GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-06-10 16:19:11 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_SP1654N rev.BV100-45 Running: bbnz88jc.exe; Driver: C:\DOCUME~1\RYSZAR~1\USTAWI~1\Temp\ufrdrpow.sys ---- System - GMER 1.0.15 ---- SSDT 85BF1120 ZwAlertResumeThread SSDT 85BF1008 ZwAlertThread SSDT 85C5FF18 ZwAllocateVirtualMemory SSDT 85C36008 ZwAssignProcessToJobObject SSDT 865585A8 ZwConnectPort SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA9F46D40] SSDT 85C3C008 ZwCreateMutant SSDT 85C36078 ZwCreateSymbolicLinkObject SSDT 85BF6698 ZwCreateThread SSDT 85C62EB0 ZwDebugActiveProcess SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA9F46FC0] SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA9F47680] SSDT 85C61288 ZwDuplicateObject SSDT sptd.sys ZwEnumerateKey [0xF73E3FFE] SSDT sptd.sys ZwEnumerateValueKey [0xF73E438C] SSDT 85C37888 ZwFreeVirtualMemory SSDT 85C33120 ZwImpersonateAnonymousToken SSDT 85C33008 ZwImpersonateThread SSDT 862DEB68 ZwLoadDriver SSDT 85C60F70 ZwMapViewOfSection SSDT 85C3C120 ZwOpenEvent SSDT sptd.sys ZwOpenKey [0xF73AFA30] SSDT 85C7D268 ZwOpenProcess SSDT 85BF5780 ZwOpenProcessToken SSDT 85C5F120 ZwOpenSection SSDT 85BF5268 ZwOpenThread SSDT 85C36168 ZwProtectVirtualMemory SSDT sptd.sys ZwQueryKey [0xF73E4464] SSDT sptd.sys ZwQueryValueKey [0xF73E42E4] SSDT 85C62770 ZwResumeThread SSDT 85C61800 ZwSetContextThread SSDT 85C618C0 ZwSetInformationProcess SSDT 85C62F90 ZwSetSystemInformation SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA9F47910] SSDT 85C5F008 ZwSuspendProcess SSDT 85C20E68 ZwSuspendThread SSDT 85BF3800 ZwTerminateProcess SSDT 85C20F48 ZwTerminateThread SSDT 85C60E90 ZwUnmapViewOfSection SSDT 85C37918 ZwWriteVirtualMemory INT 0x62 ? 865CFCC8 INT 0x73 ? 865CFCC8 INT 0x82 ? 865CFCC8 INT 0x94 ? 862B9F00 INT 0xA4 ? 862B9F00 INT 0xB4 ? 862B9F00 ---- Kernel code sections - GMER 1.0.15 ---- .text sptd.sys F7375000 32 Bytes [5E, 87, 6D, 80, 20, 37, 6D, ...] .text sptd.sys F7375024 4 Bytes [74, 7F, 36, F7] .text sptd.sys F737502C 160 Bytes [0E, 7F, 5D, 80, 48, F2, 5D, ...] .text sptd.sys F73750CD 263 Bytes [5F, 53, 80, 26, 28, 53, 80, ...] .text sptd.sys F73751E4 4 Bytes [79, 62, 73, 4C] {JNS 0x64; JAE 0x50} .text ... .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF746CD38] ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. ? SYMDS.SYS Nie można odnaleźć określonego pliku. ! ? SYMEFA.SYS Nie można odnaleźć określonego pliku. ! .text USBPORT.SYS!DllUnload F5F628AC 5 Bytes JMP 862B9410 ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\winlogon.exe[1148] ntdll.dll!NtLockProductActivationKeys 7C90D4AE 5 Bytes JMP 10001000 C:\WINDOWS\system32\antiwpa.dll .text C:\WINDOWS\system32\winlogon.exe[1148] USER32.dll!GetSystemMetrics 7E368F9C 5 Bytes JMP 10001018 C:\WINDOWS\system32\antiwpa.dll ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F7376574] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F73760C0] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F7376FE0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F73760C0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F7376362] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73762A4] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F73771BC] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F7376FE0] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F738B312] sptd.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 865CE1F8 AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation) Device \Driver\usbuhci \Device\USBPDO-0 8627F430 Device \Driver\usbuhci \Device\USBPDO-1 8627F430 Device \Driver\usbuhci \Device\USBPDO-2 8627F430 Device \Driver\usbuhci \Device\USBPDO-3 8627F430 Device \Driver\usbehci \Device\USBPDO-4 862E2430 AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation) Device \Driver\NetBT \Device\NetBT_Tcpip_{E9414232-5DF1-4F82-B153-574561F841D7} 85C7E1F8 Device \Driver\Cdrom \Device\CdRom0 8627E1F8 Device \Driver\atapi \Device\Ide\IdePort0 [F72C8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F72C8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F72C8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [F72C8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [F72C8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F72C8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBT_Tcpip_{997BEC68-E554-4A90-8C2A-CF544DBDE76C} 85C7E1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 85C7E1F8 Device \Driver\NetBT \Device\NetbiosSmb 85C7E1F8 AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation) AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation) Device \Driver\usbuhci \Device\USBFDO-0 8627F430 Device \Driver\usbuhci \Device\USBFDO-1 8627F430 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85C201F8 Device \Driver\usbuhci \Device\USBFDO-2 8627F430 Device \FileSystem\MRxSmb \Device\LanmanRedirector 85C201F8 Device \Driver\usbuhci \Device\USBFDO-3 8627F430 Device \Driver\usbehci \Device\USBFDO-4 862E2430 Device \FileSystem\Cdfs \Cdfs 85C2B1F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x61 0x42 0xCA ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x81 0x61 0x42 0xCA ... ---- EOF - GMER 1.0.15 ----