GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-20 13:12:14
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 ST3500418AS rev.CC38
Running: 6l1j7cde.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\fftiyfod.sys


---- System - GMER 1.0.15 ----

SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwCreateKey [0xBA1DB808]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwDeleteKey [0xBA1DBB5C]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwDeleteValueKey [0xBA1DBB9C]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwOpenKey [0xBA1DB9AE]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwOpenProcess [0xBA1DA462]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwSetValueKey [0xBA1DBB00]

INT 0x62  ?  8A560CB8
INT 0x63  ?  8A3F2CB8
INT 0x73  ?  8A3F2CB8
INT 0x82  ?  8A560CB8
INT 0xA4  ?  8A3F2CB8
INT 0xB4  ?  8A560CB8
INT 0xB4  ?  8A560CB8
INT 0xB4  ?  8A3F2CB8
INT 0xB4  ?  8A560CB8

---- Kernel code sections - GMER 1.0.15 ----

?  sptd.sys  The system cannot find the file specified. !
.text  USBPORT.SYS!DllUnload  B92B48AC 5 Bytes  JMP 8A3F21C8
?  System32\Drivers\SCDEmu.SYS  The system cannot find the path specified. !

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[2320] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 01495B00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2320] kernel32.dll!lstrlenW + 43  7C809AEC 7 Bytes  JMP 016D7B58 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2320] kernel32.dll!MapViewOfFileEx + 6A  7C80B9A0 1 Byte  [E9]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2320] kernel32.dll!MapViewOfFileEx + 6A  7C80B9A0 7 Bytes  JMP 016D7B35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2320] kernel32.dll!ValidateLocale + B130  7C844958 7 Bytes  JMP 0149EF12 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2320] GDI32.dll!SetDIBitsToDevice + 20A  77F19E14 7 Bytes  JMP 016D7AB6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Microsoft Office\Office14\MSTORDB.EXE[2504] ole32.dll!OleLoadFromStream  7751983B 5 Bytes  JMP 394D7978 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)
.text  C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[3420] kernel32.dll!SetUnhandledExceptionFilter  7C84495D 5 Bytes  JMP 39007DFE C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)
.text  C:\Program Files\Microsoft Office\Office14\WINWORD.EXE[3420] ole32.dll!OleLoadFromStream  7751983B 5 Bytes  JMP 394D7978 C:\Program Files\Common Files\Microsoft Shared\office14\mso.dll (Microsoft Office 2010 component/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG]  [B9E8F232] sptd.sys
IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR]  [B9E8E730] sptd.sys
IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR]  [B9E8EF12] sptd.sys
IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [B9E8E730] sptd.sys
IAT  atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]  [B9E8E914] sptd.sys
IAT  atapi.sys[HAL.dll!READ_PORT_USHORT]  [B9E8E856] sptd.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]  [B9E8F0F0] sptd.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]  [B9E8EF12] sptd.sys
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [B9EA2EB0] sptd.sys

---- Devices - GMER 1.0.15 ----

Device  \FileSystem\Ntfs \Ntfs  8A55F1E8
Device  \Driver\Tcpip \Device\Ip  GDTdiIcpt.sys (G Data Software AG)
Device  \Driver\usbuhci \Device\USBPDO-0  8A33F1E8
Device  \Driver\usbuhci \Device\USBPDO-1  8A33F1E8
Device  \Driver\usbuhci \Device\USBPDO-2  8A33F1E8
Device  \Driver\usbuhci \Device\USBPDO-3  8A33F1E8
Device  \Driver\usbehci \Device\USBPDO-4  8A3DB1E8
Device  \Driver\Tcpip \Device\Tcp  GDTdiIcpt.sys (G Data Software AG)
Device  \Driver\Cdrom \Device\CdRom0  8A31F1E8
Device  \Driver\usbstor \Device\00000072  8A1821E8
Device  \Driver\atapi \Device\Ide\IdePort0  [B9DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5  [B9DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort1  [B9DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort2  [B9DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdePort3  [B9DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10  [B9DF8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\usbstor \Device\00000073  8A1821E8
Device  \Driver\usbstor \Device\00000074  8A1821E8
Device  \Driver\usbstor \Device\00000075  8A1821E8
Device  \Driver\usbstor \Device\00000076  8A1821E8
Device  \Driver\NetBT \Device\NetBt_Wins_Export  89F9F430
Device  \Driver\NetBT \Device\NetbiosSmb  89F9F430
Device  \Driver\Tcpip \Device\Udp  GDTdiIcpt.sys (G Data Software AG)
Device  \Driver\Tcpip \Device\RawIp  GDTdiIcpt.sys (G Data Software AG)
Device  \Driver\usbuhci \Device\USBFDO-0  8A33F1E8
Device  \Driver\usbuhci \Device\USBFDO-1  8A33F1E8
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  89FB6430
Device  \Driver\Tcpip \Device\IPMULTICAST  GDTdiIcpt.sys (G Data Software AG)
Device  \Driver\usbuhci \Device\USBFDO-2  8A33F1E8
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  89FB6430
Device  \Driver\usbuhci \Device\USBFDO-3  8A33F1E8
Device  \Driver\usbehci \Device\USBFDO-4  8A3DB1E8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{4EFC1AF7-DFB5-4922-A1A6-EB2641A113E1}  89F9F430
Device  \FileSystem\Cdfs \Cdfs  8A0AB430

---- Processes - GMER 1.0.15 ----

Process  C:\WINDOWS\system32\zshp1018.exe (*** hidden *** )  736

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x85 0xF6 0x83 0xEA ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x85 0xF6 0x83 0xEA ...

---- EOF - GMER 1.0.15 ----
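A first-pass triage of a log like this, as an added example (not part of the GMER output above and not GMER's own code): the script splits the log into its `---- <Section> - GMER x.y.z ----` blocks and sorts each entry by how much it deserves attention. Hooks that GMER could attribute to a module with a vendor string (here G Data, Mozilla, Microsoft) are recorded as informational; hooks into a bare address or into an unattributed module, and loaded drivers whose file cannot be opened, stay flagged; a process marked `*** hidden ***` is always the first thing to pull. The vendor allowlist and the disc-emulation allowlist (`sptd.sys`, `scdemu.sys`) are assumptions made for this example and should be confirmed against what is actually installed on the box before being trusted; the embedded sample is an excerpt of the log above.

```python
"""Triage helper for GMER rootkit-scan logs (example code, not GMER's)."""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# GMER appends "(<description>/<vendor>)" or "(<vendor>)" taken from a module's version info.
VENDOR_RE = re.compile(r"\((?:[^()]*/)?(?P<vendor>[^()/]+)\)")
HOOK_PREFIXES = ("SSDT", ".text", "IAT", "Device", "INT")

# Assumed for this example: vendors whose hooks are expected on this machine.
KNOWN_VENDORS = {"G Data Software AG", "Mozilla Foundation", "Microsoft Corporation"}
# Assumed for this example: drivers installed by disc-emulation software (SPTD is
# Duplex Secure's pass-through driver shipped with DAEMON Tools / Alcohol 120%).
# Confirm the product is really installed before accepting these as benign.
KNOWN_UNATTRIBUTED_MODULES = {"sptd.sys", "scdemu.sys"}


@dataclass(frozen=True)
class Finding:
    severity: str  # "high", "medium", "low" or "info"
    section: str
    reason: str
    line: str


def _classify(section: str, line: str) -> Optional[Finding]:
    """Map one GMER entry to a Finding, or None for header/registry noise."""
    if line.startswith("Process") and "*** hidden ***" in line:
        return Finding("high", section, "process hidden from the user-mode process list", line)
    if line.startswith("?"):  # loaded module GMER could not read from disk
        if any(m in line.lower() for m in KNOWN_UNATTRIBUTED_MODULES):
            return Finding("info", section, "unreadable module file, name is allowlisted", line)
        return Finding("medium", section, "loaded module whose file cannot be opened on disk", line)
    if not line.startswith(HOOK_PREFIXES):
        return None
    if line.startswith("INT"):  # "?" owner: IDT entry GMER could not attribute
        return Finding("low", section, "IDT entry with unattributed owner", line)
    m = VENDOR_RE.search(line)
    if m and m.group("vendor").strip() in KNOWN_VENDORS:
        return Finding("info", section, f"hook attributed to {m.group('vendor').strip()}", line)
    if any(mod in line.lower() for mod in KNOWN_UNATTRIBUTED_MODULES):
        return Finding("info", section, "hook by an allowlisted disc-emulation driver", line)
    return Finding("medium", section, "hook or dispatch routine not attributed to a known module", line)


def triage(log_text: str) -> List[Finding]:
    """Walk the log, tracking the current section, and collect findings."""
    findings, section = [], "header"
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group("name")
            continue
        f = _classify(section, line)
        if f:
            findings.append(f)
    return findings


def summarize(findings: List[Finding]) -> dict:
    return dict(Counter(f.severity for f in findings))


# Excerpt of the GMER log above (lines copied from it, not constructed).
SAMPLE_LOG = r"""
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-20 13:12:14

---- System - GMER 1.0.15 ----

SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwCreateKey [0xBA1DB808]
SSDT  \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG)  ZwOpenProcess [0xBA1DA462]
INT 0x62  ?  8A560CB8

---- Kernel code sections - GMER 1.0.15 ----

?  sptd.sys  The system cannot find the file specified. !
.text  USBPORT.SYS!DllUnload  B92B48AC 5 Bytes  JMP 8A3F21C8

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[2320] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 01495B00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [B9E8E730] sptd.sys

---- Devices - GMER 1.0.15 ----

Device  \Driver\Tcpip \Device\Ip  GDTdiIcpt.sys (G Data Software AG)
Device  \FileSystem\Ntfs \Ntfs  8A55F1E8

---- Processes - GMER 1.0.15 ----

Process  C:\WINDOWS\system32\zshp1018.exe (*** hidden *** )  736

---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for f in sorted(triage(SAMPLE_LOG), key=lambda f: ["high", "medium", "low", "info"].index(f.severity)):
        print(f"[{f.severity:6}] {f.section}: {f.reason}\n          {f.line}")
```

On the excerpt this yields one high (the hidden `zshp1018.exe`), two medium (the unattributed `JMP` out of `USBPORT.SYS!DllUnload` and the `\Ntfs` dispatch routine GMER printed only as an address), one low and six informational entries. The output is a work queue, not a verdict: the hidden process still has to be located on disk, hashed and signature-checked, and a "known vendor" string is only as trustworthy as the file it was read from.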