GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-11-07 20:14:24 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3160815AS rev.3.AAC Running: 8e86yd3c.exe; Driver: C:\DOCUME~1\Tomek\USTAWI~1\Temp\kwtyrpog.sys ---- System - GMER 1.0.15 ---- SSDT F7E3D5EC ZwClose SSDT F7E3D5A6 ZwCreateKey SSDT F7E3D5F6 ZwCreateSection SSDT F7E3D59C ZwCreateThread SSDT F7E3D5AB ZwDeleteKey SSDT F7E3D5B5 ZwDeleteValueKey SSDT F7E3D5E7 ZwDuplicateObject SSDT sptd.sys ZwEnumerateKey [0xF7773C22] SSDT sptd.sys ZwEnumerateValueKey [0xF7773F9A] SSDT F7E3D5BA ZwLoadKey SSDT sptd.sys ZwOpenKey [0xF777398E] SSDT F7E3D588 ZwOpenProcess SSDT F7E3D58D ZwOpenThread SSDT sptd.sys ZwQueryKey [0xF7774064] SSDT sptd.sys ZwQueryValueKey [0xF7773EFC] SSDT F7E3D5C4 ZwReplaceKey SSDT F7E3D5BF ZwRestoreKey SSDT F7E3D5FB ZwSetContextThread SSDT F7E3D5B0 ZwSetValueKey SSDT F7E3D597 ZwTerminateProcess ---- Kernel code sections - GMER 1.0.15 ---- ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. ? C:\WINDOWS\System32\Drivers\SPTD1661.SYS Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6B51380, 0x566445, 0xE8000020] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F777C89E] sptd.sys IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7792D86] sptd.sys IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F777CE24] sptd.sys IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F777CD28] sptd.sys IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F777CEF4] sptd.sys IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F777CEF4] sptd.sys IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F777CE24] sptd.sys IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F777CD28] sptd.sys IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F77921AE] sptd.sys IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F777CA5A] sptd.sys IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F779204A] sptd.sys IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F777C8F2] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F776FAD2] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F776FC0E] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F776FB96] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F777076C] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F7770642] sptd.sys IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7792E4A] sptd.sys IAT \WINDOWS\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F77818C6] sptd.sys IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F779204A] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7792056] sptd.sys IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7792E4A] sptd.sys IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F777CCC6] sptd.sys IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F777CCC6] sptd.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 867D99C0 Device \FileSystem\Fastfat \FatCdrom 866DB0E8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 -1823337126 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -526378118 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1421335643 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC0 0x40 0xFD 0x80 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 E:\Programy\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x95 0x47 0x54 0xF8 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x1C 0x4F 0x5F 0x53 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xF3 0x1E 0x9A 0xDA ... ---- EOF - GMER 1.0.15 ----