GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-26 23:54:18
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11
Running: 1pwxbrh7.exe; Driver: C:\Users\mhj\AppData\Local\Temp\kxtdypow.sys


---- System - GMER 1.0.15 ----

INT 0x72 ? 86EF7F00
INT 0x72 ? 86EF7F00
INT 0x72 ? 86EF7F00
INT 0x72 ? 86EF7F00
INT 0x72 ? 86EF7F00
INT 0x82 ? 86EF7F00
INT 0x92 ? 85398BF8
INT 0x92 ? 85398BF8
INT 0x92 ? 85398BF8
INT 0x92 ? 85398BF8
INT 0x92 ? 85398BF8
INT 0xA2 ? 86EF7F00
INT 0xB2 ? 86EF7F00

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spvv.sys The system cannot find the path specified.
! .text USBPORT.SYS!DllUnload 8E7F141B 5 Bytes JMP 86EF74E0

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1848] ntdll.dll!LdrLoadDll 76FA93A8 5 Bytes JMP 01391410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1852] kernel32.dll!SetUnhandledExceptionFilter 7567A8C5 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8068E6D6] \SystemRoot\System32\Drivers\spvv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8068E042] \SystemRoot\System32\Drivers\spvv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8068E800] \SystemRoot\System32\Drivers\spvv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8068E0C0] \SystemRoot\System32\Drivers\spvv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8068E13E] \SystemRoot\System32\Drivers\spvv.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8069DB90] \SystemRoot\System32\Drivers\spvv.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73AA7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73AFA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73AABB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73A9F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73AA75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73A9E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73AD8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73AADA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73A9FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73A9FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73A971CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73B2CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73ACC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73A9D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73A96853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73A9687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73AA2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85D2B1F8
Device \FileSystem\fastfat \FatCdrom 88DD73E8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
Device \Driver\netbt \Device\NetBT_Tcpip_{BC946024-61D6-4AF0-8680-494B2AD40DC5} 887E71F8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
Device \Driver\volmgr \Device\VolMgrControl 85D271F8
Device \Driver\usbuhci \Device\USBPDO-0 86F491F8
Device \Driver\usbuhci \Device\USBPDO-1 86F491F8
Device \Driver\usbuhci \Device\USBPDO-2 86F491F8
Device \Driver\usbehci \Device\USBPDO-3 86F051F8
Device \Driver\usbuhci \Device\USBPDO-4 86F491F8
Device \Driver\usbuhci \Device\USBPDO-5 86F491F8
Device \Driver\usbuhci \Device\USBPDO-6 86F491F8
Device \Driver\volmgr \Device\HarddiskVolume1 85D271F8
Device \Driver\usbehci \Device\USBPDO-7 86F051F8
Device \Driver\volmgr \Device\HarddiskVolume2 85D271F8
Device \Driver\cdrom \Device\CdRom0 86F281F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 85D291F8
Device \Driver\atapi \Device\Ide\IdePort0 85D291F8
Device \Driver\atapi \Device\Ide\IdePort1 85D291F8
Device \Driver\atapi \Device\Ide\IdePort2 85D291F8
Device \Driver\atapi \Device\Ide\IdePort3 85D291F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 85D291F8
Device \Driver\msahci \Device\Ide\PciIde0Channel0 85D2A1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel1 85D2A1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel4 85D2A1F8
Device \Driver\msahci \Device\Ide\PciIde0Channel5 85D2A1F8
Device \Driver\volmgr \Device\HarddiskVolume3 85D271F8
Device \Driver\volmgr \Device\HarddiskVolume4 85D271F8
Device \Driver\netbt \Device\NetBT_Tcpip_{EFB90487-D593-4AB5-81AE-CA7353F11D08} 887E71F8
Device \Driver\netbt \Device\NetBt_Wins_Export 887E71F8
Device \Driver\Smb \Device\NetbiosSmb 889481F8
Device \Driver\iScsiPrt \Device\RaidPort0 86F1B1F8
Device \Driver\usbuhci \Device\USBFDO-0 86F491F8
Device \Driver\usbuhci \Device\USBFDO-1 86F491F8
Device \Driver\usbuhci \Device\USBFDO-2 86F491F8
Device \Driver\usbehci \Device\USBFDO-3 86F051F8
Device \Driver\usbuhci \Device\USBFDO-4 86F491F8
Device \Driver\usbuhci \Device\USBFDO-5 86F491F8
Device \Driver\usbuhci \Device\USBFDO-6 86F491F8
Device \Driver\usbehci \Device\USBFDO-7 86F051F8
Device \FileSystem\fastfat \Fat 88DD73E8
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\cdfs \Cdfs 887721F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2f2fe32
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2f2fe32@001e3a245bb6 0x36 0xC8 0xCB 0xF2 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2f2fe32@00233a02581b 0xCB 0x53 0xD6 0xBF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2f2fe32@0cddefe1ac60 0xCE 0xB0 0xC9 0x7A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2f2fe32@6c9b020e1a65 0x12 0xA7 0x18 0x8B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2f2fe32@d45d4210fe88 0x50 0x5E 0xF8 0x7F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2f2fe32@bc4760b7822e 0xD1 0x4C 0x78 0x67 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6C 0xC5 0x0C 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2f2fe32 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2f2fe32@001e3a245bb6 0x36 0xC8 0xCB 0xF2 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2f2fe32@00233a02581b 0xCB 0x53 0xD6 0xBF ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2f2fe32@0cddefe1ac60 0xCE 0xB0 0xC9 0x7A ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2f2fe32@6c9b020e1a65 0x12 0xA7 0x18 0x8B ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2f2fe32@d45d4210fe88 0x50 0x5E 0xF8 0x7F ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2f2fe32@bc4760b7822e 0xD1 0x4C 0x78 0x67 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6C 0xC5 0x0C 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION 4147093651EB9A8D0D3E3C00DFCC7E607DA5851AD1CFA1C8327FD0F1D40E55102C31B00A268505BC085C4C3CCCE1E7F645905A496B0C4A471AC5A4399E13D999DBA32C8BE95E891AF3284DB9B73005DA690D7D86677F354E7306909B6A18CC8D224B1B00F411707015F958513A1167FB40BFA05EBEDFDB93C4537F7BB1D0B1FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CA6A0AC4980AC7933C038D530D6EB3452A6A0AC4980AC7933A6A0AC4980AC79338AECD51537124C4FC4ED0A988C24CB7EE1132FB23CE3DD2645633323523E0288829EDFF310D59F729599CF04C864F091EEA3BE9E152532D4C7FC25AB52572DDECB5FA563F049838B9210C89E19F95DFD678888AC97465846E1AFAF41A026CC90CE1C826D607CE4EDE6ECBEABD7F57C9F5B30E4F592F8D7FCA95858F6249C2B68C4C3493EF74369CC9352700FF42EEEB2B08C1E3AE9326FE1875B97045373BF183F4A3DA6E436E843EB640F55703A0A5A9F13735C942D10403C9DD646B9A5BAB21EA6979B67316C4D184A402BE2F8551E353D97621DE8DFC7560BF83CF8F0FD3199D606365655364D13329F62F40B0EE751093178A325388ABD915089C4D99F703CD6A93399853908AC4D3A706454A404AA775B6CDAEA27002BA426F66626EBB0652D1773AF699BA709CD91EE85FEBC28C
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL

---- EOF - GMER 1.0.15 ----
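The kernel-level findings in a log like this are scattered across four sections (System, Kernel code sections, Kernel IAT/EAT, and the "?" lines for modules GMER could not read from disk), and the useful triage question is not "how many hooks" but "which module owns them, and could GMER read that module". In this log every kernel IAT redirection on atapi.sys and i8042prt.sys resolves into the same driver, spvv.sys, which is also the one file GMER reports as unreadable; whether that owner is the SPTD layer registered under Services\sptd in the Registry section (a common source of exactly these atapi.sys IAT hooks) or something else has to be settled by examining the file, not from the log alone. The following script is an added example, not part of GMER or of the log above: it parses the GMER 1.0.15 section and entry formats shown on this page and groups the hooks by owner. SAMPLE_LOG is constructed from entries copied from the log above (the Polish error text rendered in English); the regexes cover only the entry shapes that appear here.

```python
"""Triage helper for a GMER 1.0.15 text log (added example, not GMER's own code).

Splits the log on its "---- Name - GMER x.y.z ----" headers, parses the
entry shapes that matter for kernel hooks, and groups every kernel IAT
redirection by the module the thunk now points into, noting whether GMER
was able to read that module from disk.
"""
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# INT 0x72 ? 86EF7F00   ('?' = GMER could not attribute the handler to a module)
INT_RE = re.compile(r"^INT (?P<vector>0x[0-9A-F]+) \? (?P<addr>[0-9A-F]+)$")
# ? System32\Drivers\spvv.sys <error text>   (module GMER could not open on disk)
UNREADABLE_RE = re.compile(r"^\? (?P<path>\S+) (?P<msg>.+)$")
# ! .text USBPORT.SYS!DllUnload 8E7F141B 5 Bytes JMP 86EF74E0
JMP_RE = re.compile(
    r"^(?:! )?\.text (?P<symbol>\S+) (?P<addr>[0-9A-F]+) (?P<n>\d+) Bytes JMP (?P<dest>[0-9A-F]+)$")
# IAT <image>[<import>] [<addr>] <module the thunk now points into>
IAT_RE = re.compile(
    r"^IAT (?P<image>\S+?)\[(?P<import>[^\]]+)\] \[(?P<addr>[0-9A-F]+)\] (?P<target>\S+)$")

# Constructed sample: entries copied from the log on this page, messages in English.
SAMPLE_LOG = r"""
GMER 1.0.15.15641 - http://www.gmer.net
---- System - GMER 1.0.15 ----
INT 0x72 ? 86EF7F00
INT 0x72 ? 86EF7F00
INT 0x82 ? 86EF7F00
INT 0x92 ? 85398BF8
---- Kernel code sections - GMER 1.0.15 ----
? System32\Drivers\spvv.sys The system cannot find the path specified.
! .text USBPORT.SYS!DllUnload 8E7F141B 5 Bytes JMP 86EF74E0
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8068E6D6] \SystemRoot\System32\Drivers\spvv.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8068E042] \SystemRoot\System32\Drivers\spvv.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8069DB90] \SystemRoot\System32\Drivers\spvv.sys
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[1988] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73A96853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- EOF - GMER 1.0.15 ----
"""


def parse_sections(text):
    """Map each GMER section name to the list of non-empty entry lines under it."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group("name")
        elif current is not None:
            sections[current].append(line)
    return dict(sections)


def basename(path):
    """Case-folded file name of an NT or Win32 path (GMER mixes both spellings)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def unreadable_modules(sections):
    """Modules GMER prefixed with '?' because it could not open them on disk."""
    out = {}
    for line in sections.get("Kernel code sections", []):
        m = UNREADABLE_RE.match(line)
        if m:
            out[basename(m["path"])] = m["msg"]
    return out


def kernel_iat_hooks(sections):
    """Kernel IAT redirections grouped by the module that now owns the thunk."""
    by_target = defaultdict(list)
    for line in sections.get("Kernel IAT/EAT", []):
        m = IAT_RE.match(line)
        if m:
            by_target[basename(m["target"])].append((basename(m["image"]), m["import"]))
    return dict(by_target)


def inline_jmp_hooks(sections):
    """(symbol, patched address, JMP destination) for inline hooks in kernel code."""
    out = []
    for line in sections.get("Kernel code sections", []):
        m = JMP_RE.match(line)
        if m:
            out.append((m["symbol"], int(m["addr"], 16), int(m["dest"], 16)))
    return out


def int_hooks(sections):
    """Distinct unattributed IDT vectors, keyed by the handler address they share."""
    by_addr = defaultdict(set)
    for line in sections.get("System", []):
        m = INT_RE.match(line)
        if m:
            by_addr[int(m["addr"], 16)].add(int(m["vector"], 16))
    return {addr: sorted(v) for addr, v in by_addr.items()}


def triage(text):
    """Summarise kernel-level hooks by owner, flagging owners GMER could not read."""
    sections = parse_sections(text)
    unreadable = unreadable_modules(sections)
    owners = {}
    for target, hooks in kernel_iat_hooks(sections).items():
        owners[target] = {
            "iat_hooks": len(hooks),
            "hooked_images": sorted({img for img, _ in hooks}),
            "readable_on_disk": target not in unreadable,
        }
    return {"hook_owners": owners,
            "inline_jmps": inline_jmp_hooks(sections),
            "int_hooks": int_hooks(sections)}


if __name__ == "__main__":
    for owner, info in triage(SAMPLE_LOG)["hook_owners"].items():
        print(owner, info)
```

User-mode IAT entries (the Explorer.EXE lines) are deliberately left out of the grouping: they carry a different shape with a process id and a file description, and GMER resolved each of them to a signed Microsoft gdiplus.dll, so they add nothing to the kernel-hook picture. Run against the full log above the result is one owner, spvv.sys, with six hooks across two images and readable_on_disk false.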