GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-15 20:04:23
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 ST3320620AS rev.3.AAK
Running: mulsmk2i.exe; Driver: C:\DOCUME~1\Gosia\USTAWI~1\Temp\kwrdqpow.sys

---- System - GMER 1.0.15 ----

SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwAllocateVirtualMemory [0xB87C3088]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwClose [0xF78208A0]
SSDT spxj.sys ZwCreateKey [0xF74D60E0]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwCreateThread [0xB87C41E0]
SSDT spxj.sys ZwEnumerateKey [0xF74F4DA4]
SSDT spxj.sys ZwEnumerateValueKey [0xF74F5132]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwFreeVirtualMemory [0xB87C3306]
SSDT spxj.sys ZwOpenKey [0xF74D60C0]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwOpenProcess [0xF78208D0]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwOpenSection [0xB87C2ED2]
SSDT spxj.sys ZwQueryKey [0xF74F520A]
SSDT spxj.sys ZwQueryValueKey [0xF74F508A]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwQueueApcThread [0xB87C42E2]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwSetContextThread [0xB87C432E]
SSDT spxj.sys ZwSetValueKey [0xF74F529C]
SSDT dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwSystemDebugControl [0xB87C2E00]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateProcess [0xF7820980]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwTerminateThread [0xF7820A20]
SSDT \??\C:\Program Files\AVG\AVG8\IdentityProtection\agent\driver\platform_XP\AVGIDSShim.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies ) ZwWriteVirtualMemory [0xF7820AC0]

INT 0x63 ? 89C10BF8
INT 0x73 ? 899C1BF8
INT 0x73 ? 899C1BF8
INT 0x83 ? 899C1BF8
INT 0x83 ? 899C1BF8
INT 0x84 ? 899C1BF8
INT 0xA4 ? 899C1BF8
INT 0xB4 ? 89C10BF8
INT 0xB4 ? 89C10BF8
INT 0xB4 ? 89C10BF8
INT 0xB4 ? 89C10BF8
INT 0xB4 ? 899C1BF8
INT 0xB4 ? 89C10BF8

---- Kernel code sections - GMER 1.0.15 ----

? spxj.sys Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB756B360, 0x3D46A5, 0xE8000020]
.text USBPORT.SYS!DllUnload B754C62C 5 Bytes JMP 899C11D8
pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xB3C79F00, 0x24000, 0x48000000]
? C:\DOCUME~1\Gosia\USTAWI~1\Temp\h4F6y2J2.sys Nie można odnaleźć określonego pliku. !

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 89C132D8
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F7507D4C] spxj.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F7507DA0] spxj.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F74D7042] spxj.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F74D713E] spxj.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F74D70C0] spxj.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F74D7800] spxj.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F74D76D6] spxj.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 899C12D8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F74E6E9C] spxj.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 88CF8AB8
Device \FileSystem\Ntfs \Ntfs 88DA17B8
Device \FileSystem\Ntfs \Ntfs 89C0F1F8
Device \FileSystem\Ntfs \Ntfs 88ED8D00
Device \FileSystem\Ntfs \Ntfs 8973D008
AttachedDevice \FileSystem\Ntfs \Ntfs dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \FileSystem\Ntfs \Ntfs AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
Device \FileSystem\Fastfat \FatCdrom 88DF1080
Device \FileSystem\Fastfat \FatCdrom 89654500
Device \FileSystem\Fastfat \FatCdrom 88F3E828
Device \FileSystem\Fastfat \FatCdrom 88E4C9C0
AttachedDevice \Driver\Tcpip \Device\Ip dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-0 899BF1F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89BA01F8
Device \Driver\dmio \Device\DmControl\DmConfig 89BA01F8
Device \Driver\dmio \Device\DmControl\DmPnP 89BA01F8
Device \Driver\dmio \Device\DmControl\DmInfo 89BA01F8
Device \Driver\usbuhci \Device\USBPDO-1 899BF1F8
Device \Driver\usbehci \Device\USBPDO-2 899891F8
Device \Driver\usbuhci \Device\USBPDO-3 899BF1F8
Device \Driver\usbuhci \Device\USBPDO-4 899BF1F8
AttachedDevice \Driver\Tcpip \Device\Tcp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-5 899BF1F8
Device \Driver\usbuhci \Device\USBPDO-6 899BF1F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 89C111F8
Device \Driver\usbehci \Device\USBPDO-7 899891F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 89C111F8
Device \Driver\Cdrom \Device\CdRom0 898FB1F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 89C111F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 896C2500
AttachedDevice \Driver\Tcpip \Device\Udp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\Udp AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{2F4E276E-7750-41FF-9FD3-CC0B33557860} 896C2500
Device \Driver\usbuhci \Device\USBFDO-0 899BF1F8
Device \Driver\usbuhci \Device\USBFDO-1 899BF1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8978C500
Device \Driver\usbehci \Device\USBFDO-2 899891F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8978C500
Device \Driver\usbuhci \Device\USBFDO-3 899BF1F8
Device \Driver\usbuhci \Device\USBFDO-4 899BF1F8
Device \Driver\Ftdisk \Device\FtControl 89C111F8
Device \Driver\usbuhci \Device\USBFDO-5 899BF1F8
Device \Driver\usbuhci \Device\USBFDO-6 899BF1F8
Device \Driver\usbehci \Device\USBFDO-7 899891F8
Device \FileSystem\Fastfat \Fat 88DF1080
Device \FileSystem\Fastfat \Fat 89654500
Device \FileSystem\Fastfat \Fat 88F3E828
Device \FileSystem\Fastfat \Fat 88E4C9C0
AttachedDevice \FileSystem\Fastfat \Fat dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat AVGIDSFilter.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies )
Device \FileSystem\Cdfs \Cdfs 88F001F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC3 0x8A 0xCD 0xC2 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD9 0xFB 0x43 0x22 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF6 0x34 0x2D 0xF8 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x23 0x81 0x36 0x15 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0x8C 0x10 0x46 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{dcdfeb0f-63e6-4ca6-8b85-8f91b25750fe}@Model 183
Reg HKLM\SOFTWARE\Classes\CLSID\{dcdfeb0f-63e6-4ca6-8b85-8f91b25750fe}@Therad 29
Reg HKLM\SOFTWARE\Classes\CLSID\{dcdfeb0f-63e6-4ca6-8b85-8f91b25750fe}@MData 0x73 0xD5 0xCF 0xB8 ...
Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\8\Shell@ScrollPos1680x1050(1).y 3

---- EOF - GMER 1.0.15 ----