9D 0xD9 0xC0 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x6C 0xC8 0xA5 0x4D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xED 0x04 0xBF 0x18 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCB 0x9B 0x0A 0x92 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF6 0x46 0x3A 0x0A ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA0 0x9D 0xD9 0xC0 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x34 0x39 0x68 0xA6 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCB 0x9B 0x0A 0x92 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF6 0x46 0x3A 0x0A ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA0 0x9D 0xD9 0xC0 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xD3 0x18 0x35 0x34 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{050D6B22-1261-AF33-A485-0FCE4369335F} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{050D6B22-1261-AF33-A485-0FCE4369335F}@pabjcacilefdhcndpggkooifccpgjdbo 0x6A 0x61 0x6E 0x70 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{050D6B22-1261-AF33-A485-0FCE4369335F}@oaphmgofleokpncbjigncmchckponi 0x6A 0x61 0x6E 0x70 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{2E5A363A-FFE4-9FBE-3462-A8A033A6D1A7} ---- EOF - GMER 2.0 ----