GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-13 23:47:09 Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JB-00JJC0 rev.05.01C05 74,53GB Running: wz1v90zt.exe; Driver: E:\DOCUME~1\RADEK~1.LZT\USTAWI~1\Temp\ffryypow.sys ---- System - GMER 2.1 ---- SSDT sphe.sys ZwCreateKey [0xF741B0E0] SSDT sphe.sys ZwEnumerateKey [0xF7433DA4] SSDT sphe.sys ZwEnumerateValueKey [0xF7434132] SSDT sphe.sys ZwOpenKey [0xF741B0C0] SSDT sphe.sys ZwQueryKey [0xF743420A] SSDT sphe.sys ZwQueryValueKey [0xF743408A] SSDT sphe.sys ZwSetValueKey [0xF743429C] INT 0x62 ? 82F70BF8 INT 0x63 ? 82C4FBF8 INT 0x63 ? 82C4FBF8 INT 0x63 ? 82C4FBF8 INT 0x63 ? 82C4FBF8 INT 0x82 ? 82F70BF8 ---- Kernel code sections - GMER 2.1 ---- ? sphe.sys Nie można odnaleźć określonego pliku. ! .text E:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF6AC3340, 0x121A5F, 0xF8000020] .text E:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF9D3380, 0x25BA81, 0xF8000020] ? \Program Files\DAEMON Tools Lite\Engine.dll Nie można odnaleźć określonego pliku. ! 
---- User code sections - GMER 2.1 ---- .text E:\WINDOWS\System32\svchost.exe[1156] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 00C9ADCD .text E:\WINDOWS\System32\svchost.exe[1156] NETAPI32.dll!NetpwPathCanonicalize 6FF4A259 5 Bytes JMP 00C9AD64 .text E:\WINDOWS\System32\svchost.exe[1208] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes JMP 0068ADCD ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 82F6F1F8 Device \Driver\sptd \Device\730280922 sphe.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{E375C8A5-A27A-4C0A-A322-EFD5135753AF} 82B621F8 Device \Driver\usbuhci \Device\USBPDO-0 82DB8500 Device \Driver\usbuhci \Device\USBPDO-1 82DB8500 Device \Driver\dmio \Device\DmControl\DmIoDaemon 82FDD1F8 Device \Driver\dmio \Device\DmControl\DmConfig 82FDD1F8 Device \Driver\dmio \Device\DmControl\DmPnP 82FDD1F8 Device \Driver\dmio \Device\DmControl\DmInfo 82FDD1F8 Device \Driver\usbuhci \Device\USBPDO-2 82DB8500 Device \Driver\Ftdisk \Device\HarddiskVolume1 82F711F8 Device \Driver\Cdrom \Device\CdRom0 82C52500 Device \Driver\Ftdisk \Device\HarddiskVolume2 82F711F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 82F701F8 Device \Driver\atapi \Device\Ide\IdePort0 82F701F8 Device \Driver\atapi \Device\Ide\IdePort1 82F701F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e 82F701F8 Device \Driver\Ftdisk \Device\HarddiskVolume3 82F711F8 Device \Driver\PCI_PNP5922 \Device\0000003a sphe.sys Device \Driver\Cdrom \Device\CdRom1 82C52500 Device \Driver\Ftdisk \Device\HarddiskVolume4 82F711F8 Device \Driver\Ftdisk \Device\HarddiskVolume5 82F711F8 Device \Driver\Ftdisk \Device\HarddiskVolume6 82F711F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 82B621F8 Device \Driver\NetBT \Device\NetbiosSmb 82B621F8 Device \Driver\usbuhci \Device\USBFDO-0 82DB8500 Device \Driver\usbuhci \Device\USBFDO-1 82DB8500 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82AB91F8 Device \Driver\usbuhci \Device\USBFDO-2 82DB8500 Device \FileSystem\MRxSmb 
\Device\LanmanRedirector 82AB91F8 Device \Driver\Ftdisk \Device\FtControl 82F711F8 Device \Driver\a8etmdql \Device\Scsi\a8etmdql1Port2Path0Target0Lun0 82D93500 Device \Driver\a8etmdql \Device\Scsi\a8etmdql1 82D93500 Device \FileSystem\Cdfs \Cdfs 82E04500 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll >>UNKNOWN [0x82f701f8]<< 82f701f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82edaab8] 82edaab8 Trace 3 CLASSPNP.SYS[f756f05b] -> nt!IofCallDriver -> \Device\00000053[0x82f57168] 82f57168 Trace 5 ACPI.sys[f73d9620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82eff940] 82eff940 Trace \Driver\atapi[0x82f579c8] -> IRP_MJ_CREATE -> 0x82f701f8 82f701f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4C 0x44 0x8A 0xFC ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0B 0xEE 0xD2 0x2D ... 
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCC 0xC3 0xA1 0xCE ... Reg HKLM\SYSTEM\ControlSet003\Services\mvqpbaptc@DisplayName Update Driver Reg HKLM\SYSTEM\ControlSet003\Services\mvqpbaptc@Type 32 Reg HKLM\SYSTEM\ControlSet003\Services\mvqpbaptc@Start 2 Reg HKLM\SYSTEM\ControlSet003\Services\mvqpbaptc@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet003\Services\mvqpbaptc@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet003\Services\mvqpbaptc@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet003\Services\mvqpbaptc@Description Monitoruje ustawienia zabezpieczeń i konfiguracje systemu. Reg HKLM\SYSTEM\ControlSet003\Services\mvqpbaptc\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\mvqpbaptc\Parameters@ServiceDll E:\WINDOWS\system32\mamfpuyt.dll Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 F:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4C 0x44 0x8A 0xFC ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0B 0xEE 0xD2 0x2D ... 
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCC 0xC3 0xA1 0xCE ... ---- EOF - GMER 2.1 ----