GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-12-13 22:25:35 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-e SAMSUNG_HD322HJ rev.1AC01113 Running: gmer.exe; Driver: C:\DOCUME~1\xpsp3\USTAWI~1\Temp\fgdiafod.sys ---- System - GMER 1.0.15 ---- SSDT sptd.sys ZwCreateKey [0xB7ECFA50] SSDT sptd.sys ZwEnumerateKey [0xB7F03FFE] SSDT sptd.sys ZwEnumerateValueKey [0xB7F0438C] SSDT sptd.sys ZwOpenKey [0xB7ECFA30] SSDT sptd.sys ZwQueryKey [0xB7F04464] SSDT sptd.sys ZwQueryValueKey [0xB7F042E4] SSDT sptd.sys ZwSetValueKey [0xB7F044F6] INT 0x62 ? 8A592CC8 INT 0x73 ? 8A447CC8 INT 0x83 ? 8A592CC8 INT 0xB4 ? 8A447CC8 ---- Kernel code sections - GMER 1.0.15 ---- PAGE sptd.sys B7EF3000 1 Byte [74] PAGE sptd.sys B7EF3004 5 Bytes [40, 33, EF, B7, A3] {INC EAX; XOR EBP, EDI; MOV BH, 0xa3} PAGE sptd.sys B7EF300C 5 Bytes [50, 34, EF, B7, 98] {PUSH EAX; XOR AL, 0xef; MOV BH, 0x98} PAGE sptd.sys B7EF3014 5 Bytes [B8, 33, EF, B7, 59] {MOV EAX, 0x59b7ef33} PAGE sptd.sys B7EF301C 5 Bytes [78, 32, EF, B7, 61] {JS 0x34; OUT DX, EAX; MOV BH, 0x61} PAGE ... .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB7F8CD38] ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text USBPORT.SYS!DllUnload B73528AC 5 Bytes JMP 8A4471D8 .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6B87360, 0x3E57A5, 0xE8000020] .text a1i5ri3r.SYS B6B3A306 50 Bytes [00, 00, 00, 48, 03, 00, F0, ...] .text a1i5ri3r.SYS B6B3A339 23 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text a1i5ri3r.SYS B6B3A351 87 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text a1i5ri3r.SYS B6B3A3A9 10 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL} .text a1i5ri3r.SYS B6B3A3B4 12 Bytes [40, 00, 00, C8, 50, 41, 47, ...] {INC EAX; ADD [EAX], AL; ENTER 0x4150, 0x47; INC EBP; ADD [EAX], AL; ADD [EAX], AL} .text ... ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Pando Networks\Media Booster\PMB.exe[1452] kernel32.dll!SetUnhandledExceptionFilter 7C8449CD 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B7E96574] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B7E960C0] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B7E96FE0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7E960C0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7E96362] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7E962A4] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7E971BC] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7E96FE0] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EAB312] sptd.sys IAT \SystemRoot\System32\Drivers\a1i5ri3r.SYS[HAL.dll!KeGetCurrentIrql] 5E0001F4 IAT \SystemRoot\System32\Drivers\a1i5ri3r.SYS[HAL.dll!KfAcquireSpinLock] C2C95B5F IAT \SystemRoot\System32\Drivers\a1i5ri3r.SYS[HAL.dll!KfReleaseSpinLock] 5F380008 IAT \SystemRoot\System32\Drivers\a1i5ri3r.SYS[HAL.dll!KfRaiseIrql] 56227411 IAT \SystemRoot\System32\Drivers\a1i5ri3r.SYS[HAL.dll!KfLowerIrql] B3C63A68 IAT \SystemRoot\System32\Drivers\a1i5ri3r.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] F7C31352 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A5911F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{4A82EC06-E588-4A32-93F1-340D02868362} 89A4D1F8 Device \Driver\usbohci \Device\USBPDO-0 8A38E1F8 Device \Driver\usbehci \Device\USBPDO-1 8A38A1F8 Device \Driver\Cdrom \Device\CdRom0 8A43B1F8 Device \Driver\atapi \Device\Ide\IdePort0 [B7DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B7DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B7DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-e [B7DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B7DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B7DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Cdrom \Device\CdRom1 8A43B1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 89A4D1F8 Device \Driver\PCI_PNP1842 \Device\0000004b sptd.sys Device \Driver\PCI_PNP1842 \Device\0000004b sptd.sys Device \Driver\NetBT \Device\NetbiosSmb 89A4D1F8 Device \Driver\usbohci \Device\USBFDO-0 8A38E1F8 Device \Driver\usbehci \Device\USBFDO-1 8A38A1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89A3F1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89A3F1F8 Device \Driver\a1i5ri3r \Device\Scsi\a1i5ri3r1 8A3491F8 Device \Driver\a1i5ri3r \Device\Scsi\a1i5ri3r1Port4Path0Target0Lun0 8A3491F8 Device \FileSystem\Cdfs \Cdfs 89A08430 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x69 0x18 0xE0 0xFA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x19 0xBD 0x25 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEF 0x0E 0xD7 0xB6 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x90 0x30 0x43 0x36 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xD4 0x9B 0x28 0xED ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6E 0xC5 0x67 0x93 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEF 0x0E 0xD7 0xB6 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4C 0x90 0x19 0xCA ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x69 0x18 0xE0 0xFA ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x19 0xBD 0x25 0x02 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xEF 0x0E 0xD7 0xB6 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x90 0x30 0x43 0x36 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@D:\Program Files\LucasArts\LEGO\xae Indiana Jones\x2122 2\Audio\Audio.CFG 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@D:\Program Files\LucasArts\LEGO\xae Indiana Jones\x2122 2\Audio\_CutScenes\AkatorHub_Intro.ogg 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@D:\Program Files\LucasArts\LEGO\xae Indiana Jones\x2122 2\Audio\_Music\1_0_HUB_1Nepal_Qui.ogg 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@D:\Program Files\LucasArts\LEGO\xae Indiana Jones\x2122 2\Movies\PC\attract.bik 1 ---- EOF - GMER 1.0.15 ----