GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-05 08:10:09
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 Hitachi_HDT725050VLA360 rev.V56OA7EA
Running: h23x4ch6.exe; Driver: C:\Users\DeeM\AppData\Local\Temp\kwlyypoc.sys

---- System - GMER 1.0.15 ----

SSDT 86E094A8 ZwAlertResumeThread
SSDT 86E09588 ZwAlertThread
SSDT 86E08228 ZwAllocateVirtualMemory
SSDT 86CF45C0 ZwAlpcConnectPort
SSDT 86E0AC40 ZwAssignProcessToJobObject
SSDT 86E091F8 ZwCreateMutant
SSDT 86E0A960 ZwCreateSymbolicLinkObject
SSDT 86E08730 ZwCreateThread
SSDT 86E0AA50 ZwCreateThreadEx
SSDT 86E0AD20 ZwDebugActiveProcess
SSDT 86E083F8 ZwDuplicateObject
SSDT 86E09F60 ZwFreeVirtualMemory
SSDT 86E092E8 ZwImpersonateAnonymousToken
SSDT 86E093C8 ZwImpersonateThread
SSDT 86BFA858 ZwLoadDriver
SSDT 86E09E60 ZwMapViewOfSection
SSDT 86E09118 ZwOpenEvent
SSDT 86E085D8 ZwOpenProcess
SSDT 86E08318 ZwOpenProcessToken
SSDT 86E0AF48 ZwOpenSection
SSDT 86E084E8 ZwOpenThread
SSDT 86E0AB50 ZwProtectVirtualMemory
SSDT 86E09668 ZwResumeThread
SSDT 86E09B30 ZwSetContextThread
SSDT 86E09C90 ZwSetInformationProcess
SSDT 86E0AE00 ZwSetSystemInformation
SSDT 86E0A008 ZwSuspendProcess
SSDT 86E09748 ZwSuspendThread
SSDT 86E08848 ZwTerminateProcess
SSDT 86E09828 ZwTerminateThread
SSDT 86E09D80 ZwUnmapViewOfSection
SSDT 86E08138 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E4D599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E71F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 82E79734 8 Bytes [A8, 94, E0, 86, 88, 95, E0, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82E7974C 4 Bytes [28, 82, E0, 86]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82E79758 4 Bytes [C0, 45, CF, 86] {ROL BYTE [EBP-0x31], 0x86}
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 82E797AC 4 Bytes [40, AC, E0, 86] {INC EAX; LODSB ; LOOPNZ 0xffffffffffffff8a}
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82E79828 4 Bytes [F8, 91, E0, 86] {CLC ; XCHG ECX, EAX; LOOPNZ 0xffffffffffffff8a}
.text ...
? System32\Drivers\spkt.sys System nie może odnaleźć określonej ścieżki. !
PAGE PCIIDEX.SYS!DllUnload 8BE77606 5 Bytes JMP 864351D8
.text USBPORT.SYS!DllUnload 9884CCA0 5 Bytes JMP 87536450
.text autochk.exe 002411D2 1 Byte [74]
.text autochk.exe 002411D2 3 Bytes [74, 00, 65]
.text autochk.exe 002411D6 1 Byte [72]
.text autochk.exe 002411D6 3 Bytes [72, 00, 65]
.text autochk.exe 002411DA 1 Byte [64]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[820] USER32.dll!TrackPopupMenu 76EC4B3B 4 Bytes JMP 63A0C35B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[4892] ntdll.dll!LdrLoadDll 774FF585 5 Bytes JMP 0067003A

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8BCA390E] \SystemRoot\System32\Drivers\spkt.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8BCA3F9C] \SystemRoot\System32\Drivers\spkt.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [8BCA33E6] \SystemRoot\System32\Drivers\spkt.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8BCA4178] \SystemRoot\System32\Drivers\spkt.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8BCA31D4] \SystemRoot\System32\Drivers\spkt.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 864391F8
Device \Driver\volmgr \Device\VolMgrControl 864341F8
Device \Driver\usbuhci \Device\USBPDO-0 875CE1F8
Device \Driver\usbuhci \Device\USBPDO-1 875CE1F8
Device \Driver\usbuhci \Device\USBPDO-2 875CE1F8
Device \Driver\usbehci \Device\USBPDO-3 87547470
Device \Driver\usbuhci \Device\USBPDO-4 875CE1F8
Device \Driver\usbuhci \Device\USBPDO-5 875CE1F8
Device \Driver\usbuhci \Device\USBPDO-6 875CE1F8
Device \Driver\volmgr \Device\HarddiskVolume1 864341F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\usbehci \Device\USBPDO-7 87547470
Device \Driver\volmgr \Device\HarddiskVolume2 864341F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 86ACB470
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 864371F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 864371F8
Device \Driver\atapi \Device\Ide\IdePort0 864371F8
Device \Driver\atapi \Device\Ide\IdePort1 864371F8
Device \Driver\atapi \Device\Ide\IdePort2 864371F8
Device \Driver\atapi \Device\Ide\IdePort3 864371F8
Device \Driver\atapi \Device\Ide\IdePort4 864371F8
Device \Driver\atapi \Device\Ide\IdePort5 864371F8
Device \Driver\atapi \Device\Ide\IdeDeviceP4T0L0-6 864371F8
Device \Driver\volmgr \Device\HarddiskVolume3 864341F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume4 864341F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000074 86A641F8
Device \Driver\USBSTOR \Device\00000075 86A641F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 86B53470
Device \Driver\ACPI_HAL \Device\0000004f halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBFDO-0 875CE1F8
Device \Driver\usbuhci \Device\USBFDO-1 875CE1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{022E29D8-0997-4378-80E7-234EC8B0C0B7} 86B53470
Device \Driver\usbuhci \Device\USBFDO-2 875CE1F8
Device \Driver\usbehci \Device\USBFDO-3 87547470
Device \Driver\usbuhci \Device\USBFDO-4 875CE1F8
Device \Driver\usbuhci \Device\USBFDO-5 875CE1F8
Device \Driver\usbuhci \Device\USBFDO-6 875CE1F8
Device \Driver\usbehci \Device\USBFDO-7 87547470

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE3 0x1F 0xCB 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE3 0x1F 0xCB 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x8E 0xAD 0x28 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD8 0x7A 0xCC 0xF1 ...

---- EOF - GMER 1.0.15 ----