GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-03-30 18:00:42 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 HDT722525DLA380 rev.V44OA9BA Running: cbozezsu.exe; Driver: C:\Users\Mariusz\AppData\Local\Temp\pwriifod.sys ---- System - GMER 1.0.15 ---- SSDT 88DD0D46 ZwCreateSection SSDT 88DD0D4B ZwSetContextThread SSDT 88DD0CE7 ZwTerminateProcess INT 0x52 ? 85F20CB8 INT 0x62 ? 85F20CB8 INT 0x72 ? 85F20CB8 INT 0x92 ? 84457CB8 INT 0xA2 ? 84457CB8 INT 0xB2 ? 85F20CB8 ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!KeSetEvent + 215 820AF998 4 Bytes [46, 0D, DD, 88] .text ntkrnlpa.exe!KeSetEvent + 56D 820AFCF0 4 Bytes [4B, 0D, DD, 88] .text ntkrnlpa.exe!KeSetEvent + 621 820AFDA4 4 Bytes [E7, 0C, DD, 88] .text sptd.sys 80685000 32 Bytes [C0, 0E, 3C, 82, 06, A1, 3C, ...] .text sptd.sys 80685024 104 Bytes [EA, 13, 04, 82, 41, 0B, 0F, ...] .text sptd.sys 8068508D 84 Bytes [C1, 04, 82, 81, 0B, 0B, 82, ...] .text sptd.sys 806850E2 18 Bytes [0F, 82, 99, 81, 20, 82, F0, ...] .text sptd.sys 806850F5 23 Bytes [88, 04, 82, F0, 22, 02, 82, ...] .text ... .sptd2 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd2" section [0x8072F9E3] ? C:\Windows\System32\Drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text USBPORT.SYS!DllUnload 881EB41B 5 Bytes JMP 85F201C8 ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] ntdll.dll!LdrLoadDll 777A9378 5 Bytes JMP 61D69720 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] ntdll.dll!NtQueryInformationProcess 777E4CC4 5 Bytes JMP 002D5A3A .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] kernel32.dll!MapViewOfFile 773F6B10 5 Bytes JMP 61F9E1F4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] kernel32.dll!VirtualAlloc 773FAF75 5 Bytes JMP 61F9E21B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] USER32.dll!DrawTextExW 776491CE 5 Bytes JMP 002BEED3 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] USER32.dll!DrawTextW 776497D3 2 Bytes JMP 002BED11 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] USER32.dll!DrawTextW + 3 776497D6 2 Bytes [C7, 88] .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] USER32.dll!DrawTextA 7765558D 5 Bytes JMP 002BEC36 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] USER32.dll!DrawTextExA 776555C4 5 Bytes JMP 002BEDEC .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] USER32.dll!DialogBoxParamW 776610B0 5 Bytes JMP 002BDC86 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] USER32.dll!SetClipboardData 77676410 5 Bytes JMP 002BE987 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] GDI32.dll!CreateDIBSection 77227461 5 Bytes JMP 61F9E17E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] GDI32.dll!ExtTextOutW 7722872B 5 Bytes JMP 002BF09E .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] GDI32.dll!GetGlyphIndicesW 7722B765 5 Bytes JMP 002BF52B .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] GDI32.dll!ExtTextOutA 772300A5 5 Bytes JMP 002BEFBA .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] GDI32.dll!TextOutA 77230BAB 5 Bytes JMP 002BEA9E .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] GDI32.dll!TextOutW 77230D6D 5 Bytes JMP 002BEB6A .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] GDI32.dll!GetGlyphIndicesA 77249DC0 5 Bytes JMP 002BF45E .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] WS2_32.dll!closesocket 7775330C 5 Bytes JMP 002BE8E0 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] WS2_32.dll!recv 7775343A 5 Bytes JMP 002BE4FA .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] WS2_32.dll!GetAddrInfoW 77753D12 5 Bytes JMP 002BD8B7 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] WS2_32.dll!getaddrinfo 7775418A 5 Bytes JMP 002BD7D7 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] WS2_32.dll!WSASend 77754496 5 Bytes JMP 002BE5A8 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] WS2_32.dll!send 7775659B 5 Bytes JMP 002BE455 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] WS2_32.dll!WSARecv 77758400 5 Bytes JMP 002BE67C .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] WS2_32.dll!WSAAsyncGetHostByName 77765FB9 5 Bytes JMP 002BDBA7 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] WS2_32.dll!gethostbyname 777662D4 5 Bytes JMP 002BD716 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] WININET.dll!InternetCrackUrlA 772B0326 5 Bytes JMP 002BF7F1 .text C:\Program Files\Mozilla Firefox\firefox.exe[1204] WININET.dll!InternetCrackUrlW 772C3129 5 Bytes JMP 002BF93A .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4060] USER32.dll!SetWindowLongA 7763E7CD 5 Bytes JMP 621075F7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4060] USER32.dll!SetWindowLongW 776413B4 5 Bytes JMP 62107589 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4060] USER32.dll!GetWindowInfo 7764428E 5 Bytes JMP 61EDFE0A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4060] USER32.dll!TrackPopupMenu 776514F3 5 Bytes JMP 61EE03C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [80686EEE] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [8068720E] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8068670C] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [806870CC] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [80686832] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [806868F0] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8069AF56] \SystemRoot\System32\Drivers\sptd.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74607817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7465A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7460BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [745FF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746075E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [745FE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74638395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7460DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [745FFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [745FFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [745F71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7468CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7462C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [745FD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [745F6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [745F687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2036] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74602AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8445E1E8 Device \FileSystem\fastfat \FatCdrom 86FF61E8 Device \Driver\usbuhci \Device\USBPDO-0 85F2E1E8 Device \Driver\usbuhci \Device\USBPDO-1 85F2E1E8 Device \Driver\usbuhci \Device\USBPDO-2 85F2E1E8 Device \Driver\usbuhci \Device\USBPDO-3 85F2E1E8 Device \Driver\usbehci \Device\USBPDO-4 85F2D1E8 Device \Driver\USBSTOR \Device\00000057 85F71430 Device \Driver\USBSTOR \Device\00000058 85F71430 Device \Driver\cdrom \Device\CdRom0 85F271E8 Device \Driver\USBSTOR \Device\00000059 85F71430 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8445D1E8 Device \Driver\atapi \Device\Ide\IdePort0 8445D1E8 Device \Driver\atapi \Device\Ide\IdePort1 8445D1E8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 8445D1E8 Device \Driver\netbt \Device\NetBt_Wins_Export 8684A430 Device \Driver\Smb \Device\NetbiosSmb 868481E8 Device \Driver\USBSTOR \Device\0000005a 85F71430 Device \Driver\USBSTOR \Device\0000005b 85F71430 Device \Driver\USBSTOR \Device\0000005c 85F71430 Device \Driver\iScsiPrt \Device\RaidPort0 8618E1E8 Device \Driver\USBSTOR \Device\0000005d 85F71430 Device \Driver\usbuhci \Device\USBFDO-0 85F2E1E8 Device \Driver\usbuhci \Device\USBFDO-1 85F2E1E8 Device \Driver\usbuhci \Device\USBFDO-2 85F2E1E8 Device \Driver\usbuhci \Device\USBFDO-3 85F2E1E8 Device \Driver\usbehci \Device\USBFDO-4 85F2D1E8 Device \Driver\netbt \Device\NetBT_Tcpip_{33742B31-7296-4C3E-A517-3A1F4F3FBF29} 8684A430 Device \FileSystem\fastfat \Fat 86FF61E8 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) Device \FileSystem\cdfs \Cdfs 873F61E8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x08 0xBD 0x4A 0x37 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x08 0xBD 0x4A 0x37 ... ---- EOF - GMER 1.0.15 ----