GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-03-14 09:13:29
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FB4O
Running: cu49d1cq.exe; Driver: C:\Users\Krystyna\AppData\Local\Temp\fxddrkoc.sys

---- System - GMER 1.0.15 ----

INT 0x52 ? 87BBABF8
INT 0x72 ? 87BBABF8
INT 0x72 ? 87BBABF8
INT 0x82 ? 87BBABF8
INT 0x92 ? 87BBABF8
INT 0xA2 ? 87BBABF8
INT 0xB2 ? 85F2CBF8
INT 0xB3 ? 87BBABF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spia.sys System nie może odnaleźć określonej ścieżki. !
? C:\windows\System32\Drivers\SafeBoot.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F602000, 0x1FB95A, 0xE8000020]
.text USBPORT.SYS!DllUnload 8FBB741B 3 Bytes JMP 87BBA1D8
.text USBPORT.SYS!DllUnload + 4 8FBB741F 1 Byte [F8]
? C:\Users\Krystyna\AppData\Local\Temp\fxddrkoc.sys Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[408] kernel32.dll!SetUnhandledExceptionFilter 75D0A84F 4 Bytes [C2, 04, 00, 00]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806906D6] \SystemRoot\System32\Drivers\spia.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80690042] \SystemRoot\System32\Drivers\spia.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80690800] \SystemRoot\System32\Drivers\spia.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806900C0] \SystemRoot\System32\Drivers\spia.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069013E] \SystemRoot\System32\Drivers\spia.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8069FE9C] \SystemRoot\System32\Drivers\spia.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73127817] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7317A86D] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7312BB22] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7311F695] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [731275E9] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7311E7CA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73158395] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7312DA60] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7311FFFA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7311FF61] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [731171CF] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [731ACAE2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7314C8D8] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7311D968] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [73116853] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7311687E] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\windows\Explorer.EXE[3668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73122AD1] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85F4F1F8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \FileSystem\fastfat \FatCdrom 8A8BE1F8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)
Device \Driver\BTHUSB \Device\000000dc bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation)
Device \Driver\volmgr \Device\VolMgrControl 85F2A1F8
Device \Driver\BTHUSB \Device\000000de bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation)
Device \FileSystem\fastfat \Fat 8A8BE1F8
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat eamon.sys (Amon monitor/ESET)
Device \FileSystem\cdfs \Cdfs A27321F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00247e272a30
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00247e272a30@0016b8ffe14d 0x1E 0x48 0xF4 0x52 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00247e272a30@0017e695391b 0x40 0x71 0x1C 0xCD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00247e272a30@002490c10da2 0xE0 0x07 0x68 0x3E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x03 0x2E 0xA5 0x38 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00247e272a30 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00247e272a30@0016b8ffe14d 0x1E 0x48 0xF4 0x52 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00247e272a30@0017e695391b 0x40 0x71 0x1C 0xCD ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00247e272a30@002490c10da2 0xE0 0x07 0x68 0x3E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x03 0x2E 0xA5 0x38 ...

---- EOF - GMER 1.0.15 ----