GMER 1.0.15.15570 - http://www.gmer.net Rootkit scan 2011-04-03 15:04:29 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-6 ST380011A rev.3.04 Running: h7w06r05.exe; Driver: C:\DOCUME~1\Tux\USTAWI~1\Temp\pxldipow.sys ---- System - GMER 1.0.15 ---- SSDT F7A96A66 ZwCreateKey SSDT F7A96A5C ZwCreateThread SSDT F7A96A6B ZwDeleteKey SSDT F7A96A75 ZwDeleteValueKey SSDT sptd.sys ZwEnumerateKey [0xF7532018] SSDT sptd.sys ZwEnumerateValueKey [0xF75323A6] SSDT F7A96A7A ZwLoadKey SSDT sptd.sys ZwOpenKey [0xF74FDF80] SSDT F7A96A48 ZwOpenProcess SSDT F7A96A4D ZwOpenThread SSDT sptd.sys ZwQueryKey [0xF753247E] SSDT sptd.sys ZwQueryValueKey [0xF75322FE] SSDT F7A96A84 ZwReplaceKey SSDT F7A96A7F ZwRestoreKey SSDT F7A96A70 ZwSetValueKey INT 0x62 ? 89918CB8 INT 0x63 ? 894AFF00 INT 0x82 ? 89918CB8 INT 0xA4 ? 894AFF00 INT 0xB4 ? 894AFF00 ---- Kernel code sections - GMER 1.0.15 ---- .text sptd.sys F74C1000 32 Bytes [E0, 16, 6F, 80, 5E, 67, 6F, ...] .text sptd.sys F74C1024 424 Bytes [15, 77, 50, 80, 44, B7, 54, ...] .text sptd.sys F74C11D4 4 Bytes [F3, A5, 6A, 4D] {REP MOVSD ; PUSH 0x4d} .text sptd.sys F74C11DC 1 Byte [02] .text sptd.sys F74C11E0 1 Byte [21] .text ... .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF756B9E3] ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB90B6000, 0x1C5D38, 0xE8000020] .text USBPORT.SYS!DllUnload B90958AC 5 Bytes JMP 894AF410 .text ai9upkwr.SYS B8F37306 50 Bytes [00, 00, 00, 24, 03, 00, F0, ...] .text ai9upkwr.SYS B8F37339 23 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text ai9upkwr.SYS B8F37351 87 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text ai9upkwr.SYS B8F373A9 10 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL} .text ai9upkwr.SYS B8F373B4 34 Bytes [40, 00, 00, C8, 50, 41, 47, ...] .text ... ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F74C320E] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F74C270C] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F74C2EEE] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74C270C] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74C28F0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74C2832] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74C30CC] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74C2EEE] sptd.sys IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 894AF540 IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74D6F56] sptd.sys IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoCreateDevice] 00E49E89 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoDetachDevice] 9E890000 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!ExFreePoolWithTag] 000000E8 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoFreeWorkItem] 00EC9E89 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoDeleteDevice] 60EB0000 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!KeWaitForSingleObject] 000938B9 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!KeSetEvent] D8868D00 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!ObfReferenceObject] 89000000 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!ExAllocatePoolWithTag] E8868908 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString] 89000000 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize] 0000E48E IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!NlsMbCodePageTag] 6C868D00 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!RtlInitAnsiString] 89000001 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!RtlInitUnicodeString] 0000DC86 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!sprintf] F4458B00 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoFreeIrp] E9C1C88B IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoCancelIrp] F28E8818 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoAllocateIrp] 8B000000 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!KeInitializeEvent] 10E9C1C8 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoSetCompletionRoutineEx] 00F38E88 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoInitializeTimer] C88B0000 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IofCallDriver] C708E9C1 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack] 0000EC86 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoSetStartIoAttributes] F3912C00 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoStartPacket] F48E88B8 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!PoRequestPowerIrp] 88000000 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoStopTimer] 0000F586 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoStartTimer] F886C600 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoAllocateWorkItem] 01000000 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoReleaseCancelSpinLock] C6385E39 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!KeRemoveEntryDeviceQueue] 0000F986 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoQueueWorkItem] 86C6F800 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoFreeMdl] 000000FA IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool] 009E8902 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoAllocateMdl] 89000001 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 0001049E IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!memmove] 8B047500 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel] 8D2CEBFA IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel] 00015086 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoBuildPartialMdl] 15FF5000 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoAcquireCancelSpinLock] [B8F38050] \SystemRoot\System32\Drivers\ai9upkwr.SYS (USB Mass Storage Class Driver/Microsoft Corporation) IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!KeTickCount] 00D09E38 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!KeBugCheckEx] 0E740000 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IofCompleteRequest] 013686C6 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoStartNextPacket] [BF010000] \SystemRoot\System32\drivers\dxg.sys (DirectX Graphics Driver/Microsoft Corporation) IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!PoStartNextPowerIrp] 000003E5 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!PoCallDriver] 86C609EB IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey] 00000137 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!RtlQueryRegistryValues] 8AFF3301 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!KeInitializeSpinLock] 4D8BFF55 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!ZwClose] 0815FFF8 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!MmHighestUserAddress] 3BB8F380 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest] 6A0A75FB IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[HAL.dll!KeGetCurrentIrql] 000000F0 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[HAL.dll!KfAcquireSpinLock] 0B5D3842 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[HAL.dll!KfReleaseSpinLock] 00E09689 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[HAL.dll!KfRaiseIrql] F98B0000 IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[HAL.dll!KfLowerIrql] ABABABAB IAT \SystemRoot\System32\Drivers\ai9upkwr.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] 0000F186 IAT \SystemRoot\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 89403540 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 899171E8 Device \Driver\PCI_PNP8840 \Device\00000040 sptd.sys Device \Driver\PCI_PNP8840 \Device\00000040 sptd.sys Device \Driver\usbuhci \Device\USBPDO-0 8948F430 Device \Driver\NetBT \Device\NetBT_Tcpip_{7649A435-F525-4669-BE8E-ACF4C4D9FFC1} 894E7430 Device \Driver\usbuhci \Device\USBPDO-1 8948F430 Device \Driver\usbuhci \Device\USBPDO-2 8948F430 Device \Driver\usbehci \Device\USBPDO-3 893FD430 Device \Driver\Cdrom \Device\CdRom0 894C3430 Device \Driver\atapi \Device\Ide\IdePort0 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-6 [F7833B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Cdrom \Device\CdRom1 894C3430 Device \Driver\Cdrom \Device\CdRom2 894C3430 Device \Driver\NetBT \Device\NetBt_Wins_Export 894E7430 Device \Driver\NetBT \Device\NetbiosSmb 894E7430 Device \Driver\usbuhci \Device\USBFDO-0 8948F430 Device \Driver\usbuhci \Device\USBFDO-1 8948F430 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89531430 Device \Driver\usbuhci \Device\USBFDO-2 8948F430 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89531430 Device \Driver\usbehci \Device\USBFDO-3 893FD430 Device \Driver\ai9upkwr \Device\Scsi\ai9upkwr1 89412430 Device \Driver\ai9upkwr \Device\Scsi\ai9upkwr1Port2Path0Target1Lun0 89412430 Device \Driver\ai9upkwr \Device\Scsi\ai9upkwr1Port2Path0Target0Lun0 89412430 Device \FileSystem\Cdfs \Cdfs 89498430 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0xFA 0x40 0xFA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC9 0x55 0x93 0xB1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBF 0x96 0x36 0x5E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xEC 0xC8 0xB1 0x0C ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x0B 0xFA 0x40 0xFA ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC9 0x55 0x93 0xB1 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBF 0x96 0x36 0x5E ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xEC 0xC8 0xB1 0x0C ... ---- EOF - GMER 1.0.15 ----