GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-25 10:00:06 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHV2100BH rev.00000029 93,16GB Running: jpf9puy1.exe; Driver: C:\DOCUME~1\Kasprzyk\USTAWI~1\Temp\uwlyyfob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwAssignProcessToJobObject [0xB10494B0] SSDT spev.sys ZwCreateKey [0xB9EA70E0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0xB10497F0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDebugActiveProcess [0xB1049AB0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDuplicateObject [0xB10495D0] SSDT spev.sys ZwEnumerateKey [0xB9EC5CA4] SSDT spev.sys ZwEnumerateValueKey [0xB9EC6032] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0xB10498B0] SSDT spev.sys ZwOpenKey [0xB9EA70C0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenProcess [0xB1049350] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenThread [0xB1049410] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwProtectVirtualMemory [0xB1049570] SSDT spev.sys ZwQueryKey [0xB9EC610A] SSDT spev.sys ZwQueryValueKey [0xB9EC5F8A] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwQueueApcThread [0xB1049630] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetContextThread [0xB1049530] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetInformationThread [0xB10494F0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSecurityObject [0xB1049670] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0xB1049870] SSDT spev.sys ZwSetValueKey [0xB9EC619C] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendProcess [0xB10493B0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendThread [0xB1049430] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0xB1049830] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateProcess [0xB1049370] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateThread [0xB1049470] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwWriteVirtualMemory [0xB10495F0] INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys BA1DB16D INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys BA1DAFC2 INT 0x62 ? 89988BF8 INT 0x63 ? 899FABF8 INT 0x73 ? 89988BF8 INT 0xA4 ? 8972DF00 INT 0xA4 ? 8972DF00 INT 0xA4 ? 8972DF00 INT 0xA4 ? 8972DF00 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [B0, 93, 04, B1, 30, 94, 04, ...] ? spev.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xAE842400, 0x87EE2, 0xE8000020] .protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xAE8E6620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xAE8E6620] .protect˙˙˙˙hardlockunknown last code section [0xAE8E6400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xAE8E6400, 0x5126, 0xE0000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1876] kernel32.dll!SetUnhandledExceptionFilter 7C8449CD 4 Bytes [C2, 04, 00, 00] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 899871F8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys Device \FileSystem\Fastfat \FatCdrom 896AE500 AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys Device \Driver\usbohci \Device\USBPDO-0 8972C1F8 Device \Driver\usbohci \Device\USBPDO-1 8972C1F8 Device \Driver\usbehci \Device\USBPDO-2 897C63E8 Device \Driver\PCI_PNP1492 \Device\00000053 spev.sys AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys Device \Driver\Ftdisk \Device\HarddiskVolume1 899F81F8 Device \Driver\Cdrom \Device\CdRom0 8971D1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 [B9E20B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 89573500 Device \Driver\sptd \Device\1479035242 spev.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{C0D87A6E-1F0F-47A8-AE97-9DFBC04F5049} 89573500 Device \Driver\NetBT \Device\NetbiosSmb 89573500 AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys Device \Driver\usbohci \Device\USBFDO-0 8972C1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{2ADB33E9-D8D4-4D8F-9769-0E2D6662AFEA} 89573500 Device \Driver\usbohci \Device\USBFDO-1 8972C1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8959A500 Device \Driver\usbehci \Device\USBFDO-2 897C63E8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8959A500 Device \Driver\Ftdisk \Device\FtControl 899F81F8 Device \Driver\af2nyea7 \Device\Scsi\af2nyea71 897AD1F8 Device \FileSystem\Fastfat \Fat 896AE500 AttachedDevice \FileSystem\Fastfat \Fat eamon.sys Device \FileSystem\Cdfs \Cdfs 895D2500 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys atapi.sys spev.sys hal.dll >>UNKNOWN [0x899a8938]<< 899a8938 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x899e5030] 899e5030 Trace 3 CLASSPNP.SYS[ba118fd7] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x898c2d98] 898c2d98 ---- Threads - GMER 2.1 ---- Thread System [4:128] 88668540 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC1 0x12 0x6E 0x2F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x30 0xD9 0xBB 0x53 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x73 0xE8 0x97 0xDB ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xC1 0x12 0x6E 0x2F ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x30 0xD9 0xBB 0x53 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x73 0xE8 0x97 0xDB ... ---- EOF - GMER 2.1 ----