GMER 1.0.15.15565 - http://www.gmer.net
Rootkit scan 2011-03-19 11:33:26
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST320414A rev.3.25
Running: 7inuoyqt.exe; Driver: C:\DOCUME~1\AKA~1.MOK\USTAWI~1\Temp\ffwcakod.sys

---- System - GMER 1.0.15 ----

SSDT 85D3EC90 ZwAssignProcessToJobObject
SSDT spwf.sys ZwCreateKey [0xF73950E0]
SSDT 85D3F200 ZwDebugActiveProcess
SSDT 85D3F2F0 ZwDuplicateObject
SSDT spwf.sys ZwEnumerateKey [0xF73ADDA4]
SSDT spwf.sys ZwEnumerateValueKey [0xF73AE132]
SSDT spwf.sys ZwOpenKey [0xF73950C0]
SSDT 85D3E590 ZwOpenProcess
SSDT 85D3E800 ZwOpenThread
SSDT 85D3EFD0 ZwProtectVirtualMemory
SSDT spwf.sys ZwQueryKey [0xF73AE20A]
SSDT spwf.sys ZwQueryValueKey [0xF73AE08A]
SSDT 85D3F0E0 ZwQueueApcThread
SSDT 85D3EEC0 ZwSetContextThread
SSDT 85D3ED90 ZwSetInformationThread
SSDT 85D3BDA0 ZwSetSecurityObject
SSDT spwf.sys ZwSetValueKey [0xF73AE29C]
SSDT 85D3EB90 ZwSuspendProcess
SSDT 85D3EA80 ZwSuspendThread
SSDT 85D3E6E0 ZwTerminateProcess
SSDT 85D3EA50 ZwTerminateThread
SSDT 85D3F6D0 ZwWriteVirtualMemory

INT 0x62 ? 865D8BF8
INT 0x63 ? 865D8BF8
INT 0x63 ? 865D8BF8
INT 0x63 ? 86309F00
INT 0x63 ? 865D8BF8
INT 0x82 ? 865D8BF8
INT 0x83 ? 865D8BF8
INT 0x84 ? 86309F00
INT 0x94 ? 86309F00
INT 0xA4 ? 86309F00
INT 0xB4 ? 86309F00

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2D34 80503934 4 Bytes CALL 3F7EBF0C ? spwf.sys Nie można odnaleźć określonego pliku. !
.text USBPORT.SYS!DllUnload F630D62C 5 Bytes JMP 863094E0

---- User code sections - GMER 1.0.15 ----

.text D:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[252] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 00]
.text D:\Program Files\Mozilla Firefox\firefox.exe[676] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 D:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text D:\Program Files\Mozilla Firefox\plugin-container.exe[2320] USER32.dll!TrackPopupMenu 77D84F16 5 Bytes JMP 10402342 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F7396042] spwf.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F739613E] spwf.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F73960C0] spwf.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F7396800] spwf.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F73966D6] spwf.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F73A5B90] spwf.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 865D71F8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \FileSystem\Fastfat \FatCdrom 85E4D1F8
Device \Driver\usbuhci \Device\USBPDO-0 863081F8
Device \Driver\usbuhci \Device\USBPDO-1 863081F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 865681F8
Device \Driver\dmio \Device\DmControl\DmConfig 865681F8
Device \Driver\dmio \Device\DmControl\DmPnP 865681F8
Device \Driver\dmio \Device\DmControl\DmInfo 865681F8
Device \Driver\usbehci \Device\USBPDO-2 863071F8
Device \Driver\usbuhci \Device\USBPDO-3 863081F8
Device \Driver\usbuhci \Device\USBPDO-4 863081F8
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
Device \Driver\usbuhci \Device\USBPDO-5 863081F8
Device \Driver\usbehci \Device\USBPDO-6 863071F8
Device \Driver\Ftdisk \Device\HarddiskVolume1 865D91F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 865D91F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{D37B60A8-30CE-42E0-9566-A3824221F875} 863C8500
Device \Driver\Cdrom \Device\CdRom0 863B01F8
Device \Driver\atapi \Device\Ide\IdePort0 865D81F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 865D81F8
Device \Driver\atapi \Device\Ide\IdePort1 865D81F8
Device \Driver\atapi \Device\Ide\IdePort2 865D81F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 865D81F8
Device \Driver\atapi \Device\Ide\IdePort3 865D81F8
Device \Driver\atapi \Device\Ide\IdePort4 865D81F8
Device \Driver\atapi \Device\Ide\IdePort5 865D81F8
Device \Driver\Ftdisk \Device\HarddiskVolume3 865D91F8
Device \Driver\Ftdisk \Device\HarddiskVolume4 865D91F8
Device \Driver\usbstor \Device\00000083 85E461F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 863C8500
Device \Driver\usbstor \Device\00000084 85E461F8
Device \Driver\NetBT \Device\NetbiosSmb 863C8500
Device \Driver\NetBT \Device\NetBT_Tcpip_{A8AC8AFC-04EC-4A09-81EF-455D688B78B8} 863C8500
Device \Driver\usbuhci \Device\USBFDO-0 863081F8
Device \Driver\usbuhci \Device\USBFDO-1 863081F8
Device \Driver\usbehci \Device\USBFDO-2 863071F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86417500
Device \Driver\usbuhci \Device\USBFDO-3 863081F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86417500
Device \Driver\Ftdisk \Device\FtControl 865D91F8
Device \Driver\usbuhci \Device\USBFDO-4 863081F8
Device \Driver\usbuhci \Device\USBFDO-5 863081F8
Device \Driver\usbehci \Device\USBFDO-6 863071F8
Device \FileSystem\Fastfat \Fat 85E4D1F8
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)
Device \FileSystem\Cdfs \Cdfs 85CAB500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8F 0xF3 0x6E 0x07 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB8 0x00 0xCF 0xCB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8F 0xF3 0x6E 0x07 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB8 0x00 0xCF 0xCB ...

---- EOF - GMER 1.0.15 ----