GMER 1.0.15.15570 - http://www.gmer.net Rootkit scan 2011-04-11 22:25:45 Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543232L9A300 rev.FB4OC4DC Running: uo7cferr.exe; Driver: C:\Users\Mateo\AppData\Local\Temp\pwddikog.sys ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13BD 82E7D589 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EA2092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ? System32\Drivers\speb.sys System nie może odnaleźć określonej ścieżki. ! PAGE ataport.SYS!DllUnload + 1 8A086AD7 4 Bytes JMP 851BD1D9 .text USBPORT.SYS!DllUnload 94462CA0 5 Bytes JMP 862E03D8 .text ase5bcur.SYS 95EF2000 12 Bytes [44, 88, E0, 82, EE, 86, E0, ...] .text ase5bcur.SYS 95EF200D 9 Bytes [67, E0, 82, 48, 8B, E0, 82, ...] {LOOPNZW 0xffffffffffffff85; DEC EAX; MOV ESP, EAX; ADD BYTE [EAX], 0x0} .text ase5bcur.SYS 95EF2017 41 Bytes [00, DE, 57, F9, 89, E6, 55, ...] .text ase5bcur.SYS 95EF2041 128 Bytes JMP EA256082 .text ase5bcur.SYS 95EF20C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL} .text ... .text autochk.exe 004311D1 73 Bytes [10, 08, FE, 75, 41, 8B, 4D, ...] .text autochk.exe 0043121B 4 Bytes [0F, 84, C8, 00] .text autochk.exe 00431220 129 Bytes [00, 83, 7D, 18, 00, 7E, 6D, ...] .text autochk.exe 004312A2 1 Byte [00] .text autochk.exe 004312A2 7 Bytes [00, 00, C7, 44, 01, 04, 00] .text ... ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1596] kernel32.dll!SetUnhandledExceptionFilter 77F13162 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2816] USER32.dll!SetWindowLongA 77BFB1E3 5 Bytes JMP 66CB9777 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2816] USER32.dll!SetWindowLongW 77C06614 5 Bytes JMP 66CB9709 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2816] USER32.dll!GetWindowInfo 77C06A82 5 Bytes JMP 66AE7C37 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2816] USER32.dll!TrackPopupMenu 77C24B3B 5 Bytes JMP 66AE823A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3640] ntdll.dll!LdrLoadDll 77DCF5B5 5 Bytes JMP 00171410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [89E99042] \SystemRoot\System32\Drivers\speb.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [89E996D6] \SystemRoot\System32\Drivers\speb.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [89E99800] \SystemRoot\System32\Drivers\speb.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [89E9913E] \SystemRoot\System32\Drivers\speb.sys IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortNotification] 00147880 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortStallExecution] C25DC033 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortInitialize] 157B805E IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500 IAT \SystemRoot\System32\Drivers\ase5bcur.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 851C41F8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET) Device \FileSystem\fastfat \FatCdrom BBA9A1F8 Device \Driver\volmgr \Device\VolMgrControl 851BF1F8 Device \Driver\usbuhci \Device\USBPDO-0 85201500 Device \Driver\NetBT \Device\NetBT_Tcpip_{E42B028B-E8EC-4811-BD3D-040E3A040C8E} 862051F8 Device \Driver\usbuhci \Device\USBPDO-1 85201500 Device \Driver\ACPI_HAL \Device\00000052 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\usbuhci \Device\USBPDO-2 85201500 Device \Driver\usbehci \Device\USBPDO-3 85EFB500 Device \Driver\usbuhci \Device\USBPDO-4 85201500 Device \Driver\usbuhci \Device\USBPDO-5 85201500 Device \Driver\usbuhci \Device\USBPDO-6 85201500 Device \Driver\volmgr \Device\HarddiskVolume1 851BF1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\usbehci \Device\USBPDO-7 85EFB500 Device \Driver\volmgr \Device\HarddiskVolume2 851BF1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom0 861801F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 851C11F8 Device \Driver\atapi \Device\Ide\IdePort0 851C11F8 Device \Driver\atapi \Device\Ide\IdePort1 851C11F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 851C11F8 Device \Driver\msahci \Device\Ide\PciIde0Channel0 851C21F8 Device \Driver\msahci \Device\Ide\PciIde0Channel1 851C21F8 Device \Driver\volmgr \Device\HarddiskVolume3 851BF1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom1 861801F8 Device \Driver\cdrom \Device\CdRom2 861801F8 Device \Driver\volmgr \Device\HarddiskVolume4 851BF1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\NetBT \Device\NetBt_Wins_Export 862051F8 Device \Driver\sptd \Device\2366804047 speb.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{0C040BCE-D98B-470F-A9CF-D0DF7A137938} 862051F8 Device \Driver\PCI_PNP8046 \Device\0000005d speb.sys Device \Driver\usbuhci \Device\USBFDO-0 85201500 Device \Driver\NetBT \Device\NetBT_Tcpip_{A22A2019-E9F4-487B-89FF-75BE8BD4FD30} 862051F8 Device \Driver\usbuhci \Device\USBFDO-1 85201500 Device \Driver\usbuhci \Device\USBFDO-2 85201500 Device \Driver\usbehci \Device\USBFDO-3 85EFB500 Device \Driver\usbuhci \Device\USBFDO-4 85201500 Device \Driver\usbuhci \Device\USBFDO-5 85201500 Device \Driver\usbuhci \Device\USBFDO-6 85201500 Device \Driver\usbehci \Device\USBFDO-7 85EFB500 Device \Driver\ase5bcur \Device\Scsi\ase5bcur1Port2Path0Target1Lun0 8657D1F8 Device \Driver\ase5bcur \Device\Scsi\ase5bcur1 8657D1F8 Device \Driver\ase5bcur \Device\Scsi\ase5bcur1Port2Path0Target0Lun0 8657D1F8 Device \FileSystem\fastfat \Fat BBA9A1F8 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET) Device \FileSystem\cdfs \Cdfs 88D781F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 81456 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 6457 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9B 0x37 0x70 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0xA2 0xD0 0x76 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x39 0xFF 0x6F 0x58 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x05 0x6D 0x28 0xB8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xF9 0x74 0x44 0xA9 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9B 0x37 0x70 0x27 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x25 0xA2 0xD0 0x76 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x39 0xFF 0x6F 0x58 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x05 0x6D 0x28 0xB8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0xF9 0x74 0x44 0xA9 ... ---- EOF - GMER 1.0.15 ----