GMER 1.0.15.15570 - http://www.gmer.net Rootkit scan 2011-03-26 20:13:08 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_HM160HI rev.HH100-06 Running: gmer.exe; Driver: C:\DOCUME~1\ADRIAN~1\USTAWI~1\Temp\uxlyypod.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwAllocateVirtualMemory [0xAA03F328] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwAssignProcessToJobObject [0xAA03E824] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwConnectPort [0xAA03D64C] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateFile [0xAA0441F8] SSDT spci.sys ZwCreateKey [0xF74000E0] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreatePort [0xAA03D46A] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateProcess [0xAA03EDE4] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateProcessEx [0xAA03B978] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateSection [0xAA03B4F2] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwCreateThread [0xAA03C634] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwDebugActiveProcess [0xAA03CD22] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwDuplicateObject [0xAA03D32C] SSDT spci.sys ZwEnumerateKey [0xF7418DA4] SSDT spci.sys ZwEnumerateValueKey [0xF7419132] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwLoadDriver [0xAA03E24C] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwOpenFile [0xAA044554] SSDT spci.sys ZwOpenKey [0xF74000C0] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwOpenProcess [0xAA03C308] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwOpenSection [0xAA03B7B4] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwOpenThread [0xAA03C8B0] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwProtectVirtualMemory [0xAA03E5D6] SSDT spci.sys ZwQueryKey [0xF741920A] SSDT spci.sys ZwQueryValueKey [0xF741908A] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwQueueApcThread [0xAA03E940] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwRequestPort [0xAA03DCB0] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwRequestWaitReplyPort [0xAA03DF14] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwRestoreKey [0xAA043FF0] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwResumeThread [0xAA03D0CE] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSecureConnectPort [0xAA03D86E] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSetContextThread [0xAA03CBCC] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSetSystemInformation [0xAA03EFDC] SSDT spci.sys ZwSetValueKey [0xF741929C] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwShutdownSystem [0xAA03E186] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSuspendProcess [0xAA03D1FE] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSuspendThread [0xAA03CF7A] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwSystemDebugControl [0xAA03CE40] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwTerminateProcess [0xAA03C472] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwTerminateThread [0xAA03CA66] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwUnloadDriver [0xAA03E414] SSDT \??\C:\WINDOWS\system32\drivers\OADriver.sys ZwWriteVirtualMemory [0xAA03E700] INT 0x62 ? 865D7BF8 INT 0x82 ? 865D7BF8 INT 0x83 ? 863E3BF8 INT 0xA4 ? 863E3BF8 INT 0xB4 ? 863E3BF8 ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2C30 805044CC 4 Bytes CALL 98ECEED4 .text ntkrnlpa.exe!ZwCallbackReturn + 2C9C 80504538 12 Bytes [6A, D4, 03, AA, E4, ED, 03, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2EB4 80504750 4 Bytes JMP CF4CF158 .text ntkrnlpa.exe!ZwCallbackReturn + 2FD8 80504874 12 Bytes [FE, D1, 03, AA, 7A, CF, 03, ...] ? spci.sys Nie można odnaleźć określonego pliku. ! .text USBPORT.SYS!DllUnload F62D68AC 5 Bytes JMP 863E31D8 ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\Explorer.EXE[1264] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00D6000A .text C:\WINDOWS\Explorer.EXE[1264] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00D7000A .text C:\WINDOWS\Explorer.EXE[1264] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00D5000C ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7401042] spci.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F740113E] spci.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74010C0] spci.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7401800] spci.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74016D6] spci.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7410B90] spci.sys IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [F0D71EB0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Emsisoft) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F0D71F80] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Emsisoft) IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [F0D71F10] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Emsisoft) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [F0D71F50] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Emsisoft) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [F0D71F10] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Emsisoft) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F0D71F80] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Emsisoft) IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [F0D71EB0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Emsisoft) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [F0D71F10] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Emsisoft) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [F0D71F50] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Emsisoft) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [F0D71EB0] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Emsisoft) IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F0D71F80] \??\C:\WINDOWS\system32\drivers\OAnet.sys (OA Helper Driver/Emsisoft) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 865D61F8 Device \FileSystem\Fastfat \FatCdrom 8538B1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{1C1B196E-F2A6-4230-8E2B-27E0A49E4A71} 856EE1F8 Device \Driver\Tcpip \Device\Ip OAmon.sys (TDI Helper Driver/Emsisoft) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation) Device \Driver\usbehci \Device\USBPDO-0 863B41F8 Device \Driver\usbuhci \Device\USBPDO-1 863E21F8 Device \Driver\usbuhci \Device\USBPDO-2 863E21F8 Device \Driver\usbuhci \Device\USBPDO-3 863E21F8 Device \Driver\usbuhci \Device\USBPDO-4 863E21F8 Device \Driver\Tcpip \Device\Tcp OAmon.sys (TDI Helper Driver/Emsisoft) AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys (Family Safety Filter Driver (TDI)/Microsoft Corporation) Device \Driver\Ftdisk \Device\HarddiskVolume1 865691F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 865691F8 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 864A939B Device \Driver\atapi \Device\Ide\IdePort0 [F7379B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 864A939B Device \Driver\atapi \Device\Ide\IdePort1 [F7379B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume3 865691F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 856EE1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{CA6C67A1-5CA3-46B2-84FD-BB324A4C8D07} 856EE1F8 Device \Driver\Tcpip \Device\Udp OAmon.sys (TDI Helper Driver/Emsisoft) Device \Driver\Tcpip \Device\RawIp OAmon.sys (TDI Helper Driver/Emsisoft) Device \Driver\usbuhci \Device\USBFDO-0 863E21F8 Device \Driver\usbuhci \Device\USBFDO-1 863E21F8 Device \Driver\USBSTOR \Device\0000007b 852C4500 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 857321F8 Device \Driver\Tcpip \Device\IPMULTICAST OAmon.sys (TDI Helper Driver/Emsisoft) Device \Driver\usbuhci \Device\USBFDO-2 863E21F8 Device \Driver\USBSTOR \Device\0000007c 852C4500 Device \FileSystem\MRxSmb \Device\LanmanRedirector 857321F8 Device \Driver\usbuhci \Device\USBFDO-3 863E21F8 Device \Driver\usbehci \Device\USBFDO-4 863B41F8 Device \Driver\Ftdisk \Device\FtControl 865691F8 Device \FileSystem\Fastfat \Fat 8538B1F8 AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \Device\Ide\IdeDeviceP0T0L0-3 -> \??\IDE#DiskSAMSUNG_HM160HI_________________________HH100-06#31535757394a5a46313533323134202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x28 0x05 0xAF 0x0B ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x28 0x05 0xAF 0x0B ... ---- EOF - GMER 1.0.15 ----