GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-21 20:28:37
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6 WDC_WD5000AAKS-00D2B0 rev.12.01C02
Running: snwv2nek.exe; Driver: C:\DOCUME~1\ppp\USTAWI~1\Temp\pwndipog.sys

---- System - GMER 1.0.15 ----

SSDT 8A0D6C90 ZwAssignProcessToJobObject
SSDT a347bus.sys ZwClose [0xB7E75028]
SSDT a347bus.sys ZwCreateKey [0xB7E74FE0]
SSDT a347bus.sys ZwCreatePagingFile [0xB7E68B00]
SSDT 8A0D7200 ZwDebugActiveProcess
SSDT 8A0D72F0 ZwDuplicateObject
SSDT a347bus.sys ZwEnumerateKey [0xB7E695DC]
SSDT a347bus.sys ZwEnumerateValueKey [0xB7E75120]
SSDT a347bus.sys ZwOpenFile [0xB7E68B40]
SSDT a347bus.sys ZwOpenKey [0xB7E74FA4]
SSDT 8A0D6590 ZwOpenProcess
SSDT 8A0D6800 ZwOpenThread
SSDT 8A0D6FD0 ZwProtectVirtualMemory
SSDT a347bus.sys ZwQueryKey [0xB7E695FC]
SSDT a347bus.sys ZwQueryValueKey [0xB7E75076]
SSDT 8A0D70E0 ZwQueueApcThread
SSDT 8A0D6EC0 ZwSetContextThread
SSDT 8A0D6D90 ZwSetInformationThread
SSDT 8A0D3DA0 ZwSetSecurityObject
SSDT a347bus.sys ZwSetSystemPowerState [0xB7E74550]
SSDT spgw.sys ZwSetValueKey [0xB7EC719A]
SSDT 8A0D6B90 ZwSuspendProcess
SSDT 8A0D6A80 ZwSuspendThread
SSDT 8A0D66E0 ZwTerminateProcess
SSDT 8A0D6A50 ZwTerminateThread
SSDT 8A0D76D0 ZwWriteVirtualMemory

INT 0x62 ? 8B13CBF8
INT 0x63 ? 8B13CBF8
INT 0x63 ? 8B13CBF8
INT 0x63 ? 8AE39BF8
INT 0x63 ? 8B13CBF8
INT 0x82 ? 8B13CBF8
INT 0x83 ? 8AE39BF8
INT 0xA4 ? 8AE39BF8
INT 0xB4 ? 8AE39BF8

---- Kernel code sections - GMER 1.0.15 ----

? spgw.sys Nie można odnaleźć określonego pliku. !
? a347bus.sys Nie można odnaleźć określonego pliku. !
? pavboot.sys Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB69D23A0, 0x59FFE5, 0xE8000020]
.text USBPORT.SYS!DllUnload B69678AC 5 Bytes JMP 8AE391D8
.text aidozy3e.SYS B68AB386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aidozy3e.SYS B68AB3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aidozy3e.SYS B68AB3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text aidozy3e.SYS B68AB3C9 1 Byte [2E]
.text aidozy3e.SYS B68AB3C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...
? C:\WINDOWS\System32\Drivers\aidozy3e.SYS Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xB4519280]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB3A44300, 0x3AE88, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB8448300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1476] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3312] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EB9048] spgw.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8B0DD1F8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\usbuhci \Device\USBPDO-0 8AE381F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{4C415CD4-DB3D-43ED-8241-CD0695F58B06} 8ABBF500
Device \Driver\usbuhci \Device\USBPDO-1 8AE381F8
Device \Driver\usbuhci \Device\USBPDO-2 8AE381F8
Device \Driver\usbuhci \Device\USBPDO-3 8AE381F8
Device \Driver\usbehci \Device\USBPDO-4 8ADFD1F8
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B0DF1F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B0DF1F8
Device \Driver\Cdrom \Device\CdRom0 8AB7A820
Device \FileSystem\Rdbss \Device\FsWrap 8AC00320
Device \Driver\atapi \Device\Ide\IdePort0 8ABBA660
Device \Driver\atapi \Device\Ide\IdePort1 8ABBA660
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-6 8ABBA660
Device \Driver\atapi \Device\Ide\IdePort2 8ABBA660
Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-e 8ABBA660
Device \Driver\atapi \Device\Ide\IdePort3 8ABBA660
Device \Driver\Ftdisk \Device\HarddiskVolume3 8B0DF1F8
Device \Driver\sptd \Device\4167573418 spgw.sys
Device \Driver\NetBT \Device\NetBT_Tcpip_{4CD60172-9CD5-44CA-AB34-26003A6F5913} 8ABBF500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8ABBF500
Device \Driver\NetBT \Device\NetbiosSmb 8ABBF500
Device \Driver\PCI_PNP7168 \Device\0000004f spgw.sys
Device \FileSystem\Srv \Device\LanmanServer 8ACF1C30
Device \Driver\usbuhci \Device\USBFDO-0 8AE381F8
Device \Driver\usbuhci \Device\USBFDO-1 8AE381F8
Device \Driver\usbuhci \Device\USBFDO-2 8AE381F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AB75500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AD939D8
Device \Driver\usbuhci \Device\USBFDO-3 8AE381F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AB75500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AD939D8
Device \FileSystem\Npfs \Device\NamedPipe 8AF33DB8
Device \Driver\Ftdisk \Device\FtControl 8B0DF1F8
Device \Driver\usbehci \Device\USBFDO-4 8ADFD1F8
Device \Driver\usbstor \Device\0000007d 8AC37500
Device \Driver\usbstor \Device\0000007e 8AC37500
Device \FileSystem\Msfs \Device\Mailslot 8AF64738
Device \Driver\aidozy3e \Device\Scsi\aidozy3e1 8ABCC4C8
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 8AF86650
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 8AF86650
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 8AF86650
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 8AF86650
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 8AF86650
Device \FileSystem\Cdfs \Cdfs 8ABAE500
Device \FileSystem\Cdfs \Cdfs 8AF7C268

---- Modules - GMER 1.0.15 ----

Module _________ B7DF0000-B7E08000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF4 0xE5 0xEC 0x0E ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x77 0x89 0x01 0x0B ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xBF 0x49 0xA6 0x7D ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xF7 0xC9 0xBB 0x33 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x16 0xB6 0xAA 0xC2 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0x36 0xF6 0x8D 0x1D ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF4 0xE5 0xEC 0x0E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x97 0x39 0x88 0xB6 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x46 0x06 0xD6 0xDF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF4 0xE5 0xEC 0x0E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xD4 0x89 0x5C 0x92 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAE 0x3D 0x7E 0x81 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE6 0xA3 0x36 0x38 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xE1 0xC9 0xD1 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xB1 0xB7 0x42 0x30 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF4 0xE5 0xEC 0x0E ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x77 0x89 0x01 0x0B ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xAE 0x3D 0x7E 0x81 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xE6 0xA3 0x36 0x38 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0xE1 0xC9 0xD1 0x36 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf43@khjeh 0xB1 0xB7 0x42 0x30 ...

---- EOF - GMER 1.0.15 ----