GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-16 23:35:24
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD400BB-60DGA0 rev.05.03E05
Running: toy9ct7d.exe; Driver: C:\DOCUME~1\Prezes\USTAWI~1\Temp\uwriapow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwClose [0xF69346B8]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateKey [0xF6934574]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwCreatePagingFile [0xF83E3B00]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDeleteValueKey [0xF6934A52]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwDuplicateObject [0xF693414C]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateKey [0xF83E45DC]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwEnumerateValueKey [0xF83F0120]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwOpenFile [0xF83E3B40]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenKey [0xF693464E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenProcess [0xF693408C]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwOpenThread [0xF69340F0]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwQueryKey [0xF83E45FC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwQueryValueKey [0xF693476E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwRestoreKey [0xF693472E]
SSDT a347bus.sys (Plug and Play BIOS Extension/ ) ZwSetSystemPowerState [0xF83EF550]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwSetValueKey [0xF69348AE]

INT 0x62 ? 823DDBF8
INT 0x63 ? 8227BF00
INT 0x73 ? 8227BF00
INT 0x82 ? 823DDBF8
INT 0xB4 ? 8227BF00

---- Kernel code sections - GMER 1.0.15 ----

? spbx.sys Nie można odnaleźć określonego pliku. !
.text USBPORT.SYS!DllUnload F7FC88AC 5 Bytes JMP 8227B4E0
.text aq6po4l4.SYS F7E52386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aq6po4l4.SYS F7E523AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aq6po4l4.SYS F7E523C4 3 Bytes [00, 80, 02]
.text aq6po4l4.SYS F7E523C9 1 Byte [30]
.text aq6po4l4.SYS F7E523C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
? C:\WINDOWS\System32\Drivers\aq6po4l4.SYS Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xF46BC400, 0x7960C, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF475E420]
C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF475E420]
.protect˙˙˙˙hardlockunknown last code section [0xF475E200, 0x5049, 0xE0000020]
C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xF475E200, 0x5049, 0xE0000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 823722D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F844EDDC] spbx.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F844EE30] spbx.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 8227B5E0
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F8433B90] spbx.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[708] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[708] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8236E1F8
AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Fastfat \FatCdrom 81BBB500
Device \FileSystem\Fastfat \FatCdrom 81E38240
Device \Driver\sptd \Device\448959410 spbx.sys
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbuhci \Device\USBPDO-0 822341F8
Device \Driver\usbuhci \Device\USBPDO-1 822341F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 823701F8
Device \Driver\dmio \Device\DmControl\DmConfig 823701F8
Device \Driver\dmio \Device\DmControl\DmPnP 823701F8
Device \Driver\dmio \Device\DmControl\DmInfo 823701F8
Device \Driver\usbuhci \Device\USBPDO-2 822341F8
Device \Driver\usbehci \Device\USBPDO-3 822121F8
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 823DE1F8
Device \Driver\Cdrom \Device\CdRom0 82125C28
Device \Driver\Ftdisk \Device\HarddiskVolume2 823DE1F8
Device \FileSystem\Rdbss \Device\FsWrap 81ECC458
Device \Driver\atapi \Device\Ide\IdePort0 82147380
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 82147380
Device \Driver\atapi \Device\Ide\IdePort1 82147380
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 82147380
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 82147380
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 82147380
Device \Driver\Cdrom \Device\CdRom1 82125C28
Device \Driver\Ftdisk \Device\HarddiskVolume3 823DE1F8
Device \Driver\Cdrom \Device\CdRom2 82125C28
Device \Driver\Ftdisk \Device\HarddiskVolume4 823DE1F8
Device \Driver\Ftdisk \Device\HarddiskVolume5 823DE1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{615A46AD-608B-413E-97C5-F234071B4019} 81E4D500
Device \Driver\Ftdisk \Device\HarddiskVolume6 823DE1F8
Device \Driver\Ftdisk \Device\HarddiskVolume7 823DE1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 81E4D500
Device \Driver\NetBT \Device\NetbiosSmb 81E4D500
Device \Driver\NetBT \Device\NetBT_Tcpip_{EFE11BA4-B66A-4E81-8D45-E9D022F2F670} 81E4D500
Device \Driver\PCI_PNP0660 \Device\0000005b spbx.sys
Device \FileSystem\Srv \Device\LanmanServer 81A89758
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \Driver\usbuhci \Device\USBFDO-0 822341F8
Device \Driver\usbuhci \Device\USBFDO-1 822341F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81E4B1F8
Device \Driver\usbuhci \Device\USBFDO-2 822341F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 81E4B1F8
Device \Driver\usbehci \Device\USBFDO-3 822121F8
Device \FileSystem\Npfs \Device\NamedPipe 81FAB6F0
Device \Driver\Ftdisk \Device\FtControl 823DE1F8
Device \FileSystem\Msfs \Device\Mailslot 81ED1240
Device \Driver\aq6po4l4 \Device\Scsi\aq6po4l41Port2Path0Target0Lun0 8201F748
Device \Driver\a347scsi \Device\Scsi\a347scsi1 814BE7C0
Device \Driver\aq6po4l4 \Device\Scsi\aq6po4l41 8201F748
Device \Driver\a347scsi \Device\Scsi\a347scsi1Port3Path0Target0Lun0 814BE7C0
Device \FileSystem\Fastfat \Fat 81BBB500
Device \FileSystem\Fastfat \Fat 81E38240
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 82079448
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 82079448
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 82079448
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 82079448
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 82079448
Device \FileSystem\Cdfs \Cdfs 81BB31F8
Device \FileSystem\Cdfs \Cdfs 81E9C3B8

---- Modules - GMER 1.0.15 ----

Module _________ F8345000-F835D000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\a347scsi\Config\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE9 0x44 0x89 0x2D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xED 0x55 0x78 0x77 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFD 0x21 0xA3 0xAA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE9 0x44 0x89 0x2D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xED 0x55 0x78 0x77 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFD 0x21 0xA3 0xAA ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{E9F81423-211E-46B6-9AE0-38568BC5CF6F}@DisplayName Alcohol 120% (Trial Version)
Reg HKLM\SOFTWARE\Classes\Installer\Products\32418F9EE1126B64A90E8365B85CFCF6@ProductName Alcohol 120% (Trial Version)

---- EOF - GMER 1.0.15 ----