GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-03-01 14:39:17 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3 WDC_WD1600AAJS-08PSA0 rev.05.06H05 Running: 42zljt8g.exe; Driver: C:\DOCUME~1\USER~1.KOM\USTAWI~1\Temp\pgliqpoc.sys ---- System - GMER 1.0.15 ---- SSDT sptd.sys ZwCreateKey [0xB9ECFA50] SSDT sptd.sys ZwEnumerateKey [0xB9F03FFE] SSDT sptd.sys ZwEnumerateValueKey [0xB9F0438C] SSDT sptd.sys ZwOpenKey [0xB9ECFA30] SSDT sptd.sys ZwQueryKey [0xB9F04464] SSDT sptd.sys ZwQueryValueKey [0xB9F042E4] SSDT sptd.sys ZwSetValueKey [0xB9F044F6] INT 0x63 ? 8AFE9CC8 INT 0x73 ? 8AFE9CC8 INT 0x73 ? 8AFE9CC8 INT 0x83 ? 8B18CCC8 INT 0xA4 ? 8AFE9CC8 INT 0xB4 ? 8AFE9CC8 ---- Kernel code sections - GMER 1.0.15 ---- .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB9F8CD38] ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6C9A360, 0x2FF817, 0xE8000020] .text USBPORT.SYS!DllUnload B6C578AC 5 Bytes JMP 8AFE91D8 .text ahnlrj7f.SYS B6BA2306 74 Bytes [00, 00, 00, 40, 03, 00, 40, ...] .text ahnlrj7f.SYS B6BA2351 87 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text ahnlrj7f.SYS B6BA23A9 10 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL} .text ahnlrj7f.SYS B6BA23B4 34 Bytes [40, 00, 00, C8, 50, 41, 47, ...] .text ahnlrj7f.SYS B6BA23D7 1 Byte [00] .text ... ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[584] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B9E96574] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B9E960C0] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B9E96FE0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9E960C0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9E96362] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9E962A4] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9E971BC] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9E96FE0] sptd.sys IAT \SystemRoot\System32\Drivers\ahnlrj7f.SYS[HAL.dll!KeGetCurrentIrql] 830C4D8A IAT \SystemRoot\System32\Drivers\ahnlrj7f.SYS[HAL.dll!KfAcquireSpinLock] 0001CCB8 IAT \SystemRoot\System32\Drivers\ahnlrj7f.SYS[HAL.dll!KfReleaseSpinLock] 48880000 IAT \SystemRoot\System32\Drivers\ahnlrj7f.SYS[HAL.dll!KfRaiseIrql] C0940F68 IAT \SystemRoot\System32\Drivers\ahnlrj7f.SYS[HAL.dll!KfLowerIrql] 8B55C35D IAT \SystemRoot\System32\Drivers\ahnlrj7f.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] 458D5653 IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EAB312] sptd.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8B18B1F8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET) Device \FileSystem\Fastfat \FatCdrom 8A490430 AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (Eset Personal Firewall TDI filter/ESET) Device \Driver\usbohci \Device\USBPDO-0 8AFE81F8 Device \Driver\usbohci \Device\USBPDO-1 8AFE81F8 Device \Driver\usbohci \Device\USBPDO-2 8AFE81F8 Device \Driver\usbohci \Device\USBPDO-3 8AFE81F8 Device \Driver\usbohci \Device\USBPDO-4 8AFE81F8 Device \Driver\PCI_PNP0134 \Device\00000048 sptd.sys Device \Driver\PCI_PNP0134 \Device\00000048 sptd.sys AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET) Device \Driver\usbehci \Device\USBPDO-5 8AFCB1F8 Device \Driver\Cdrom \Device\CdRom0 8AF171F8 Device \Driver\atapi \Device\Ide\IdePort0 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Cdrom \Device\CdRom1 8AF171F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{423DDD03-2D3D-4315-A88D-2C38C962E663} 8A5B51F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 8A5B51F8 Device \Driver\NetBT \Device\NetbiosSmb 8A5B51F8 AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET) AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (Eset Personal Firewall TDI filter/ESET) Device \Driver\usbohci \Device\USBFDO-0 8AFE81F8 Device \Driver\USBSTOR \Device\0000007a 8ADAC430 Device \Driver\usbohci \Device\USBFDO-1 8AFE81F8 Device \Driver\USBSTOR \Device\0000007b 8ADAC430 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A5B21F8 Device \Driver\usbohci \Device\USBFDO-2 8AFE81F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A5B21F8 Device \Driver\usbohci \Device\USBFDO-3 8AFE81F8 Device \Driver\usbohci \Device\USBFDO-4 8AFE81F8 Device \Driver\usbehci \Device\USBFDO-5 8AFCB1F8 Device \Driver\ahnlrj7f \Device\Scsi\ahnlrj7f1Port4Path0Target0Lun0 8AEE01F8 Device \Driver\ahnlrj7f \Device\Scsi\ahnlrj7f1 8AEE01F8 Device \FileSystem\Fastfat \Fat 8A490430 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET) Device \FileSystem\Cdfs \Cdfs 8ADAE430 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x41 0xFB 0x08 0xB2 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xEF 0x24 0x6A 0x7A ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xA6 0x76 0x70 0x49 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x41 0xFB 0x08 0xB2 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xEF 0x24 0x6A 0x7A ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xA6 0x76 0x70 0x49 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x41 0xFB 0x08 0xB2 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xEF 0x24 0x6A 0x7A ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xA6 0x76 0x70 0x49 ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x41 0xFB 0x08 0xB2 ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xEF 0x24 0x6A 0x7A ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xA6 0x76 0x70 0x49 ... Reg HKLM\SOFTWARE\Classes\Interface\{0000010e-0000-0000-C000-000000000046}@ Reg HKLM\SOFTWARE\Classes\Interface\{000209CA-0000-0000-C000˙˙˙˙˙˙˙˙˙˙˙˙˙˙ Reg HKLM\SOFTWARE\Classes\Record\{D58DC4BB-3A4C-3B0C-B75F-9D0876694F3D}\4.0.0.0@\x2d9\x2d9\x2d9\x2d9\x2d9 ---- EOF - GMER 1.0.15 ----