GMER 1.0.15.15570 - http://www.gmer.net Rootkit scan 2011-04-23 11:36:03 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c ST3120026AS rev.3.05 Running: vjgesqxc.exe; Driver: C:\DOCUME~1\PANIWL~1\USTAWI~1\Temp\uwtdqpob.sys ---- System - GMER 1.0.15 ---- SSDT spux.sys ZwCreateKey [0xB7EB50E0] SSDT spux.sys ZwEnumerateKey [0xB7ECDDA4] SSDT spux.sys ZwEnumerateValueKey [0xB7ECE132] SSDT spux.sys ZwOpenKey [0xB7EB50C0] SSDT spux.sys ZwQueryKey [0xB7ECE20A] SSDT spux.sys ZwQueryValueKey [0xB7ECE08A] SSDT spux.sys ZwSetValueKey [0xB7ECE29C] INT 0x62 ? 8A002BF8 INT 0x63 ? 89E31BF8 INT 0x63 ? 89E31BF8 INT 0x63 ? 89E31BF8 INT 0x73 ? 8A002BF8 INT 0x73 ? 8A002BF8 INT 0x82 ? 8A002BF8 INT 0x83 ? 89E31BF8 INT 0x83 ? 89E31BF8 INT 0x83 ? 89E31BF8 INT 0xA4 ? 89E31BF8 INT 0xB1 ? 8A005BF8 INT 0xB1 ? 8A005BF8 INT 0xB4 ? 89E31BF8 ---- Kernel code sections - GMER 1.0.15 ---- ? spux.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB31E6380, 0x550AF5, 0xE8000020] .text USBPORT.SYS!DllUnload B31868AC 5 Bytes JMP 89E311D8 .text ai8kh5z8.SYS B310F386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...] .text ai8kh5z8.SYS B310F3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text ai8kh5z8.SYS B310F3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH} .text ai8kh5z8.SYS B310F3C9 1 Byte [2E] .text ai8kh5z8.SYS B310F3C9 11 Bytes [2E, 00, 00, 00, 5C, 02, 00, ...] {ADD CS:[EAX], AL; ADD [EDX+EAX+0x0], BL; ADD [EAX], AL; ADD [EAX], AL} .text ... .text a2pongyn.SYS B30D6386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...] .text a2pongyn.SYS B30D63AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text a2pongyn.SYS B30D63C4 3 Bytes [00, 80, 02] .text a2pongyn.SYS B30D63C9 1 Byte [30] .text a2pongyn.SYS B30D63C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL} .text ... ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EB6042] spux.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EB613E] spux.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EB60C0] spux.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EB6800] spux.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EB66D6] spux.sys IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!KfAcquireSpinLock] CCCCCCC3 IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!READ_PORT_UCHAR] CCCCCCCC IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!KeGetCurrentIrql] CCCCCCCC IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!KfRaiseIrql] CCCCCCCC IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!KfLowerIrql] 8BEC8B55 IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!HalGetInterruptVector] 00C73445 IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!HalTranslateBusAddress] 00000000 IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!KeStallExecutionProcessor] 830C458B IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!KfReleaseSpinLock] C0840CEC IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 053C0D74 IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!READ_PORT_USHORT] 57B80974 IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 8B000000 IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[HAL.dll!WRITE_PORT_UCHAR] 56C35DE5 IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[WMILIB.SYS!WmiSystemControl] 8D51FC4D IAT \SystemRoot\System32\Drivers\ai8kh5z8.SYS[WMILIB.SYS!WmiCompleteRequest] 8D52FD55 IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!KfAcquireSpinLock] 18C4830E IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!READ_PORT_UCHAR] 1C959E88 IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!KeGetCurrentIrql] 9E880000 IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!KfRaiseIrql] 00001CB1 IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!KfLowerIrql] 0E798366 IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!HalGetInterruptVector] 74AAB000 IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!HalTranslateBusAddress] 8986C636 IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!KeStallExecutionProcessor] 1A00001C IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!KfReleaseSpinLock] 1C8B86C6 IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] C6020000 IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!READ_PORT_USHORT] 001C9686 IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 86C60200 IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[HAL.dll!WRITE_PORT_UCHAR] 00001CB2 IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[WMILIB.SYS!WmiSystemControl] 8800001C IAT \SystemRoot\System32\Drivers\a2pongyn.SYS[WMILIB.SYS!WmiCompleteRequest] 001CB99E IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EC5B90] spux.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A0741F8 Device \Driver\usbohci \Device\USBPDO-0 89E301F8 Device \Driver\usbohci \Device\USBPDO-1 89E301F8 Device \Driver\sptd \Device\4292655122 spux.sys Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A0781F8 Device \Driver\dmio \Device\DmControl\DmConfig 8A0781F8 Device \Driver\dmio \Device\DmControl\DmPnP 8A0781F8 Device \Driver\dmio \Device\DmControl\DmInfo 8A0781F8 Device \Driver\usbehci \Device\USBPDO-2 89E181F8 Device \Driver\PCI_PNP8872 \Device\00000053 spux.sys Device \Driver\usbohci \Device\USBPDO-3 89E301F8 Device \Driver\PCI_PNP8872 \Device\00000054 spux.sys Device \Driver\usbohci \Device\USBPDO-4 89E301F8 AttachedDevice \Driver\Tcpip \Device\Tcp idmtdi.sys (Internet Download Manager TDI Driver/Tonec Inc.) Device \Driver\usbehci \Device\USBPDO-5 89E181F8 Device \Driver\usbohci \Device\USBPDO-6 89E301F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 8A0031F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A0031F8 Device \Driver\Cdrom \Device\CdRom0 8A0011F8 Device \Driver\atapi \Device\Ide\IdePort0 [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-19 [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T1L0-2d [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-25 [B7E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume3 8A0031F8 Device \Driver\Cdrom \Device\CdRom1 8A0011F8 Device \Driver\Ftdisk \Device\HarddiskVolume4 8A0031F8 Device \Driver\Cdrom \Device\CdRom2 8A0011F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 890BD1F8 Device \Driver\NetBT \Device\NetbiosSmb 890BD1F8 Device \Driver\sptd \Device\4292498872 spux.sys Device \Driver\usbohci \Device\USBFDO-0 89E301F8 Device \Driver\usbohci \Device\USBFDO-1 89E301F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 890BC1F8 Device \Driver\usbehci \Device\USBFDO-2 89E181F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 890BC1F8 Device \Driver\usbohci \Device\USBFDO-3 89E301F8 Device \Driver\usbohci \Device\USBFDO-4 89E301F8 Device \Driver\Ftdisk \Device\FtControl 8A0031F8 Device \Driver\usbehci \Device\USBFDO-5 89E181F8 Device \Driver\usbohci \Device\USBFDO-6 89E301F8 Device \Driver\a2pongyn \Device\Scsi\a2pongyn1 89DEB500 Device \Driver\ai8kh5z8 \Device\Scsi\ai8kh5z81Port4Path0Target0Lun0 89DDF1F8 Device \Driver\a2pongyn \Device\Scsi\a2pongyn1Port5Path0Target0Lun0 89DEB500 Device \Driver\ai8kh5z8 \Device\Scsi\ai8kh5z81 89DDF1F8 Device \FileSystem\Cdfs \Cdfs 89040500 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x77 0xBB 0x0F 0xAF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x19 0x88 0x4A 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x89 0xC5 0xAE 0xAB ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x63 0xB7 0xC2 0xF7 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0xE3 0x12 0x4D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5F 0xC6 0x3B 0x65 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x77 0xBB 0x0F 0xAF ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x19 0x88 0x4A 0x80 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x89 0xC5 0xAE 0xAB ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x1D 0x9A 0x4F 0xF6 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0xE3 0x12 0x4D ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x5F 0xC6 0x3B 0x65 ... Reg HKLM\SOFTWARE\Classes\CLSID\{2d99c544-f06e-4d52-a7fb-8ed1fc9b8fd2}@Model 76 Reg HKLM\SOFTWARE\Classes\CLSID\{2d99c544-f06e-4d52-a7fb-8ed1fc9b8fd2}@Therad 1 Reg HKLM\SOFTWARE\Classes\CLSID\{2d99c544-f06e-4d52-a7fb-8ed1fc9b8fd2}@MData 0x73 0xD5 0xCF 0xB8 ... Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0xDF 0xDC 0x65 0xD6 ... ---- EOF - GMER 1.0.15 ----