GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-07-18 11:10:20 Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort2 ST3500320AS rev.SD1A Running: c8utc956.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\uxliyuoc.sys ---- System - GMER 1.0.15 ---- SSDT spjl.sys ZwCreateKey [0xBA6B50E0] SSDT spjl.sys ZwEnumerateKey [0xBA6CDDA4] SSDT spjl.sys ZwEnumerateValueKey [0xBA6CE132] SSDT spjl.sys ZwOpenKey [0xBA6B50C0] SSDT spjl.sys ZwQueryKey [0xBA6CE20A] SSDT spjl.sys ZwQueryValueKey [0xBA6CE08A] SSDT spjl.sys ZwSetValueKey [0xBA6CE29C] INT 0x63 ? 89DE4BF8 INT 0x63 ? 89DE4BF8 INT 0x63 ? 89DE4BF8 INT 0x63 ? 89DE4BF8 INT 0x63 ? 89DE4BF8 INT 0x83 ? 89DE4BF8 INT 0x83 ? 89DE4BF8 INT 0x83 ? 89AB6BF8 INT 0x84 ? 89AB6BF8 INT 0x94 ? 89AB6BF8 INT 0xA4 ? 89AB6BF8 INT 0xA4 ? 89AB6BF8 INT 0xA4 ? 89AB6BF8 INT 0xA4 ? 89AB6BF8 INT 0xB4 ? 89AB6BF8 ---- Kernel code sections - GMER 1.0.15 ---- ? spjl.sys Nie można odnaleźć określonego pliku. ! .rsrc C:\WINDOWS\system32\drivers\pci.sys entry point in ".rsrc" section [0xBA66A994] ? C:\WINDOWS\system32\drivers\pci.sys suspicious PE modification .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB88BD360, 0x32E00D, 0xE8000020] .text USBPORT.SYS!DllUnload B889E62C 5 Bytes JMP 89AB61D8 ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\System32\svchost.exe[972] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00B1000A .text C:\WINDOWS\System32\svchost.exe[972] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00B2000A .text C:\WINDOWS\System32\svchost.exe[972] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00B0000C .text C:\WINDOWS\System32\svchost.exe[972] USER32.dll!GetCursorPos 7E36BD5E 5 Bytes JMP 008B000A .text C:\WINDOWS\System32\svchost.exe[972] ole32.dll!CoCreateInstance 774F057E 5 Bytes JMP 00BA000A .text C:\WINDOWS\Explorer.EXE[1752] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0165000A .text C:\WINDOWS\Explorer.EXE[1752] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 0166000A .text C:\WINDOWS\Explorer.EXE[1752] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00FF000C .text C:\WINDOWS\system32\wuauclt.exe[2356] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 015B000A .text C:\WINDOWS\system32\wuauclt.exe[2356] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 0181000A .text C:\WINDOWS\system32\wuauclt.exe[2356] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 015A000C .text C:\Program Files\Mozilla Firefox\firefox.exe[3764] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 0179000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3764] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 017A000A .text C:\Program Files\Mozilla Firefox\firefox.exe[3764] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0178000C ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6B6042] spjl.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6B613E] spjl.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6B60C0] spjl.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6B6800] spjl.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6B66D6] spjl.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6C5B90] spjl.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 89DE31F8 Device \Driver\usbuhci \Device\USBPDO-0 89B7F1F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 89E541F8 Device \Driver\dmio \Device\DmControl\DmConfig 89E541F8 Device \Driver\dmio \Device\DmControl\DmPnP 89E541F8 Device \Driver\dmio \Device\DmControl\DmInfo 89E541F8 Device \Driver\usbuhci \Device\USBPDO-1 89B7F1F8 Device \Driver\usbuhci \Device\USBPDO-2 89B7F1F8 Device \Driver\usbehci \Device\USBPDO-3 89B6B1F8 Device \Driver\usbuhci \Device\USBPDO-4 89B7F1F8 Device \Driver\usbuhci \Device\USBPDO-5 89B7F1F8 Device \Driver\usbuhci \Device\USBPDO-6 89B7F1F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 89DE51F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{99823368-26FB-454A-8A59-59CDB580A99C} 89B1D500 Device \Driver\usbehci \Device\USBPDO-7 89B6B1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 89DE51F8 Device \Driver\Cdrom \Device\CdRom0 89B601F8 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 89CCCAEA Device \Driver\atapi \Device\Ide\IdePort0 89DE41F8 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 89CCCAEA Device \Driver\atapi \Device\Ide\IdePort1 89DE41F8 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 89CCCAEA Device \Driver\atapi \Device\Ide\IdePort2 89DE41F8 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 89CCCAEA Device \Driver\atapi \Device\Ide\IdePort3 89DE41F8 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 89CCCAEA Device \Driver\atapi \Device\Ide\IdePort4 89DE41F8 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 89CCCAEA Device \Driver\atapi \Device\Ide\IdePort5 89DE41F8 Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP1T0L0-5 89CCCAEA Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-5 89DE41F8 Device \Driver\Ftdisk \Device\HarddiskVolume3 89DE51F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 89B1D500 Device \Driver\usbstor \Device\00000077 89BA7370 Device \Driver\usbstor \Device\00000079 89BA7370 Device \Driver\NetBT \Device\NetbiosSmb 89B1D500 Device \Driver\usbuhci \Device\USBFDO-0 89B7F1F8 Device \Driver\usbstor \Device\0000007a 89BA7370 Device \Driver\usbuhci \Device\USBFDO-1 89B7F1F8 Device \Driver\usbstor \Device\0000007b 89BA7370 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 894141F8 Device \Driver\usbuhci \Device\USBFDO-2 89B7F1F8 Device \Driver\usbstor \Device\0000007c 89BA7370 Device \FileSystem\MRxSmb \Device\LanmanRedirector 894141F8 Device \Driver\usbehci \Device\USBFDO-3 89B6B1F8 Device \Driver\usbuhci \Device\USBFDO-4 89B7F1F8 Device \Driver\Ftdisk \Device\FtControl 89DE51F8 Device \Driver\usbuhci \Device\USBFDO-5 89B7F1F8 Device \Driver\usbuhci \Device\USBFDO-6 89B7F1F8 Device \Driver\usbehci \Device\USBFDO-7 89B6B1F8 Device \FileSystem\Cdfs \Cdfs 899E9500 Device \Device\Ide\IdeDeviceP2T0L0-10 -> \??\IDE#DiskST3500320AS_____________________________SD1A____#5&18fda9ce&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found ---- Processes - GMER 1.0.15 ---- Library C:\Program (*** hidden *** ) @ C:\Program [1980] 0x00400000 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2F 0xFD 0x42 0x14 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x2F 0xFD 0x42 0x14 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x01 0x17 0x2B 0xBC ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x28 0x00 0x47 0x25 ... ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\system32\drivers\pci.sys suspicious modification; TDL3 <-- ROOTKIT !!! ---- EOF - GMER 1.0.15 ----