GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-28 18:05:53
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort2 SAMSUNG_SP2504C rev.VT100-41
Running: 3pz42gzn.exe; Driver: C:\DOCUME~1\DJ\USTAWI~1\Temp\kwtdipow.sys

---- System - GMER 1.0.15 ----

SSDT F7BC783E ZwCreateKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcess [0xAA2F9794]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwCreateProcessEx [0xAA2F9F1E]
SSDT F7BC7834 ZwCreateThread
SSDT F7BC7843 ZwDeleteKey
SSDT F7BC784D ZwDeleteValueKey
SSDT sptd.sys ZwEnumerateKey [0xF72DDE2C]
SSDT sptd.sys ZwEnumerateValueKey [0xF72DE1BA]
SSDT F7BC7852 ZwLoadKey
SSDT sptd.sys ZwOpenKey [0xF72D80B0]
SSDT F7BC7820 ZwOpenProcess
SSDT F7BC7825 ZwOpenThread
SSDT sptd.sys ZwQueryKey [0xF72DE292]
SSDT sptd.sys ZwQueryValueKey [0xF72DE112]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwRenameKey [0xAA2FE12A]
SSDT F7BC785C ZwReplaceKey
SSDT F7BC7857 ZwRestoreKey
SSDT F7BC7848 ZwSetValueKey
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwTerminateProcess [0xAA2F8D0A]
SSDT \SystemRoot\system32\drivers\iksysflt.sys (System Filter Device Driver/PCTools Research Pty Ltd.) ZwWriteVirtualMemory [0xAA2F8384]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text USBPORT.SYS!DllUnload F683962C 5 Bytes JMP 865C31C8
.rsrc C:\WINDOWS\system32\DRIVERS\serial.sys entry point in ".rsrc" section [0xF67F7214]
? System32\Drivers\amjjh6vo.SYS System nie może odnaleźć określonej ścieżki. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe[804] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe[804] WS2_32.dll!send 71A5428A 5 Bytes JMP 001F6E8F
.text C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe[804] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 001F708C
.text C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe[804] WS2_32.dll!gethostbyname 71A54FD4 5 Bytes JMP 001F75E8
.text C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe[804] WS2_32.dll!recv 71A5615A 5 Bytes JMP 001F6F02
.text C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe[804] WS2_32.dll!WSASend 71A56233 5 Bytes JMP 001F6FDD
.text C:\Program Files\Mozilla Firefox 4.0 Beta 12\firefox.exe[804] WS2_32.dll!closesocket 71A59639 5 Bytes JMP 001F7307
.text C:\Program Files\Mozilla Firefox 4.0 Beta 12\plugin-container.exe[3032] USER32.dll!GetWindowInfo 7E36E77C 5 Bytes JMP 104C2D69 C:\Program Files\Mozilla Firefox 4.0 Beta 12\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox 4.0 Beta 12\plugin-container.exe[3032] USER32.dll!TrackPopupMenu 7E3B50EE 5 Bytes JMP 104C3375 C:\Program Files\Mozilla Firefox 4.0 Beta 12\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F72D8AD4] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F72D8C1A] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F72D8B9C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F72D9748] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F72D961E] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F72EDACA] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8675D1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6B157C15-3F32-4CCF-87E8-6449FFB64458} 863DA570
Device \Driver\usbuhci \Device\USBPDO-0 865BB1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8675F1E8
Device \Driver\dmio \Device\DmControl\DmConfig 8675F1E8
Device \Driver\dmio \Device\DmControl\DmPnP 8675F1E8
Device \Driver\dmio \Device\DmControl\DmInfo 8675F1E8
Device \Driver\usbuhci \Device\USBPDO-1 865BB1E8
Device \Driver\usbuhci \Device\USBPDO-2 865BB1E8
Device \Driver\usbuhci \Device\USBPDO-3 865BB1E8
Device \Driver\usbehci \Device\USBPDO-4 865BF3E0
Device \Driver\PCI_NTPNP4956 \Device\00000049 sptd.sys
Device \Driver\PCI_NTPNP4956 \Device\00000049 sptd.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 867D21E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 867D21E8
Device \Driver\Cdrom \Device\CdRom0 86201400
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8654FAF1
Device \Driver\atapi \Device\Ide\IdePort0 867D11E8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8654FAF1
Device \Driver\atapi \Device\Ide\IdePort1 867D11E8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8654FAF1
Device \Driver\atapi \Device\Ide\IdePort2 867D11E8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8654FAF1
Device \Driver\atapi \Device\Ide\IdePort3 867D11E8
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-3 8654FAF1
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 867D11E8
Device \Driver\Cdrom \Device\CdRom1 86201400
Device \Driver\Cdrom \Device\CdRom2 86201400
Device \Driver\NetBT \Device\NetBt_Wins_Export 863DA570
Device \Driver\NetBT \Device\NetbiosSmb 863DA570
Device \Driver\usbuhci \Device\USBFDO-0 865BB1E8
Device \Driver\usbuhci \Device\USBFDO-1 865BB1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 862817A0
Device \Driver\usbuhci \Device\USBFDO-2 865BB1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 862817A0
Device \Driver\usbuhci \Device\USBFDO-3 865BB1E8
Device \Driver\usbehci \Device\USBFDO-4 865BF3E0
Device \Driver\Ftdisk \Device\FtControl 867D21E8
Device \Driver\amjjh6vo \Device\Scsi\amjjh6vo1Port4Path0Target1Lun0 863042E0
Device \Driver\amjjh6vo \Device\Scsi\amjjh6vo1 863042E0
Device \Driver\amjjh6vo \Device\Scsi\amjjh6vo1Port4Path0Target0Lun0 863042E0
Device \FileSystem\Cdfs \Cdfs 863343D8
Device \Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskSAMSUNG_SP2504C_________________________VT100-41#30535139314a4c4e313539363536202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5F 0xA7 0x27 0xCB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEB 0x63 0x59 0x21 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFB 0x18 0x78 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x18 0xCD 0xF9 0xA2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x5F 0xA7 0x27 0xCB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xEB 0x63 0x59 0x21 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFB 0x18 0x78 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x18 0xCD 0xF9 0xA2 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\Interface\{BC0847B2-BD5C-37B3-BA67-7D2D54B17238}\ProxyStubClóid32
Reg HKLM\SOFTWARE\Classes\Interface\{BC0847B2-BD5C-37B3-BA67-7D2D54B17238}\ProxyStubClóid32@ {00020424-0000-0000-C000-000000000046}

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sectors 488396973 (+194): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\system32\DRIVERS\serial.sys suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----