GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-11 21:29:45
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JB-00FMA0 rev.13.03G13
Running: o8xzg1v3.exe; Driver: C:\DOCUME~1\Oliwia\USTAWI~1\Temp\kgloyuoc.sys


---- System - GMER 1.0.15 ----

SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwClose [0xB6562CD2]
SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwCreateKey [0xB6562B8E]
SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwDeleteKey [0xB6563142]
SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwDeleteValueKey [0xB656306C]
SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwDuplicateObject [0xB6562764]
SSDT   spyb.sys   ZwEnumerateKey [0xF746CCA4]
SSDT   spyb.sys   ZwEnumerateValueKey [0xF746D032]
SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwOpenKey [0xB6562C68]
SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwOpenProcess [0xB65626A4]
SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwOpenThread [0xB6562708]
SSDT   spyb.sys   ZwQueryKey [0xF746D10A]
SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwQueryValueKey [0xB6562D88]
SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwRenameKey [0xB6563210]
SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwRestoreKey [0xB6562D48]
SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwSetValueKey [0xB6562EC8]

INT 0x62   ?   86FDABF8
INT 0x82   ?   86FDABF8
INT 0x83   ?   86F70BF8
INT 0xB4   ?   86D23BF8
INT 0xB4   ?   86D23BF8
INT 0xB4   ?   86D23BF8
INT 0xB4   ?   86D23BF8
INT 0xB4   ?   86D23BF8
INT 0xB4   ?   86D23BF8

Code   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwCreateProcessEx [0xB656FB9C]
Code   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwCreateSection [0xB656F9C0]
Code   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwLoadDriver [0xB656FAFA]
Code   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   NtCreateSection
Code   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ObInsertObject
Code   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!_abnormal_termination + B0   804E271C 2 Bytes  [D2, 2C]
.text  ntoskrnl.exe!_abnormal_termination + B3   804E271F 1 Byte  [B6]
.text  ntoskrnl.exe!_abnormal_termination + 228  804E2894 2 Bytes  [68, 2C]
.text  ntoskrnl.exe!_abnormal_termination + 22B  804E2897 1 Byte  [B6]
.text  ntoskrnl.exe!_abnormal_termination + 310  804E297C 2 Bytes  [88, 2D]
.text  ...
PAGE   ntoskrnl.exe!ObInsertObject   8056503A 5 Bytes  JMP B656CF6C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE   ntoskrnl.exe!NtCreateSection   805652B3 7 Bytes  JMP B656F9C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE   ntoskrnl.exe!ZwCreateProcessEx   8057FE4C 7 Bytes  JMP B656FBA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE   ntoskrnl.exe!ObMakeTemporaryObject   8059F8CA 5 Bytes  JMP B656B5B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE   ntoskrnl.exe!ZwLoadDriver   805A3B73 7 Bytes  JMP B656FAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
?      wtdap.sys   The system cannot find the file specified.   !
?      spyb.sys    The system cannot find the file specified.   !
.text  USBPORT.SYS!DllUnload   F69668AC 5 Bytes  JMP 86D231D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT    \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint]   86F702D8
IAT    pci.sys[ntoskrnl.exe!IoDetachDevice]   [F747FC4C] spyb.sys
IAT    pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]   [F747FCA0] spyb.sys
IAT    atapi.sys[HAL.dll!READ_PORT_UCHAR]   [F744F042] spyb.sys
IAT    atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]   [F744F13E] spyb.sys
IAT    atapi.sys[HAL.dll!READ_PORT_USHORT]   [F744F0C0] spyb.sys
IAT    atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]   [F744F800] spyb.sys
IAT    atapi.sys[HAL.dll!WRITE_PORT_UCHAR]   [F744F6D6] spyb.sys
IAT    \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]   86D232D8

---- User IAT/EAT - GMER 1.0.15 ----

IAT    C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]   003D0002
IAT    C:\WINDOWS\system32\services.exe[756] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]   003D0000

---- Devices - GMER 1.0.15 ----

Device   aswSP.SYS (avast! self protection module/ALWIL Software)
Device   86FD81F8
Device   Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device   86978500
AttachedDevice   \Driver\Tcpip \Device\Ip   aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device   \Driver\usbuhci \Device\USBPDO-0   86D221F8
Device   \Driver\dmio \Device\DmControl\DmIoDaemon   86F6E1F8
Device   \Driver\dmio \Device\DmControl\DmConfig   86F6E1F8
Device   \Driver\dmio \Device\DmControl\DmPnP   86F6E1F8
Device   \Driver\dmio \Device\DmControl\DmInfo   86F6E1F8
Device   \Driver\usbuhci \Device\USBPDO-1   86D221F8
Device   \Driver\usbuhci \Device\USBPDO-2   86D221F8
Device   \Driver\usbuhci \Device\USBPDO-3   86D221F8
Device   \Driver\usbehci \Device\USBPDO-4   86CF51F8
AttachedDevice   \Driver\Tcpip \Device\Tcp   aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device   \Driver\Ftdisk \Device\HarddiskVolume1   86FDB1F8
Device   \Driver\Ftdisk \Device\HarddiskVolume2   86FDB1F8
Device   \Driver\Cdrom \Device\CdRom0   86D81500
Device   \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17   [F73A1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device   \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3   [F73A1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device   \Driver\atapi \Device\Ide\IdePort0   [F73A1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device   \Driver\atapi \Device\Ide\IdePort1   [F73A1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device   \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f   [F73A1B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device   \Driver\Cdrom \Device\CdRom1   86D81500
Device   \Driver\USBSTOR \Device\00000066   86A4C500
Device   \Driver\USBSTOR \Device\00000067   86A4C500
Device   \Driver\NetBT \Device\NetBt_Wins_Export   866F0500
AttachedDevice   \Driver\Tcpip \Device\Udp   aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice   \Driver\Tcpip \Device\RawIp   aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device   \Driver\NetBT \Device\NetBT_Tcpip_{BAE111A9-4F63-4469-94B4-9891FB0A3D54}   866F0500
Device   \Driver\usbuhci \Device\USBFDO-0   86D221F8
Device   \Driver\usbuhci \Device\USBFDO-1   86D221F8
Device   \Driver\NetBT \Device\NetBT_Tcpip_{6CF5142F-5952-49FA-9272-1E324CBBAFBB}   866F0500
Device   \FileSystem\MRxSmb \Device\LanmanDatagramReceiver   8670D1F8
Device   \Driver\usbuhci \Device\USBFDO-2   86D221F8
Device   8670D1F8
Device   \Driver\usbuhci \Device\USBFDO-3   86D221F8
Device   \Driver\usbehci \Device\USBFDO-4   86CF51F8
Device   \Driver\Ftdisk \Device\FtControl   86FDB1F8
Device   \Driver\viamraid \Device\Scsi\viamraid1   86F6D1F8
AttachedDevice   fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device   \FileSystem\Cdfs \Cdfs   86881500

---- Registry - GMER 1.0.15 ----

Reg   HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1   771343423
Reg   HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2   285507792

---- EOF - GMER 1.0.15 ----
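The script below is an added triage helper; it is not part of the posted log and is not a GMER tool. It parses the SSDT, Code, inline JMP and kernel IAT entries of a GMER 1.0.15 log, groups every hook by the module that owns the hook destination, and flags modules for which GMER printed no version-resource description (a bare file name instead of "name.sys (description/vendor)") or reported the backing file as not found. SAMPLE_LOG is an excerpt of the log above; the regexes, function names and the "<unresolved>" bucket for hook destinations GMER could not attribute to any module are this script's own choices. Run over the excerpt it puts spyb.sys first: it owns the SSDT hooks on the registry enumeration services and the IAT hooks on the atapi.sys port I/O and pci.sys device-attach imports, carries no description, and is listed as missing on disk, while every aswSP.SYS hook is attributed to the avast! self-protection module. One caveat before calling that a rootkit: a randomly named sp??.sys that hooks atapi.sys and pci.sys this way, next to Services\sptd\Cfg registry values like the two in the Registry section, is also how the SPTD driver shipped with disc-emulation software (DAEMON Tools, Alcohol 120%) shows up in GMER, so check whether such software is installed before acting on the flag.

```python
"""Triage a GMER 1.0.15 log: group kernel hooks by the module owning the hook
destination and flag modules GMER could not describe or could not find on disk.
Added example, not GMER code; SAMPLE_LOG is an excerpt of the log above."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwClose [0xB6562CD2]
SSDT   spyb.sys   ZwEnumerateKey [0xF746CCA4]
SSDT   spyb.sys   ZwEnumerateValueKey [0xF746D032]
SSDT   spyb.sys   ZwQueryKey [0xF746D10A]
Code   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ZwLoadDriver [0xB656FAFA]
Code   \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)   ObInsertObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE   ntoskrnl.exe!ZwLoadDriver   805A3B73 7 Bytes  JMP B656FAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
?      wtdap.sys   The system cannot find the file specified.   !
?      spyb.sys    The system cannot find the file specified.   !
.text  USBPORT.SYS!DllUnload   F69668AC 5 Bytes  JMP 86D231D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT    pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]   [F747FCA0] spyb.sys
IAT    atapi.sys[HAL.dll!READ_PORT_UCHAR]   [F744F042] spyb.sys
IAT    \SystemRoot\System32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]   86D232D8
"""

UNRESOLVED = "<unresolved>"   # hook destination GMER attributed to no module

# "SSDT <module> <service> [0xADDR]" and "Code <module> <routine> [0xADDR]?"
HOOK_RE = re.compile(r"^(?P<kind>SSDT|Code)\s+(?P<module>.+?)\s+(?P<func>\w+)(?:\s+\[0x[0-9A-Fa-f]+\])?$")
# Inline patch: "PAGE|.text <target> <addr> <n> Bytes JMP <dest> [<module>]"
JMP_RE = re.compile(r"^(?:\.text|PAGE)\s+(?P<target>\S+)\s+[0-9A-Fa-f]+\s+\d+ Bytes\s+JMP\s+[0-9A-Fa-f]+(?:\s+(?P<module>\S.*))?$")
# Kernel IAT: "IAT <image>[<import>] [<dest>] <module>" or "... <dest>" (unattributed)
IAT_RE = re.compile(r"^IAT\s+(?P<target>\S+?)\[(?P<import>[^\]]+)\]\s+(?:\[[0-9A-Fa-f]+\]\s+(?P<module>\S.*)|[0-9A-Fa-f]+)$")
# "? <file> <Windows error text> !"
MISSING_RE = re.compile(r"^\?\s+(?P<name>\S+)\s+(?P<msg>.+?)\s+!$")
MODULE_RE = re.compile(r"^(?P<path>\S+)(?:\s+\((?P<desc>.*)\))?$")


def split_module(module):
    """'\\path\\x.sys (Desc/Vendor)' -> ('x.sys', 'Desc/Vendor'); bare name -> (name, None)."""
    m = MODULE_RE.match(module.strip())
    if not m:
        return module.strip(), None
    return m["path"].rsplit("\\", 1)[-1], m["desc"]


def parse_hooks(log_text):
    """Return ({module: [(kind, target), ...]}, {module: description}, {module: error})."""
    hooks, desc, missing = defaultdict(list), {}, {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if m := MISSING_RE.match(line):
            missing[m["name"]] = m["msg"]
            continue
        if m := HOOK_RE.match(line):
            kind, module, target = m["kind"], m["module"], m["func"]
        elif m := JMP_RE.match(line):
            kind, module, target = "JMP", m["module"], m["target"]
        elif m := IAT_RE.match(line):
            kind, module, target = "IAT", m["module"], f"{m['target']}[{m['import']}]"
        else:
            continue   # headers, INT/Device/Reg lines, byte-patch lines without JMP
        name, d = (UNRESOLVED, None) if module is None else split_module(module)
        hooks[name].append((kind, target))
        desc.setdefault(name, d)
    return hooks, desc, missing


def triage(log_text):
    """Per module: hook count, hook kinds, GMER description, and triage flags."""
    hooks, desc, missing = parse_hooks(log_text)
    report = {}
    for name, entries in hooks.items():
        flags = []
        if name == UNRESOLVED:
            flags.append("hook destination not attributed to any module")
        else:
            if desc.get(name) is None:
                flags.append("no description: GMER could not read version info")
            if name in missing:
                flags.append(f"GMER: {missing[name]}")
        report[name] = {"hooks": len(entries), "kinds": sorted({k for k, _ in entries}),
                        "description": desc.get(name), "flags": flags}
    for name, msg in missing.items():   # missing files that own no visible hook
        report.setdefault(name, {"hooks": 0, "kinds": [], "description": None,
                                 "flags": [f"GMER: {msg}"]})
    return report


def suspicious(report):
    """Flagged module names, most hooks first."""
    return sorted((n for n, r in report.items() if r["flags"]), key=lambda n: -report[n]["hooks"])


if __name__ == "__main__":
    rep = triage(SAMPLE_LOG)
    for name in sorted(rep, key=lambda n: -rep[n]["hooks"]):
        r = rep[name]
        print(f"{name:14} hooks={r['hooks']:2} kinds={','.join(r['kinds']) or '-'}  {r['description'] or ''}")
        for f in r["flags"]:
            print(f"{'':14}   ! {f}")
```

Point it at a full GMER log by replacing SAMPLE_LOG with the file contents; the user-mode IAT lines (the services.exe entries above) use a different layout and are deliberately skipped, as are the INT, Device and Registry sections, which need their own interpretation.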