GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-10 06:25:11 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST3808110AS rev.3.ADH 74,51GB Running: jg10xfzv.exe; Driver: C:\DOCUME~1\admin\USTAWI~1\Temp\pxtdapob.sys ---- System - GMER 2.1 ---- SSDT sptd.sys ZwCreateKey [0xB9ECFA50] SSDT sptd.sys ZwEnumerateKey [0xB9F03FFE] SSDT sptd.sys ZwEnumerateValueKey [0xB9F0438C] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0xBA3E16E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0xBA3E1800] SSDT sptd.sys ZwOpenKey [0xB9ECFA30] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0xBA3E1010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0xBA3E14D0] SSDT sptd.sys ZwQueryKey [0xB9F04464] SSDT sptd.sys ZwQueryValueKey [0xB9F042E4] SSDT sptd.sys ZwSetValueKey [0xB9F044F6] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0xBA3E1300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0xBA3E13E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0xBA3E1120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0xBA3E1210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0xBA3E15E0] INT 0x62 ? 89E08CC8 INT 0x63 ? 89E08CC8 INT 0x84 ? 89C0BCC8 INT 0x94 ? 89C0BCC8 INT 0xA4 ? 89C0BCC8 INT 0xB4 ? 89C0BCC8 ---- Kernel code sections - GMER 2.1 ---- PAGE sptd.sys B9EF3000 1 Byte [74] PAGE sptd.sys B9EF3004 5 Bytes [40, 33, EF, B9, A3] PAGE sptd.sys B9EF300C 5 Bytes [50, 34, EF, B9, 98] PAGE sptd.sys B9EF3014 5 Bytes [B8, 33, EF, B9, 59] {MOV EAX, 0x59b9ef33} PAGE sptd.sys B9EF301C 5 Bytes [78, 32, EF, B9, 61] PAGE ... .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB9F8CD38] ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB8C79F80] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[2896] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 013D561E C:\Program Files\Mozilla Thunderbird\xul.dll .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[2896] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 02074805 C:\Program Files\Mozilla Thunderbird\xul.dll .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[2896] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 0207484D C:\Program Files\Mozilla Thunderbird\xul.dll .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[2896] kernel32.dll!ValidateLocale + B1C8 7C8449C8 7 Bytes JMP 013E627E C:\Program Files\Mozilla Thunderbird\xul.dll .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[2896] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 01BF86B9 C:\Program Files\Mozilla Thunderbird\xul.dll .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[2896] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 02074874 C:\Program Files\Mozilla Thunderbird\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3728] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10001FFD C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3728] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01B10455 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3728] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01B1049D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3728] kernel32.dll!ValidateLocale + B1C8 7C8449C8 7 Bytes JMP 01725A06 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3728] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01B104C4 C:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 89E071F8 AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys Device \Driver\usbuhci \Device\USBPDO-0 89CB81F8 Device \Driver\usbuhci \Device\USBPDO-1 89CB81F8 Device \Driver\usbuhci \Device\USBPDO-2 89CB81F8 Device \Driver\usbuhci \Device\USBPDO-3 89CB81F8 Device \Driver\usbehci \Device\USBPDO-4 89BF21F8 AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys Device \Driver\Cdrom \Device\CdRom0 89A6C1F8 Device \Driver\atapi \Device\Ide\IdePort0 [B9E0EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E0EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9E0EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9E0EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBT_Tcpip_{E3559496-1DC4-4E8E-93ED-98AF18AFDEA2} 896B91F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 896B91F8 Device \Driver\NetBT \Device\NetbiosSmb 896B91F8 AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys Device \Driver\usbuhci \Device\USBFDO-0 89CB81F8 Device \Driver\usbuhci \Device\USBFDO-1 89CB81F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8969C1F8 Device \Driver\usbuhci \Device\USBFDO-2 89CB81F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8969C1F8 Device \Driver\usbuhci \Device\USBFDO-3 89CB81F8 Device \Driver\usbehci \Device\USBFDO-4 89BF21F8 Device \FileSystem\Cdfs \Cdfs 896261F8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3F 0x94 0xFC 0x56 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3F 0x94 0xFC 0x56 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UnreadMail\kokkos@tlen.pl@MessageCount 44 ---- Files - GMER 2.1 ---- File C:\Documents and Settings\admin\Dane aplikacji\Thunderbird\Profiles\p54rse9m.default\global-messages-db.sqlite-journal 229944 bytes File C:\WINDOWS\$NtUninstallKB59812$\1694338393 0 bytes File C:\WINDOWS\$NtUninstallKB59812$\577627693 0 bytes ---- EOF - GMER 2.1 ----