GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-02-05 22:42:28 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e WDC_WD2500BEVS-22UST0 rev.01.01A01 232,89GB Running: nsl1rdg1.exe; Driver: C:\DOCUME~1\Preki\USTAWI~1\Temp\pwrdafob.sys ---- System - GMER 2.2 ---- SSDT sptd.sys ZwCreateKey [0xB7E90FA0] SSDT sptd.sys ZwEnumerateKey [0xB7EC5018] SSDT sptd.sys ZwEnumerateValueKey [0xB7EC53A6] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0xB83C96F0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0xB83C9820] SSDT sptd.sys ZwOpenKey [0xB7E90F80] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0xB83C9010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0xB83C94E0] SSDT sptd.sys ZwQueryKey [0xB7EC547E] SSDT sptd.sys ZwQueryValueKey [0xB7EC52FE] SSDT sptd.sys ZwSetValueKey [0xB7EC5510] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0xB83C9300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0xB83C93F0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0xB83C9120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0xB83C9210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0xB83C95F0] INT 0x62 ? 8AE4FCB8 INT 0x63 ? 8AC36F00 INT 0x73 ? 8AC36F00 INT 0x74 ? 8AC36F00 INT 0x94 ? 8AC36F00 INT 0xA4 ? 8AE4FCB8 INT 0xB4 ? 8AC36F00 ---- Kernel code sections - GMER 2.2 ---- ? 56717284.sys Nie można odnaleźć określonego pliku. ! .text sptd.sys B7E54000 28 Bytes [30, 78, 6E, 80, A6, CB, 6E, ...] .text sptd.sys B7E5401D 3 Bytes [79, 6E, 80] .text sptd.sys B7E54024 40 Bytes [28, 54, 53, 80, 68, B9, 54, ...] .text sptd.sys B7E5404D 83 Bytes [F2, 4E, 80, 96, 67, 52, 80, ...] .text sptd.sys B7E540A1 120 Bytes [9A, 53, 80, 2C, 7C, 50, 80, ...] .text ... .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB7EFE9E3] ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB57643A0, 0x59FFE5, 0xE8000020] ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[5200] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10008290 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5200] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 0242E8D2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5200] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 0242D9FF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5200] kernel32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 0212AE7F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5200] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 0242D405 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5200] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 030530ED C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5200] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 020E5294 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5200] USER32.dll!CreateWindowExA 7E37E4A9 5 Bytes JMP 025ADDBF C:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.2 ---- Device \FileSystem\Ntfs \Ntfs 8AE4E1E8 Device \Driver\dtsoftbus01 \Device\0000009b 8AA0C430 AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys AttachedDevice \Driver\Tcpip \Device\Ip kl1.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{B65CD481-2E0A-4E57-9EDB-FE4BECDA2AE5} 88A491E8 Device \Driver\usbuhci \Device\USBPDO-0 8AB28430 Device \Driver\usbuhci \Device\USBPDO-1 8AB28430 Device \Driver\usbehci \Device\USBPDO-2 8AA12430 Device \Driver\usbuhci \Device\USBPDO-3 8AB28430 Device \Driver\usbuhci \Device\USBPDO-4 8AB28430 AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys AttachedDevice \Driver\Tcpip \Device\Tcp kl1.sys Device \Driver\00005147 \Device\KLMD05082016_02130002 56717284.sys Device \Driver\usbuhci \Device\USBPDO-5 8AB28430 Device \Driver\usbehci \Device\USBPDO-6 8AA12430 Device \FileSystem\07141633 \Device\KLMD05082016_02130002_B 56717284.sys Device \Driver\Cdrom \Device\CdRom0 8AA2A430 Device \Driver\PCI_PNP8840 \Device\00000065 sptd.sys Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7DBFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [B7DBFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B7DBFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B7DBFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B7DBFB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Cdrom \Device\CdRom1 8AA2A430 Device \Driver\NetBT \Device\NetBT_Tcpip_{4AD8BFEC-B453-4962-89F7-817967FD32AB} 88A491E8 Device \Driver\Cdrom \Device\CdRom2 8AA2A430 Device \Driver\USBSTOR \Device\000000b2 88A401E8 Device \Driver\Cdrom \Device\CdRom3 8AA2A430 Device \Driver\Cdrom \Device\CdRom4 8AA2A430 Device \Driver\USBSTOR \Device\000000b5 88A401E8 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl 8AA0C430 Device \Driver\NetBT \Device\NetBt_Wins_Export 88A491E8 Device \Driver\USBSTOR \Device\000000b6 88A401E8 Device \Driver\NetBT \Device\NetbiosSmb 88A491E8 AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys AttachedDevice \Driver\Tcpip \Device\Udp kl1.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{E2ABE025-2B02-420B-B2D9-65262522324B} 88A491E8 AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys AttachedDevice \Driver\Tcpip \Device\RawIp kl1.sys Device \Driver\usbuhci \Device\USBFDO-0 8AB28430 Device \Driver\usbuhci \Device\USBFDO-1 8AB28430 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 88A3E1E8 Device \Driver\usbehci \Device\USBFDO-2 8AA12430 Device \FileSystem\MRxSmb \Device\LanmanRedirector 88A3E1E8 Device \Driver\usbuhci \Device\USBFDO-3 8AB28430 Device \Driver\usbuhci \Device\USBFDO-4 8AB28430 Device \Driver\usbuhci \Device\USBFDO-5 8AB28430 Device \Driver\usbehci \Device\USBFDO-6 8AA12430 Device \Driver\a8426dpe \Device\Scsi\a8426dpe1Port3Path0Target1Lun0 8AA07430 Device \Driver\a8426dpe \Device\Scsi\a8426dpe1Port3Path0Target0Lun0 8AA07430 Device \Driver\a8426dpe \Device\Scsi\a8426dpe1 8AA07430 Device \Driver\dtsoftbus01 \Device\0000009a 8AA0C430 Device \FileSystem\Cdfs \Cdfs 8AC92430 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\ControlSet001\Control\Video\{04A535C9-EE1E-40B1-B0CD-3F00741249F2}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet001\Control\Video\{04A535C9-EE1E-40B1-B0CD-3F00741249F2}\0001@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet001\Control\Video\{75890269-F413-4C48-90BB-17FAE9B6ED35}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet001\Control\Video\{75890269-F413-4C48-90BB-17FAE9B6ED35}\0001@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5C 0xA1 0xC7 0x1C ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x51 0x45 0x27 0x18 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFB 0x69 0x42 0xC1 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xCF 0xE6 0x9F 0x50 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{04A535C9-EE1E-40B1-B0CD-3F00741249F2}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{04A535C9-EE1E-40B1-B0CD-3F00741249F2}\0001@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{75890269-F413-4C48-90BB-17FAE9B6ED35}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{75890269-F413-4C48-90BB-17FAE9B6ED35}\0001@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xBF 0xE2 0x11 0x04 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x51 0x45 0x27 0x18 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFB 0x69 0x42 0xC1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xCF 0xE6 0x9F 0x50 ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x41 0x66 0x12 0x6F ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x51 0x45 0x27 0x18 ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFE 0x10 0x7F 0xD8 ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0xDC 0x96 0xD7 0x76 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{538779CB-D86F-CAEB-052D-A3AE3BF4031E} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{538779CB-D86F-CAEB-052D-A3AE3BF4031E}@hajfbedjckaabgok 0x67 0x61 0x63 0x65 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{538779CB-D86F-CAEB-052D-A3AE3BF4031E}@ianhibekeodhifijpb 0x62 0x61 0x68 0x64 ... ---- Disk sectors - GMER 2.2 ---- Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 488396063 !