GMER 1.0.15.15530 - http://www.gmer.net Rootkit scan 2011-02-27 20:57:22 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3500320AS rev.SD15 Running: gfjeqtj5.exe; Driver: C:\DOCUME~1\User\USTAWI~1\Temp\awwoifod.sys ---- System - GMER 1.0.15 ---- SSDT spge.sys ZwCreateKey [0xB9EB50E0] SSDT spge.sys ZwEnumerateKey [0xB9ECDDA4] SSDT spge.sys ZwEnumerateValueKey [0xB9ECE132] SSDT spge.sys ZwOpenKey [0xB9EB50C0] SSDT spge.sys ZwQueryKey [0xB9ECE20A] SSDT spge.sys ZwQueryValueKey [0xB9ECE08A] SSDT spge.sys ZwSetValueKey [0xB9ECE29C] INT 0x62 ? 89E53BF8 INT 0x63 ? 89E53BF8 INT 0x63 ? 89E53BF8 INT 0x63 ? 89ADFBF8 INT 0x63 ? 89E53BF8 INT 0x73 ? 89DE6BF8 INT 0x73 ? 89ADFBF8 INT 0x73 ? 89DE6BF8 INT 0x82 ? 89E53BF8 INT 0x84 ? 89ADFBF8 INT 0xA4 ? 89ADFBF8 INT 0xA4 ? 89ADFBF8 INT 0xA4 ? 89ADFBF8 INT 0xA4 ? 89ADFBF8 INT 0xB4 ? 89ADFBF8 ---- Kernel code sections - GMER 1.0.15 ---- ? spge.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9154000, 0x253E67, 0xE8000020] .text USBPORT.SYS!DllUnload B910B8AC 5 Bytes JMP 89ADF1D8 .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA98C4300, 0x3B6D8, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA4A0300, 0x1BEE, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3400] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 10402342 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[3680] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EB6042] spge.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EB613E] spge.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EB60C0] spge.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EB6800] spge.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EB66D6] spge.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EC5B90] spge.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 89DE21F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{175E582C-C291-4BFB-8E0E-788E1AB2BC00} 8987B500 Device \Driver\usbuhci \Device\USBPDO-0 89BD01F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 89DE41F8 Device \Driver\dmio \Device\DmControl\DmConfig 89DE41F8 Device \Driver\dmio \Device\DmControl\DmPnP 89DE41F8 Device \Driver\dmio \Device\DmControl\DmInfo 89DE41F8 Device \Driver\usbuhci \Device\USBPDO-1 89BD01F8 Device \Driver\usbuhci \Device\USBPDO-2 89BD01F8 Device \Driver\usbehci \Device\USBPDO-3 89AD21F8 Device \Driver\usbuhci \Device\USBPDO-4 89BD01F8 Device \Driver\usbuhci \Device\USBPDO-5 89BD01F8 Device \Driver\usbuhci \Device\USBPDO-6 89BD01F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 89E541F8 Device \Driver\usbehci \Device\USBPDO-7 89AD21F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 89E541F8 Device \Driver\Cdrom \Device\CdRom0 89BA41F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume3 89E541F8 Device \Driver\Cdrom \Device\CdRom1 89BA41F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 8987B500 Device \Driver\NetBT \Device\NetbiosSmb 8987B500 Device \Driver\NetBT \Device\NetBT_Tcpip_{0462E283-EC5C-487C-9EE3-DE882EC87D9C} 8987B500 Device \Driver\usbuhci \Device\USBFDO-0 89BD01F8 Device \Driver\usbuhci \Device\USBFDO-1 89BD01F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 898B5500 Device \Driver\usbuhci \Device\USBFDO-2 89BD01F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 898B5500 Device \Driver\usbehci \Device\USBFDO-3 89AD21F8 Device \Driver\usbuhci \Device\USBFDO-4 89BD01F8 Device \Driver\Ftdisk \Device\FtControl 89E541F8 Device \Driver\usbuhci \Device\USBFDO-5 89BD01F8 Device \Driver\usbuhci \Device\USBFDO-6 89BD01F8 Device \Driver\usbehci \Device\USBFDO-7 89AD21F8 Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 89DE31F8 Device \Driver\JRAID \Device\Scsi\JRAID1 89DE31F8 Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target1Lun0 89DE31F8 Device \FileSystem\Cdfs \Cdfs 898AC500 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5E 0x31 0x75 0xA7 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x31 0x25 0x5D 0x21 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3A 0xC1 0x93 0x74 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3D 0x8F 0x50 0xA7 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xA1 0xCE 0xAD 0xBA ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x35 0xDA 0xC9 0xD4 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5E 0x31 0x75 0xA7 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x31 0x25 0x5D 0x21 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x3A 0xC1 0x93 0x74 ... ---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\User\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\1v8vypdo.default\Cache\323D030Fd01 26949 bytes File C:\Documents and Settings\User\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\1v8vypdo.default\Cache\E4B8446Ed01 16833 bytes File C:\Documents and Settings\User\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\1v8vypdo.default\Cache\7C631FCEd01 34832 bytes ---- EOF - GMER 1.0.15 ----