GMER 1.0.15.15530 - http://www.gmer.net Rootkit scan 2011-03-16 19:27:33 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-22FJA0 rev.13.03G13 Running: ocxdqv3q.exe; Driver: C:\DOCUME~1\ADMINI~1.JAN\USTAWI~1\Temp\uxtdypod.sys ---- System - GMER 1.0.15 ---- SSDT spwu.sys ZwCreateKey [0xF771C0E0] SSDT spwu.sys ZwEnumerateKey [0xF7734DA4] SSDT spwu.sys ZwEnumerateValueKey [0xF7735132] SSDT spwu.sys ZwOpenKey [0xF771C0C0] SSDT spwu.sys ZwQueryKey [0xF773520A] SSDT spwu.sys ZwQueryValueKey [0xF773508A] SSDT spwu.sys ZwSetValueKey [0xF773529C] INT 0x62 ? 867DBBF8 INT 0x73 ? 86633BF8 INT 0x82 ? 867DBBF8 INT 0x83 ? 86633BF8 ---- Kernel code sections - GMER 1.0.15 ---- ? spwu.sys Nie można odnaleźć określonego pliku. ! .text USBPORT.SYS!DllUnload F6B0F8AC 5 Bytes JMP 866331D8 .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF630B360, 0x24BB1D, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\AVG\AVG9\avgnsx.exe[372] SHELL32.dll!SHStartNetConnectionDialogW + 1092 7CAD2B3F 1 Byte [7F] .text C:\Documents and Settings\Administrator.JANIK\Pulpit\ocxdqv3q.exe[2116] ntdll.dll!NtCreateKey 7C90D0EE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator.JANIK\Pulpit\ocxdqv3q.exe[2116] ntdll.dll!NtCreateKey + 4 7C90D0F2 2 Bytes [17, 5F] {POP SS; POP EDI} .text C:\Documents and Settings\Administrator.JANIK\Pulpit\ocxdqv3q.exe[2116] ntdll.dll!NtSetValueKey 7C90DDCE 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator.JANIK\Pulpit\ocxdqv3q.exe[2116] ntdll.dll!NtSetValueKey + 4 7C90DDD2 2 Bytes [14, 5F] {ADC AL, 0x5f} .text C:\Documents and Settings\Administrator.JANIK\Pulpit\ocxdqv3q.exe[2116] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 00C70001 .text C:\Documents and Settings\Administrator.JANIK\Pulpit\ocxdqv3q.exe[2116] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A .text C:\Documents and Settings\Administrator.JANIK\Pulpit\ocxdqv3q.exe[2116] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A .text C:\Documents and Settings\Administrator.JANIK\Pulpit\ocxdqv3q.exe[2116] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 5F100F5A .text C:\Documents and Settings\Administrator.JANIK\Pulpit\ocxdqv3q.exe[2116] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\Documents and Settings\Administrator.JANIK\Pulpit\ocxdqv3q.exe[2116] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [05, 5F] .text C:\Documents and Settings\Administrator.JANIK\Pulpit\ocxdqv3q.exe[2116] ADVAPI32.dll!CreateServiceA 77E27211 6 Bytes JMP 5F190F5A .text C:\Documents and Settings\Administrator.JANIK\Pulpit\ocxdqv3q.exe[2116] ADVAPI32.dll!CreateServiceW 77E273A9 6 Bytes JMP 5F1C0F5A .text C:\WINDOWS\Explorer.EXE[2792] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 03660001 .text C:\WINDOWS\Explorer.EXE[2792] kernel32.dll!CreateProcessW 7C802336 6 Bytes JMP 5F0D0F5A .text C:\WINDOWS\Explorer.EXE[2792] kernel32.dll!CreateProcessA 7C80236B 6 Bytes JMP 5F0A0F5A .text C:\WINDOWS\Explorer.EXE[2792] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 6 Bytes JMP 5F100F5A .text C:\WINDOWS\Explorer.EXE[2792] ADVAPI32.dll!CreateProcessWithLogonW 77E05FFD 3 Bytes [FF, 25, 1E] .text C:\WINDOWS\Explorer.EXE[2792] ADVAPI32.dll!CreateProcessWithLogonW + 4 77E06001 2 Bytes [05, 5F] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8676F2D8 IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7747DDC] spwu.sys IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7747E30] spwu.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F771D042] spwu.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F771D13E] spwu.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F771D0C0] spwu.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F771D800] spwu.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F771D6D6] spwu.sys IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 866332D8 IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F772CB90] spwu.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 867DA1F8 Device \FileSystem\Fastfat \FatCdrom 86035500 AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\NetBT \Device\NetBT_Tcpip_{1DDFAC79-B7BA-427B-9A01-BF3058E65502} 862A0500 Device \Driver\usbohci \Device\USBPDO-0 866381F8 Device \Driver\usbohci \Device\USBPDO-1 866381F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 8676D1F8 Device \Driver\dmio \Device\DmControl\DmConfig 8676D1F8 Device \Driver\dmio \Device\DmControl\DmPnP 8676D1F8 Device \Driver\dmio \Device\DmControl\DmInfo 8676D1F8 AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\Ftdisk \Device\HarddiskVolume1 867DC1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 867DC1F8 Device \Driver\Cdrom \Device\CdRom0 866371F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F766FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F766FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F766FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F766FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F766FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume3 867DC1F8 Device \Driver\Cdrom \Device\CdRom1 866371F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 862A0500 Device \Driver\NetBT \Device\NetbiosSmb 862A0500 AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\usbohci \Device\USBFDO-0 866381F8 Device \Driver\usbohci \Device\USBFDO-1 866381F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 862931F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 862931F8 Device \Driver\Ftdisk \Device\FtControl 867DC1F8 Device \FileSystem\Fastfat \Fat 86035500 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 8623A500 ---- Threads - GMER 1.0.15 ---- Thread System [4:3296] B5F531F0 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a1dd Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a1dd@00181359824c 0xE8 0xCA 0xA3 0x97 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a1dd@00234572688a 0x30 0x2F 0xA7 0xDC ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a1dd@942053841dee 0x5F 0xA5 0x1E 0x65 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x92 0x73 0xC0 0xD8 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x04 0x97 0xC8 0x30 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0B 0x32 0xD6 0xC4 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x71 0x5A 0x3A 0x86 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a1dd (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a1dd@00181359824c 0xE8 0xCA 0xA3 0x97 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a1dd@00234572688a 0x30 0x2F 0xA7 0xDC ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a1dd@942053841dee 0x5F 0xA5 0x1E 0x65 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x49 0xB7 0xC3 0xF5 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0B 0x32 0xD6 0xC4 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x56 0x55 0x96 0x87 ... ---- EOF - GMER 1.0.15 ----