GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-07 19:44:43
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_SP1654N rev.BV100-45
Running: kju2t71s.exe; Driver: C:\DOCUME~1\RYSZAR~1\USTAWI~1\Temp\ufrdrpow.sys

---- System - GMER 1.0.15 ----

SSDT 85DD8050 ZwAlertResumeThread
SSDT 85DD9050 ZwAlertThread
SSDT 85FB6CD0 ZwAllocateVirtualMemory
SSDT 85DC8050 ZwAssignProcessToJobObject
SSDT 863032E8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA9F08210]
SSDT 86392F80 ZwCreateMutant
SSDT 8636BB30 ZwCreateSymbolicLinkObject
SSDT 85CE12D0 ZwCreateThread
SSDT 85DCA050 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA9F08490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA9F089F0]
SSDT 85D6E630 ZwDuplicateObject
SSDT sptd.sys ZwEnumerateKey [0xF73E3FFE]
SSDT sptd.sys ZwEnumerateValueKey [0xF73E438C]
SSDT 8637B2C0 ZwFreeVirtualMemory
SSDT 85DD4050 ZwImpersonateAnonymousToken
SSDT 85DD6050 ZwImpersonateThread
SSDT 8636BEC0 ZwLoadDriver
SSDT 86370BD0 ZwMapViewOfSection
SSDT 85DD2050 ZwOpenEvent
SSDT sptd.sys ZwOpenKey [0xF73AFA30]
SSDT 85D68C80 ZwOpenProcess
SSDT 85DF3050 ZwOpenProcessToken
SSDT 85DCF050 ZwOpenSection
SSDT 85D6E700 ZwOpenThread
SSDT 863A5C50 ZwProtectVirtualMemory
SSDT sptd.sys ZwQueryKey [0xF73E4464]
SSDT sptd.sys ZwQueryValueKey [0xF73E42E4]
SSDT 85DDB050 ZwResumeThread
SSDT 85DE1050 ZwSetContextThread
SSDT 8636CAA0 ZwSetInformationProcess
SSDT 85DCC050 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA9F08C40]
SSDT 85DD0050 ZwSuspendProcess
SSDT 85DDD050 ZwSuspendThread
SSDT 85DF8050 ZwTerminateProcess
SSDT 85DDF050 ZwTerminateThread
SSDT 85DE4050 ZwUnmapViewOfSection
SSDT 8637B390 ZwWriteVirtualMemory

INT 0x62 ? 86598CC8
INT 0x63 ? 86339F00
INT 0x82 ? 86598CC8
INT 0xA4 ? 86339F00
INT 0xB4 ? 86339F00

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2400 80501C38 4 Bytes [E8, 32, 30, 86]
.text sptd.sys F7375000 32 Bytes [5E, 87, 6D, 80, 20, 37, 6D, ...]
.text sptd.sys F7375024 4 Bytes [74, 7F, 36, F7]
.text sptd.sys F737502C 420 Bytes [CE, 7E, 5D, 80, 7C, F3, 5D, ...]
.text sptd.sys F73751D1 3 Bytes [70, 53, 80]
.text sptd.sys F73751E4 4 Bytes [79, 62, 73, 4C] {JNS 0x64; JAE 0x50}
.text ...
.sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF746CD38]
? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
? SYMDS.SYS Nie można odnaleźć określonego pliku. !
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !
.text USBPORT.SYS!DllUnload F5F2E8AC 3 Bytes JMP 86339410
.text USBPORT.SYS!DllUnload + 4 F5F2E8B0 1 Byte [90]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADB6C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A502F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A4F61 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A4FCC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A4E32 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A4E94 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A5092 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1832] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A4EF6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 05E5003A
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] kernel32.dll!VirtualProtectEx + 6E 7C801ACF 7 Bytes JMP 05E50319
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] kernel32.dll!ReadProcessMemory + 3E 7C80220E 7 Bytes JMP 05E500F7
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 05E50263
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] kernel32.dll!GetVersionExA + D3 7C812C51 7 Bytes JMP 05E503CF
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] kernel32.dll!GetProcessHandleCount + 35 7C86229F 7 Bytes JMP 05E501AD
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9B15 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D16D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADB6C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 40614666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A502F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A4F61 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A4FCC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A4E32 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A4E94 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A5092 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A4EF6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] ole32.dll!CreateBindCtx + B5F 774EF14F 7 Bytes JMP 05E5053F
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 406ADBC8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] ole32.dll!CoImpersonateClient + 51 775051F0 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] ole32.dll!CoImpersonateClient + 51 775051F0 7 Bytes JMP 05E50485
.text C:\Program Files\Internet Explorer\iexplore.exe[1896] ole32.dll!OleLoadFromStream 7751981B 5 Bytes JMP 407A53B0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 0302003A
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] kernel32.dll!VirtualProtectEx + 6E 7C801ACF 7 Bytes JMP 03020494
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] kernel32.dll!ReadProcessMemory + 3E 7C80220E 7 Bytes JMP 03020278
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 030203E0
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] kernel32.dll!GetVersionExA + D3 7C812C51 7 Bytes JMP 03020548
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] kernel32.dll!GetProcessHandleCount + 35 7C86229F 7 Bytes JMP 0302032C
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5501 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9B15 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D16D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADB6C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 40614666 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A502F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A4F61 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A4FCC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A4E32 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A4E94 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A5092 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A4EF6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] ole32.dll!CreateBindCtx + B5F 774EF14F 7 Bytes JMP 030208F1
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 406ADBC8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] ole32.dll!CoImpersonateClient + 51 775051F0 7 Bytes JMP 03020839
.text C:\Program Files\Internet Explorer\iexplore.exe[4072] ole32.dll!OleLoadFromStream 7751981B 5 Bytes JMP 407A53B0 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F7376574] sptd.sys
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F73760C0] sptd.sys
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F7376FE0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73760C0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7376362] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73762A4] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73771BC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F7376FE0] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F738B312] sptd.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[1896] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
IAT C:\Program Files\Internet Explorer\iexplore.exe[4072] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 865971F8
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbuhci \Device\USBPDO-0 86441430
Device \Driver\usbuhci \Device\USBPDO-1 86441430
Device \Driver\usbuhci \Device\USBPDO-2 86441430
Device \Driver\usbuhci \Device\USBPDO-3 86441430
Device \Driver\usbehci \Device\USBPDO-4 863C1430
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{770A9068-086D-4479-A8E9-EE85DDE08031} 86379430
Device \Driver\Cdrom \Device\CdRom0 863C7430
Device \Driver\atapi \Device\Ide\IdePort0 [F72C8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F72C8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F72C8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F72C8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 86379430
Device \Driver\NetBT \Device\NetbiosSmb 86379430
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbuhci \Device\USBFDO-0 86441430
Device \Driver\usbuhci \Device\USBFDO-1 86441430
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86332430
Device \Driver\usbuhci \Device\USBFDO-2 86441430
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86332430
Device \Driver\usbuhci \Device\USBFDO-3 86441430
Device \Driver\usbehci \Device\USBFDO-4 863C1430
Device \FileSystem\Cdfs \Cdfs 85C8A430

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x61 0x42 0xCA ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x61 0x42 0xCA ...

---- EOF - GMER 1.0.15 ----