GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-22 10:57:29 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-5 MAXTOR_STM3160811AS rev.3.AAE 149,05GB Running: d5t41r4g.exe; Driver: C:\DOCUME~1\Corri\USTAWI~1\Temp\fwayqaod.sys ---- System - GMER 2.1 ---- SSDT 8A6AAB38 ZwAlertResumeThread SSDT 8A6915B8 ZwAlertThread SSDT 8A698D40 ZwAllocateVirtualMemory SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort [0xB0A15FC0] SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile [0xB0A12C80] SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey [0xB0A2D170] SSDT 8A373300 ZwCreateMutant SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort [0xB0A16580] SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess [0xB0A2A900] SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx [0xB0A2AB10] SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection [0xB0A2EB10] SSDT 8A697B38 ZwCreateThread SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort [0xB0A16670] SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile [0xB0A13210] SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey [0xB0A2D9F0] SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey [0xB0A2D7A0] SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject [0xB0A2A280] SSDT 8A5E4598 ZwFreeVirtualMemory SSDT 8A5EF958 ZwImpersonateAnonymousToken SSDT 8A5F7618 ZwImpersonateThread SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey [0xB0A2DF10] SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey2 [0xB0A2DF90] SSDT 8A5907B8 ZwMapViewOfSection SSDT 8A5F9260 ZwOpenEvent SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile [0xB0A13070] SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess [0xB0A2C180] SSDT 8A6B9958 ZwOpenProcessToken SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread [0xB0A2BF40] SSDT 8A5F07E0 ZwOpenThreadToken SSDT \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys ZwProtectVirtualMemory [0xB824D840] SSDT \SystemRoot\System32\vsdatant.sys ZwRenameKey [0xB0A2E6F0] SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey [0xB0A2E150] SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort [0xB0A15BE0] SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey [0xB0A2E540] SSDT 8A5F9440 ZwResumeThread SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort [0xB0A16190] SSDT 8A683B00 ZwSetContextThread SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile [0xB0A13440] SSDT 8A5EA838 ZwSetInformationProcess SSDT 8A5E6628 ZwSetInformationThread SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey [0xB0A2D4E0] SSDT 8A704408 ZwSuspendProcess SSDT 8A6B5B18 ZwSuspendThread SSDT \SystemRoot\System32\vsdatant.sys ZwSystemDebugControl [0xB0A2B200] SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess [0xB0A2B080] SSDT 8A6AF778 ZwTerminateThread SSDT 8A692460 ZwUnmapViewOfSection SSDT 8A51AD90 ZwWriteVirtualMemory INT 0x62 ? 8A6D6CC8 INT 0x63 ? 8A6D6CC8 INT 0x63 ? 8A6D6CC8 INT 0x63 ? 8A3B9F00 INT 0x63 ? 8A3B9F00 INT 0x63 ? 8A6D6CC8 INT 0x74 ? 8A3B9F00 INT 0x82 ? 8A6D6CC8 INT 0x94 ? 8A3B9F00 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 241C 80501C44 12 Bytes [80, 65, A1, B0, 00, A9, A2, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 24C8 80501CF0 2 Bytes [58, F9] {POP EAX; STC } .text ntkrnlpa.exe!ZwCallbackReturn + 2758 80501F80 12 Bytes [08, 44, 70, 8A, 18, 5B, 6B, ...] .sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xB7F8D346] ? srescan.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6B353C0, 0x74AA7A, 0xE8000020] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8A6D51F8 Device \Driver\Tcpip \Device\Ip vsdatant.sys Device \Driver\usbuhci \Device\USBPDO-0 8A355430 Device \Driver\usbuhci \Device\USBPDO-1 8A355430 Device \Driver\usbuhci \Device\USBPDO-2 8A355430 Device \Driver\usbuhci \Device\USBPDO-3 8A355430 Device \Driver\usbehci \Device\USBPDO-4 8A350430 Device \Driver\NetBT \Device\NetBT_Tcpip_{82C0FDFA-F3D0-440C-978E-5AF7E60C399E} 8A3B8430 Device \Driver\Tcpip \Device\Tcp vsdatant.sys Device \Driver\Cdrom \Device\CdRom0 8A3A4430 Device \Driver\atapi \Device\Ide\IdePort0 [B7E22B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B7E22B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B7E22B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B7E22B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 [B7E22B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 [B7E22B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 8A3B8430 Device \Driver\NetBT \Device\NetbiosSmb 8A3B8430 Device \Driver\Tcpip \Device\Udp vsdatant.sys Device \Driver\Tcpip \Device\RawIp vsdatant.sys Device \Driver\usbuhci \Device\USBFDO-0 8A355430 Device \Driver\usbuhci \Device\USBFDO-1 8A355430 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A38A430 Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys Device \Driver\usbuhci \Device\USBFDO-2 8A355430 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A38A430 Device \Driver\usbuhci \Device\USBFDO-3 8A355430 Device \Driver\usbehci \Device\USBFDO-4 8A350430 Device \FileSystem\Cdfs \Cdfs 8A5D11F8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\Control\Video\{04C743A6-5B9D-4A8B-93F2-8635E8437F06}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet001\Control\Video\{0B921C92-D2A7-453A-A077-2509FA27573F}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet001\Control\Video\{1CEBADBB-3E19-48F6-8C9E-086C2D394BFE}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet001\Control\Video\{1F74C15B-9431-4C9C-978A-84A00877FFA2}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{04C743A6-5B9D-4A8B-93F2-8635E8437F06}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{0B921C92-D2A7-453A-A077-2509FA27573F}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{1CEBADBB-3E19-48F6-8C9E-086C2D394BFE}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{1F74C15B-9431-4C9C-978A-84A00877FFA2}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{04C743A6-5B9D-4A8B-93F2-8635E8437F06}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{0B921C92-D2A7-453A-A077-2509FA27573F}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{1CEBADBB-3E19-48F6-8C9E-086C2D394BFE}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{1F74C15B-9431-4C9C-978A-84A00877FFA2}\0000@D3D_\x3332\x3331 2089309684 ---- EOF - GMER 2.1 ----