GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-11-26 14:53:18 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD800BB-00FRA0 rev.77.07W77 Running: ys1cpy78.exe; Driver: C:\DOCUME~1\MICHA~1\USTAWI~1\Temp\kxtdqpog.sys ---- System - GMER 1.0.15 ---- SSDT sptd.sys ZwCreateKey [0xF842C0D0] SSDT sptd.sys ZwEnumerateKey [0xF8431FB2] SSDT sptd.sys ZwEnumerateValueKey [0xF8432340] SSDT sptd.sys ZwOpenKey [0xF842C0B0] SSDT sptd.sys ZwQueryKey [0xF8432418] SSDT sptd.sys ZwQueryValueKey [0xF8432298] SSDT sptd.sys ZwSetValueKey [0xF84324AA] ---- Kernel code sections - GMER 1.0.15 ---- ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF7B95360, 0x372FAD, 0xE8000020] .text USBPORT.SYS!DllUnload F7B758AC 5 Bytes JMP 82338770 ? System32\Drivers\a73lojpt.SYS System nie może odnaleźć określonej ścieżki. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1140] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!IoConnectInterrupt] [F844306C] sptd.sys IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F8443018] sptd.sys IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F84659AE] sptd.sys IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F844306C] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F842CAD4] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F842CC1A] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F842CB9C] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F842D748] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F842D61E] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F844229A] sptd.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 823D51E8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET) AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET) Device \Driver\usbuhci \Device\USBPDO-0 8226C790 Device \Driver\dmio \Device\DmControl\DmIoDaemon 823D71E8 Device \Driver\dmio \Device\DmControl\DmConfig 823D71E8 Device \Driver\dmio \Device\DmControl\DmPnP 823D71E8 Device \Driver\dmio \Device\DmControl\DmInfo 823D71E8 Device \Driver\usbuhci \Device\USBPDO-1 8226C790 Device \Driver\PCI_NTPNP8238 \Device\00000045 sptd.sys Device \Driver\usbuhci \Device\USBPDO-2 8226C790 Device \Driver\usbehci \Device\USBPDO-3 8226B790 Device \Driver\NetBT \Device\NetBT_Tcpip_{A16FF41D-063F-4023-B2A0-A0E214408C59} 81DC31E8 AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET) Device \Driver\usbstor \Device\00000070 81D47580 Device \Driver\Ftdisk \Device\HarddiskVolume1 8236B1E8 Device \Driver\usbstor \Device\00000071 81D47580 Device \Driver\Ftdisk \Device\HarddiskVolume2 8236B1E8 Device \Driver\usbstor \Device\00000072 81D47580 Device \Driver\Cdrom \Device\CdRom0 823161E8 Device \Driver\atapi \Device\Ide\IdePort0 [F837FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F837FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F837FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F837FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [F837FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [F837FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\usbstor \Device\00000073 81D47580 Device \Driver\Cdrom \Device\CdRom1 823161E8 Device \Driver\Cdrom \Device\CdRom2 823161E8 Device \Driver\Cdrom \Device\CdRom3 823161E8 Device \Driver\NetBT \Device\NetBt_Wins_Export 81DC31E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{40195E4D-B6CF-4EA5-A905-83B16984808C} 81DC31E8 Device \Driver\NetBT \Device\NetbiosSmb 81DC31E8 AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET) AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET) Device \Driver\usbuhci \Device\USBFDO-0 8226C790 Device \Driver\usbstor \Device\0000006d 81D47580 Device \Driver\usbuhci \Device\USBFDO-1 8226C790 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81D951E8 Device \Driver\usbuhci \Device\USBFDO-2 8226C790 Device \FileSystem\MRxSmb \Device\LanmanRedirector 81D951E8 Device \Driver\usbehci \Device\USBFDO-3 8226B790 Device \Driver\Ftdisk \Device\FtControl 8236B1E8 Device \Driver\a73lojpt \Device\Scsi\a73lojpt1Port2Path0Target0Lun0 8226D1E8 Device \Driver\a73lojpt \Device\Scsi\a73lojpt1 8226D1E8 Device \Driver\a73lojpt \Device\Scsi\a73lojpt1Port2Path0Target1Lun0 8226D1E8 Device \FileSystem\Cdfs \Cdfs 81BDB1E8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD5 0x36 0x66 0x15 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x07 0xED 0xAE 0xC1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAB 0xA7 0xBB 0x21 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x71 0xF4 0xEA 0x17 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD5 0x36 0x66 0x15 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x07 0xED 0xAE 0xC1 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xAB 0xA7 0xBB 0x21 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x71 0xF4 0xEA 0x17 ... ---- EOF - GMER 1.0.15 ----