GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-29 04:25:26
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS543232L9A300 rev.FB4OC40C
Running: 1stmrym3.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pxldrpoc.sys


---- System - GMER 1.0.15 ----

SSDT  B8779DD4  ZwClose
SSDT  B8779D8E  ZwCreateKey
SSDT  B8779DDE  ZwCreateSection
SSDT  B8779D84  ZwCreateThread
SSDT  B8779D93  ZwDeleteKey
SSDT  B8779D9D  ZwDeleteValueKey
SSDT  B8779DCF  ZwDuplicateObject
SSDT  B8779DA2  ZwLoadKey
SSDT  B8779D70  ZwOpenProcess
SSDT  B8779D75  ZwOpenThread
SSDT  B8779DF7  ZwQueryValueKey
SSDT  B8779DAC  ZwReplaceKey
SSDT  B8779DE8  ZwRequestWaitReplyPort
SSDT  B8779DA7  ZwRestoreKey
SSDT  B8779DE3  ZwSetContextThread
SSDT  B8779DED  ZwSetSecurityObject
SSDT  B8779D98  ZwSetValueKey
SSDT  B8779DF2  ZwSystemDebugControl
SSDT  B8779D7F  ZwTerminateProcess

INT 0x63  ?  8A2D9CB8
INT 0x83  ?  8A2D9CB8
INT 0x84  ?  8A2D9CB8
INT 0xA4  ?  8A2D9CB8
INT 0xB4  ?  8A54CCB8
INT 0xB4  ?  8A54CCB8
INT 0xB4  ?  8A54CCB8
INT 0xB4  ?  8A54CCB8
INT 0xB4  ?  8A2D9CB8
INT 0xB4  ?  8A2D9CB8
INT 0xB4  ?  8A54CCB8

---- Kernel code sections - GMER 1.0.15 ----

.text   ntkrnlpa.exe!ZwCallbackReturn + 2EFC             805047B4 4 Bytes  CALL 9908BF56
.sptd1  C:\WINDOWS\system32\drivers\sptd.sys             entry point in ".sptd1" section [0xB7F83B2E]
.text   C:\WINDOWS\system32\DRIVERS\nv4_mini.sys         section is writeable [0xB706C360, 0x33A1AD, 0xE8000020]
.text   USBPORT.SYS!DllUnload                            B704C8AC 5 Bytes  JMP 8A2D91C8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG]      [B7E8F232] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR]       [B7E8E730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR]      [B7E8EF12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]                                    [B7E8E730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]                            [B7E8E914] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  atapi.sys[HAL.dll!READ_PORT_USHORT]                                   [B7E8E856] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]                           [B7E8F0F0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]                                   [B7E8EF12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]   [B7EA2EB0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- Devices - GMER 1.0.15 ----

Device  \FileSystem\Ntfs \Ntfs                                              8A54B1E8
Device  \Driver\usbuhci \Device\USBPDO-0                                    8A2D81E8
Device  \Driver\usbuhci \Device\USBPDO-1                                    8A2D81E8
Device  \Driver\usbuhci \Device\USBPDO-2                                    8A2D81E8
Device  \Driver\usbehci \Device\USBPDO-3                                    8A2A21E8
Device  \Driver\usbuhci \Device\USBPDO-4                                    8A2D81E8
Device  \Driver\usbehci \Device\USBPDO-5                                    8A2A21E8
Device  \Driver\usbuhci \Device\USBPDO-6                                    8A2D81E8
Device  \Driver\usbuhci \Device\USBPDO-7                                    8A2D81E8
Device  \Driver\Cdrom \Device\CdRom0                                        8A1C0430
Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3                         [B7DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort0                                  [B7DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort1                                  [B7DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort2                                  [B7DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort3                                  [B7DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e                         [B7DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\NetBT \Device\NetBt_Wins_Export                             8A24B430
Device  \Driver\NetBT \Device\NetbiosSmb                                    8A24B430
Device  \Driver\usbuhci \Device\USBFDO-0                                    8A2D81E8
Device  \Driver\usbuhci \Device\USBFDO-1                                    8A2D81E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver                   8A240430
Device  \Driver\usbuhci \Device\USBFDO-2                                    8A2D81E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector                         8A240430
Device  \Driver\usbehci \Device\USBFDO-3                                    8A2A21E8
Device  \Driver\usbuhci \Device\USBFDO-4                                    8A2D81E8
Device  \Driver\usbuhci \Device\USBFDO-5                                    8A2D81E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{2F690A58-6B45-4472-8855-0AF3CC5CFFBB}  8A24B430
Device  \Driver\usbuhci \Device\USBFDO-6                                    8A2D81E8
Device  \Driver\usbehci \Device\USBFDO-7                                    8A2A21E8
Device  \FileSystem\Fastfat \Fat                                            8A0A2430
Device  \FileSystem\Fastfat \Fat                                            B18CF297

AttachedDevice  \FileSystem\Fastfat \Fat                                    fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device  \FileSystem\Cdfs \Cdfs                                              8A0A5430

---- EOF - GMER 1.0.15 ----