GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-07 13:42:44
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_4D040H2 rev.DAH017K0
Running: 19y6qiw8.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\awtyqpob.sys

---- System - GMER 1.0.15 ----

SSDT F7A8198E ZwCreateKey
SSDT F7A81984 ZwCreateThread
SSDT F7A81993 ZwDeleteKey
SSDT F7A8199D ZwDeleteValueKey
SSDT spkj.sys ZwEnumerateKey [0xF74FCDA4]
SSDT spkj.sys ZwEnumerateValueKey [0xF74FD132]
SSDT F7A819A2 ZwLoadKey
SSDT spkj.sys ZwOpenKey [0xF74E40C0]
SSDT F7A81970 ZwOpenProcess
SSDT F7A81975 ZwOpenThread
SSDT spkj.sys ZwQueryKey [0xF74FD20A]
SSDT spkj.sys ZwQueryValueKey [0xF74FD08A]
SSDT F7A819AC ZwReplaceKey
SSDT F7A819A7 ZwRestoreKey
SSDT F7A81998 ZwSetValueKey

INT 0x62 ? 898A0BF8
INT 0x63 ? 8940EBF8
INT 0x82 ? 898A0BF8
INT 0xB4 ? 8940EBF8

---- Kernel code sections - GMER 1.0.15 ----

? spkj.sys Nie można odnaleźć określonego pliku. !
.text USBPORT.SYS!DllUnload B970F8AC 5 Bytes JMP 8940E1D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8990E2D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F750FDDC] spkj.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F750FE30] spkj.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74E5042] spkj.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74E513E] spkj.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74E50C0] spkj.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74E5800] spkj.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74E56D6] spkj.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8940E2D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74F4B90] spkj.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\Explorer.EXE[1424] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00E82EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1424] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00E82C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1424] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00E82C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\Explorer.EXE[1424] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00E82C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3188] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00AC2EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3188] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00AC2C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3188] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00AC2C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Avira\AntiVir Desktop\avgnt.exe[3188] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00AC2C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[3292] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00C82EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[3292] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00C82C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[3292] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00C82C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Common Files\Java\Java Update\jusched.exe[3292] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00C82C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00A32EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00A32C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00A32C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\WINDOWS\system32\ctfmon.exe[3308] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00A32C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe[3376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00E62EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe[3376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00E62C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe[3376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00E62C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\REALTEK USB Wireless LAN Driver and Utility\RtWLan.exe[3376] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00E62C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Administrator\Pulpit\19y6qiw8.exe[3532] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802EC0] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Administrator\Pulpit\19y6qiw8.exe[3532] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802C30] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Administrator\Pulpit\19y6qiw8.exe[3532] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802C90] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Administrator\Pulpit\19y6qiw8.exe[3532] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802C60] C:\Program Files\Common Files\Logishrd\LVMVFM\LVPrcInj.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8989F1F8
Device \FileSystem\Fastfat \FatCdrom 88D7F1F8
Device \Driver\usbuhci \Device\USBPDO-0 896461F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8990C1F8
Device \Driver\dmio \Device\DmControl\DmConfig 8990C1F8
Device \Driver\dmio \Device\DmControl\DmPnP 8990C1F8
Device \Driver\dmio \Device\DmControl\DmInfo 8990C1F8
Device \Driver\usbuhci \Device\USBPDO-1 896461F8
Device \Driver\usbehci \Device\USBPDO-2 8940C1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{122CEF52-BE91-4451-B039-3D6BE24BC24D} 895441F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 898A11F8
Device \Driver\Cdrom \Device\CdRom0 894061F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 895441F8
Device \Driver\NetBT \Device\NetbiosSmb 895441F8
Device \Driver\usbuhci \Device\USBFDO-0 896461F8
Device \Driver\usbuhci \Device\USBFDO-1 896461F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 892451F8
Device \Driver\usbehci \Device\USBFDO-2 8940C1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 892451F8
Device \Driver\Ftdisk \Device\FtControl 898A11F8
Device \FileSystem\Fastfat \Fat 88D7F1F8
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 892441F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0xBA 0x41 0xBD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0xBA 0x41 0xBD ...

---- EOF - GMER 1.0.15 ----