GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-18 19:48:05
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST9320320AS rev.0303
Running: lropg69x.exe; Driver: C:\DOCUME~1\Ola\USTAWI~1\Temp\fwpyqaod.sys

---- System - GMER 1.0.15 ----

SSDT spkx.sys ZwCreateKey [0xBA6A70E0]
SSDT spkx.sys ZwEnumerateKey [0xBA6C5CA4]
SSDT spkx.sys ZwEnumerateValueKey [0xBA6C6032]
SSDT spkx.sys ZwOpenKey [0xBA6A70C0]
SSDT spkx.sys ZwQueryKey [0xBA6C610A]
SSDT spkx.sys ZwQueryValueKey [0xBA6C5F8A]
SSDT spkx.sys ZwSetValueKey [0xBA6C619C]

INT 0x62 ? 8A54CBF8
INT 0x63 ? 8A2B0BF8
INT 0x74 ? 8A2B0BF8
INT 0x83 ? 8A2B0BF8
INT 0x94 ? 8A2B0BF8
INT 0xA4 ? 8A54CBF8
INT 0xB4 ? 8A2B0BF8

---- Kernel code sections - GMER 1.0.15 ----

? spkx.sys Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB9D3B360, 0x37226D, 0xE8000020]
.text USBPORT.SYS!DllUnload B9D1C62C 5 Bytes JMP 8A2B01D8
.text arc3zl5y.SYS B9961386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text arc3zl5y.SYS B99613AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text arc3zl5y.SYS B99613C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text arc3zl5y.SYS B99613C9 1 Byte [30]
.text arc3zl5y.SYS B99613C9 11 Bytes [30, 00, 00, 00, 5C, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESP; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6A8042] spkx.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6A813E] spkx.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6A80C0] spkx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6A8800] spkx.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6A86D6] spkx.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6B7E9C] spkx.sys
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!READ_PORT_UCHAR] B08B8932
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!KeGetCurrentIrql] 89000001
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!KfRaiseIrql] 0001BC83
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!KfLowerIrql] 24468B00
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!HalGetInterruptVector] 89820C8D
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!KfReleaseSpinLock] 000000BD
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0208B389
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00
IAT \SystemRoot\System32\Drivers\arc3zl5y.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8A54B1F8
AttachedDevice \FileSystem\Ntfs \Ntfs AsDsm.sys (Data Security Manager Driver/Windows (R) Codename Longhorn DDK provider)
Device \FileSystem\Fastfat \FatCdrom 88197500
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\usbuhci \Device\USBPDO-0 8A2AE1F8
Device \Driver\usbuhci \Device\USBPDO-1 8A2AE1F8
Device \Driver\usbehci \Device\USBPDO-2 8A2911F8
Device \Driver\usbuhci \Device\USBPDO-3 8A2AE1F8
Device \Driver\usbuhci \Device\USBPDO-4 8A2AE1F8
Device \Driver\usbehci \Device\USBPDO-5 8A2911F8
Device \Driver\usbuhci \Device\USBPDO-6 8A2AE1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A4DC1F8
Device \Driver\Cdrom \Device\CdRom0 8A1C9500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A54C1F8
Device \Driver\atapi \Device\Ide\IdePort0 8A54C1F8
Device \Driver\atapi \Device\Ide\IdePort1 8A54C1F8
Device \Driver\atapi \Device\Ide\IdePort2 8A54C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 8A54C1F8
Device \Driver\Cdrom \Device\CdRom1 8A1C9500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A02F500
Device \Driver\PCI_PNP1350 \Device\0000004b spkx.sys
Device \Driver\sptd \Device\4010967600 spkx.sys
Device \Driver\NetBT \Device\NetbiosSmb 8A02F500
Device \Driver\NetBT \Device\NetBT_Tcpip_{FCA8151B-1511-4157-BD7E-EF8CD9563413} 8A02F500
Device \Driver\usbuhci \Device\USBFDO-0 8A2AE1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{F105CAA1-5736-4481-A1E1-4603A6758226} 8A02F500
Device \Driver\usbuhci \Device\USBFDO-1 8A2AE1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A02C500
Device \Driver\usbehci \Device\USBFDO-2 8A2911F8
Device \Driver\usbuhci \Device\USBFDO-3 8A2AE1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A02C500
Device \Driver\Ftdisk \Device\FtControl 8A4DC1F8
Device \Driver\usbuhci \Device\USBFDO-4 8A2AE1F8
Device \Driver\usbuhci \Device\USBFDO-5 8A2AE1F8
Device \Driver\usbehci \Device\USBFDO-6 8A2911F8
Device \Driver\arc3zl5y \Device\Scsi\arc3zl5y1Port3Path0Target0Lun0 8A17A1F8
Device \Driver\arc3zl5y \Device\Scsi\arc3zl5y1 8A17A1F8
Device \FileSystem\Fastfat \Fat 88197500
AttachedDevice \FileSystem\Fastfat \Fat AsDsm.sys (Data Security Manager Driver/Windows (R) Codename Longhorn DDK provider)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 84FD6500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x26 0x77 0x37 0x5D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x84 0x17 0x79 0x81 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCA 0xA0 0x45 0xB1 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x26 0x77 0x37 0x5D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x84 0x17 0x79 0x81 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCA 0xA0 0x45 0xB1 ...

---- Files - GMER 1.0.15 ----

File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\_avt 512 bytes
File C:\ADSM_PData_0150\DragWait.exe 253952 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes
File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86 0 bytes
File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\AsDsm.sys 29752 bytes executable
File C:\Program Files\ASUS\ASUS Data Security Manager\driver\x86\_avt 512 bytes

---- EOF - GMER 1.0.15 ----