GMER 1.0.15.15530 - http://www.gmer.net Rootkit scan 2011-02-26 17:24:01 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3 SAMSUNG_HD322HJ rev.1AC01110 Running: gmer.exe; Driver: C:\DOCUME~1\Krzychu\USTAWI~1\Temp\kxtdypog.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwClose [0xB3CA2CF0] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateKey [0xB3CA2BAC] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteKey [0xB3CA3160] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDeleteValueKey [0xB3CA308A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwDuplicateObject [0xB3CA2782] SSDT spxf.sys ZwEnumerateKey [0xB7ECDDA4] SSDT spxf.sys ZwEnumerateValueKey [0xB7ECE132] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenKey [0xB3CA2C86] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenProcess [0xB3CA26C2] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwOpenThread [0xB3CA2726] SSDT spxf.sys ZwQueryKey [0xB7ECE20A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwQueryValueKey [0xB3CA2DA6] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xB3CA322E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRestoreKey [0xB3CA2D66] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwSetValueKey [0xB3CA2EE6] INT 0x62 ? 89E52BF8 INT 0x63 ? 89A5FBF8 INT 0x82 ? 89E52BF8 INT 0x83 ? 89A5FBF8 INT 0xB4 ? 89A5FBF8 Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xB3CAFBAE] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0xB3CAF9D2] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0xB3CAFB0C] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) NtCreateSection Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- PAGE ntkrnlpa.exe!ZwLoadDriver 8058413A 7 Bytes JMP B3CAFB10 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!NtCreateSection 805AB3AE 7 Bytes JMP B3CAF9D6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC512 5 Bytes JMP B3CAB5D4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObInsertObject 805C2F96 5 Bytes JMP B3CACFFA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1136 7 Bytes JMP B3CAFBB2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ? spxf.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6DBA3A0, 0x5C77B9, 0xE8000020] .text USBPORT.SYS!DllUnload B6D118AC 5 Bytes JMP 89A5F1D8 .text a09y0891.SYS B6C89386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...] .text a09y0891.SYS B6C893AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text a09y0891.SYS B6C893C4 3 Bytes [00, 80, 02] .text a09y0891.SYS B6C893C9 1 Byte [30] .text a09y0891.SYS B6C893C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL} .text ... .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB27C2300, 0x3B6D8, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB8398300, 0x1BEE, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[232] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP } .text C:\Program Files\Mozilla Firefox\firefox.exe[1360] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EB6042] spxf.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EB613E] spxf.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EB60C0] spxf.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EB6800] spxf.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EB66D6] spxf.sys IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88 IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!KeGetCurrentIrql] 9E880000 IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!KfRaiseIrql] 00001CB1 IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!KfLowerIrql] 0E798366 IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!HalGetInterruptVector] 74AAB000 IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!HalTranslateBusAddress] 8986C636 IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6 IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000 IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!READ_PORT_USHORT] 001C9686 IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200 IAT \SystemRoot\System32\Drivers\a09y0891.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2 IAT \SystemRoot\System32\Drivers\a09y0891.SYS[WMILIB.SYS!WmiSystemControl] 8800001C IAT \SystemRoot\System32\Drivers\a09y0891.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINDOWS\system32\services.exe[1012] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[1012] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/AVAST Software) Device \FileSystem\Ntfs \Ntfs 89E511F8 AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software) AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\NetBT \Device\NetBT_Tcpip_{AFB0BE39-DFEA-4309-9E23-453A6A2308B0} 890E11F8 Device \Driver\usbuhci \Device\USBPDO-0 89B491F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{6CE6581B-E9CC-4991-9B31-02CF0C39C3A8} 890E11F8 Device \Driver\sptd \Device\835073078 spxf.sys Device \Driver\dmio \Device\DmControl\DmIoDaemon 89E531F8 Device \Driver\dmio \Device\DmControl\DmConfig 89E531F8 Device \Driver\dmio \Device\DmControl\DmPnP 89E531F8 Device \Driver\dmio \Device\DmControl\DmInfo 89E531F8 Device \Driver\usbuhci \Device\USBPDO-1 89B491F8 Device \Driver\usbuhci \Device\USBPDO-2 89B491F8 Device \Driver\usbuhci \Device\USBPDO-3 89B491F8 Device \Driver\usbehci \Device\USBPDO-4 89A481F8 AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\Ftdisk \Device\HarddiskVolume1 89DE41F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 89DE41F8 Device \Driver\Cdrom \Device\CdRom0 89A401F8 Device \Driver\atapi \Device\Ide\IdePort0 [B7DF2B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B7DF2B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 [B7DF2B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B7DF2B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Cdrom \Device\CdRom1 89A401F8 Device \Driver\Cdrom \Device\CdRom2 89A401F8 Device \Driver\usbstor \Device\00000076 89075500 Device \Driver\NetBT \Device\NetBt_Wins_Export 890E11F8 Device \Driver\PCI_PNP5578 \Device\0000004b spxf.sys Device \Driver\usbstor \Device\00000079 89075500 Device \Driver\NetBT \Device\NetbiosSmb 890E11F8 AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software) Device \Driver\NetBT \Device\NetBT_Tcpip_{CFEB3CA6-EEAA-4286-967E-9C0D4C53CB8F} 890E11F8 Device \Driver\usbuhci \Device\USBFDO-0 89B491F8 Device \Driver\usbstor \Device\0000007a 89075500 Device \Driver\usbuhci \Device\USBFDO-1 89B491F8 Device \Driver\usbstor \Device\0000007b 89075500 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 891001F8 Device \Driver\usbuhci \Device\USBFDO-2 89B491F8 Device \Driver\usbstor \Device\0000007c 89075500 Device \FileSystem\MRxSmb \Device\LanmanRedirector 891001F8 Device \Driver\usbuhci \Device\USBFDO-3 89B491F8 Device \Driver\usbehci \Device\USBFDO-4 89A481F8 Device \Driver\Ftdisk \Device\FtControl 89DE41F8 Device \Driver\Imagedrv \Device\Scsi\Imagedrv1Port0Path0Target0Lun0 89DE31F8 Device \Driver\a09y0891 \Device\Scsi\a09y08911 89B1E1F8 Device \Driver\a09y0891 \Device\Scsi\a09y08911Port3Path0Target0Lun0 89B1E1F8 Device \Driver\Imagedrv \Device\Scsi\Imagedrv1 89DE31F8 Device \FileSystem\Cdfs \Cdfs 89B5E1F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8F 0x0E 0x77 0x31 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x64 0x6B 0xF4 0x93 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7D 0x66 0xB8 0xAA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA9 0xC8 0xEE 0x9B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x45 0x9D 0xF9 0x3C ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5D 0x48 0x74 0x17 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xDE 0x28 0xDC 0xD3 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8F 0x0E 0x77 0x31 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x64 0x6B 0xF4 0x93 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x7D 0x66 0xB8 0xAA ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA9 0xC8 0xEE 0x9B ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x45 0x9D 0xF9 0x3C ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5D 0x48 0x74 0x17 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xDE 0x28 0xDC 0xD3 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B81FAA57-3D73-17F4-8AF3-10FC54533DC0} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B81FAA57-3D73-17F4-8AF3-10FC54533DC0}@hacadpingcihebig 0x61 0x61 0x00 0xFF Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B81FAA57-3D73-17F4-8AF3-10FC54533DC0}@jacadpingcihebigbfio 0x63 0x61 0x64 0x63 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B81FAA57-3D73-17F4-8AF3-10FC54533DC0}@pakaejmlphmlaocchpolibaangommnag 0x64 0x61 0x68 0x63 ... ---- EOF - GMER 1.0.15 ----