GMER 1.0.15.15640 - http://www.gmer.net Rootkit scan 2011-06-09 16:45:26 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_SV4012H rev.RM100-10 Running: cj9je7cw.exe; Driver: C:\DOCUME~1\Drill\USTAWI~1\Temp\kxtdypod.sys ---- System - GMER 1.0.15 ---- SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwAllocateVirtualMemory [0xA7453410] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwAssignProcessToJobObject [0xA7452E5A] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwConnectPort [0xA7452EA2] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwCreateFile [0xA7452F5A] SSDT F7B6EA6E ZwCreateKey SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwCreateProcess [0xA7453BEC] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwCreateProcessEx [0xA7453C78] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwCreateSection [0xA7452FDA] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwCreateThread [0xA7453D08] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwDebugActiveProcess [0xA745302A] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwDeleteFile [0xA7453072] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwDeleteKey [0xA74530BA] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwDeleteValueKey [0xA7453102] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwDuplicateObject [0xA745314C] SSDT spgv.sys ZwEnumerateKey [0xF7433DA4] SSDT spgv.sys ZwEnumerateValueKey [0xF7434132] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwFsControlFile [0xA7453196] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwLoadDriver [0xA74531E0] SSDT F7B6EA82 ZwLoadKey SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwMapViewOfSection [0xA7453256] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwOpenFile [0xA745329E] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwOpenKey [0xA74532EE] SSDT F7B6EA50 ZwOpenProcess SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwOpenSection [0xA7453336] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwOpenThread [0xA745337E] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwProtectVirtualMemory [0xA745345E] SSDT spgv.sys ZwQueryKey [0xF743420A] SSDT spgv.sys ZwQueryValueKey [0xF743408A] SSDT F7B6EA8C ZwReplaceKey SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwRequestWaitReplyPort [0xA74533C6] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwRestoreKey [0xA74534A6] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwResumeThread [0xA74534F4] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSecureConnectPort [0xA74535E0] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSetInformationFile [0xA745353C] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSetSecurityObject [0xA745368C] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSetValueKey [0xA745358C] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSuspendProcess [0xA74536D6] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwSystemDebugControl [0xA745371E] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwTerminateProcess [0xA7453766] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwWriteFile [0xA74537B4] SSDT \??\C:\WINDOWS\system32\drivers\PCTAppEvent.sys (PC Tools App Monitor Driver/PC Tools) ZwWriteVirtualMemory [0xA74537FC] INT 0x33 ? 82C45F00 INT 0x35 ? 82C45F00 INT 0x3A ? 82C45F00 INT 0x3B ? 82C45F00 INT 0x3E ? 82FDCBF8 INT 0x3F ? 82FDCBF8 ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!_abnormal_termination + F0 804E275C 4 Bytes JMP 9060F7B6 .text ntoskrnl.exe!_abnormal_termination + 234 804E28A0 4 Bytes [50, EA, B6, F7] .text ntoskrnl.exe!_abnormal_termination + 350 804E29BC 4 Bytes JMP E67CF7B6 ? spgv.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF1745360, 0x24BB1D, 0xE8000020] .text USBPORT.SYS!DllUnload F15148AC 5 Bytes JMP 82C454E0 ---- User code sections - GMER 1.0.15 ---- ? D:\PC Tools Firewall Plus\FWService.exe[660] C:\WINDOWS\system32\msvcrt.dll IMAGE_DOS_SIGNATURE not found; ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82FDE2D8 IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7446DDC] spgv.sys IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7446E30] spgv.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F741C042] spgv.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F741C13E] spgv.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F741C0C0] spgv.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F741C800] spgv.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F741C6D6] spgv.sys IAT \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82C455E0 IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F742BB90] spgv.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 82FDB1F8 AttachedDevice \Driver\Tcpip \Device\Ip pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools) Device \Driver\usbuhci \Device\USBPDO-0 82C59500 Device \Driver\usbuhci \Device\USBPDO-1 82C59500 Device \Driver\usbuhci \Device\USBPDO-2 82C59500 Device \Driver\usbehci \Device\USBPDO-3 82C5A500 AttachedDevice \Driver\Tcpip \Device\Tcp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools) Device \Driver\Ftdisk \Device\HarddiskVolume1 82F6E1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 82F6E1F8 Device \Driver\Cdrom \Device\CdRom0 82C61500 Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F7394B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F7394B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7394B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F7394B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F7394B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Cdrom \Device\CdRom1 82C61500 Device \Driver\NetBT \Device\NetBT_Tcpip_{C8FEC7BE-8BB2-42CD-B889-3FB3DF7E870C} 82CBF500 Device \Driver\NetBT \Device\NetBt_Wins_Export 82CBF500 Device \Driver\NetBT \Device\NetbiosSmb 82CBF500 AttachedDevice \Driver\Tcpip \Device\Udp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools) AttachedDevice \Driver\Tcpip \Device\RawIp pctgntdi.sys (PC Tools Generic TDI Driver/PC Tools) Device \Driver\usbuhci \Device\USBFDO-0 82C59500 Device \Driver\usbuhci \Device\USBFDO-1 82C59500 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82CF21F8 Device \Driver\usbuhci \Device\USBFDO-2 82C59500 Device \FileSystem\MRxSmb \Device\LanmanRedirector 82CF21F8 Device \Driver\usbehci \Device\USBFDO-3 82C5A500 Device \Driver\Ftdisk \Device\FtControl 82F6E1F8 Device \FileSystem\Cdfs \Cdfs 82C81500 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x54 0x40 0x06 0x46 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x54 0x40 0x06 0x46 ... ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 MBR read error Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0 ---- EOF - GMER 1.0.15 ----