GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-06 21:49:52
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_4D040H2 rev.DAH017K0
Running: 19y6qiw8.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\awtyqpob.sys


---- System - GMER 1.0.15 ----

SSDT F7A5AF0E ZwCreateKey
SSDT F7A5AF04 ZwCreateThread
SSDT F7A5AF13 ZwDeleteKey
SSDT F7A5AF1D ZwDeleteValueKey
SSDT spib.sys ZwEnumerateKey [0xF74FCDA4]
SSDT spib.sys ZwEnumerateValueKey [0xF74FD132]
SSDT F7A5AF22 ZwLoadKey
SSDT spib.sys ZwOpenKey [0xF74E40C0]
SSDT F7A5AEF0 ZwOpenProcess
SSDT F7A5AEF5 ZwOpenThread
SSDT spib.sys ZwQueryKey [0xF74FD20A]
SSDT spib.sys ZwQueryValueKey [0xF74FD08A]
SSDT F7A5AF2C ZwReplaceKey
SSDT F7A5AF27 ZwRestoreKey
SSDT F7A5AF18 ZwSetValueKey

INT 0x62 ? 898A0BF8
INT 0x63 ? 89772BF8
INT 0x82 ? 898A0BF8
INT 0xB4 ? 89772BF8

---- Kernel code sections - GMER 1.0.15 ----

? spib.sys Nie można odnaleźć określonego pliku. !
.text USBPORT.SYS!DllUnload B9D628AC 5 Bytes JMP 897721D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] WS2_32.dll!getaddrinfo 71A52A6F 5 Bytes JMP 00F9B1A3
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 00F9BF35
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] WS2_32.dll!send 71A54C27 5 Bytes JMP 00F9BC3D
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 00F9BE4E
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] WS2_32.dll!gethostbyname 71A55355 5 Bytes JMP 00F9B0E6
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] WS2_32.dll!recv 71A5676F 2 Bytes JMP 00F9BCE3
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] WS2_32.dll!recv + 3 71A56772 2 Bytes [54, 8F]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 00F9BD8D
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] WS2_32.dll!WSAAsyncGetHostByName 71A5E99D 5 Bytes JMP 00F9B56A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 00F9C1A3
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 00F9C6DD
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] GDI32.dll!TextOutA 77F1BA4F 5 Bytes JMP 00F9C0D6
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] GDI32.dll!ExtTextOutA 77F1D3FA 5 Bytes JMP 00F9C5F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] GDI32.dll!GetGlyphIndicesA 77F3DFE3 5 Bytes JMP 00F9CA94
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] GDI32.dll!GetGlyphIndicesW 77F52604 5 Bytes JMP 00F9CB5E
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 00F9B645
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] USER32.dll!DrawTextExW 7E37B415 5 Bytes JMP 00F9C510
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] USER32.dll!DrawTextW 7E37D7E2 5 Bytes JMP 00F9C34C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] USER32.dll!SetClipboardData 7E380F9E 5 Bytes JMP 00F9BFC3
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] USER32.dll!DrawTextA 7E38C702 5 Bytes JMP 00F9C270
.text C:\Program Files\Mozilla Firefox\firefox.exe[2344] USER32.dll!DrawTextExA 7E38C739 5 Bytes JMP 00F9C428

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8990E2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F750FDDC] spib.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F750FE30] spib.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74E5042] spib.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74E513E] spib.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74E50C0] spib.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74E5800] spib.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74E56D6] spib.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 897722D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74F4B90] spib.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Skype\Phone\Skype.exe[260] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [02622EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[260] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [02622C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[260] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [02622C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Phone\Skype.exe[260] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [02622C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Administrator\Pulpit\19y6qiw8.exe[416] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A92EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Administrator\Pulpit\19y6qiw8.exe[416] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A92C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Administrator\Pulpit\19y6qiw8.exe[416] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A92C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Administrator\Pulpit\19y6qiw8.exe[416] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A92C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1588] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00D62EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1588] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00D62C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1588] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00D62C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1588] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00D62C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2344] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [01232EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2344] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [01232C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2344] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [01232C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Mozilla Firefox\firefox.exe[2344] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [01232C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Plugin Manager\skypePM.exe[2496] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [009E2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Plugin Manager\skypePM.exe[2496] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [009E2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Plugin Manager\skypePM.exe[2496] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [009E2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Skype\Plugin Manager\skypePM.exe[2496] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [009E2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8989F1F8
Device \FileSystem\Fastfat \FatCdrom 88D0A1F8
Device \Driver\usbuhci \Device\USBPDO-0 897711F8
Device \Driver\usbuhci \Device\USBPDO-1 897711F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8990C1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8990C1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8990C1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8990C1F8
Device \Driver\usbehci \Device\USBPDO-2 897A01F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{122CEF52-BE91-4451-B039-3D6BE24BC24D} 896291F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 898A11F8
Device \Driver\Cdrom \Device\CdRom0 8975D1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 896291F8
Device \Driver\NetBT \Device\NetbiosSmb 896291F8
Device \Driver\usbuhci \Device\USBFDO-0 897711F8
Device \Driver\usbuhci \Device\USBFDO-1 897711F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8961D1F8
Device \Driver\usbehci \Device\USBFDO-2 897A01F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8961D1F8
Device \Driver\Ftdisk \Device\FtControl 898A11F8
Device \FileSystem\Fastfat \Fat 88D0A1F8
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 896181F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0xBA 0x41 0xBD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0xBA 0x41 0xBD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0A 0xBE 0x42 0xDD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDC 0x03 0x2D 0x9B ...

---- EOF - GMER 1.0.15 ----