GMER 1.0.15.15570 - http://www.gmer.net Rootkit scan 2011-04-28 22:36:52 Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST3500418AS rev.CC34 Running: k23mxtc8.exe; Driver: C:\DOCUME~1\PC\USTAWI~1\Temp\kxpcqpod.sys ---- System - GMER 1.0.15 ---- SSDT spao.sys ZwCreateKey [0xBA6B50E0] SSDT spao.sys ZwEnumerateKey [0xBA6CDDA4] SSDT spao.sys ZwEnumerateValueKey [0xBA6CE132] SSDT spao.sys ZwOpenKey [0xBA6B50C0] SSDT spao.sys ZwQueryKey [0xBA6CE20A] SSDT spao.sys ZwQueryValueKey [0xBA6CE08A] SSDT spao.sys ZwSetValueKey [0xBA6CE29C] INT 0x62 ? 89BE5BF8 INT 0x63 ? 89A25BF8 INT 0x73 ? 89BE5BF8 INT 0x73 ? 89BE5BF8 INT 0x73 ? 89A25BF8 INT 0x83 ? 89A25BF8 INT 0xB4 ? 89A25BF8 Code \??\C:\DOCUME~1\PC\USTAWI~1\Temp\catchme.sys pIofCallDriver ---- Kernel code sections - GMER 1.0.15 ---- ? spao.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xBA0D3360, 0x24526E, 0xE8000020] .text USBPORT.SYS!DllUnload BA08F62C 5 Bytes JMP 89A251D8 .text ax13y08a.SYS B9F83386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...] .text ax13y08a.SYS B9F833AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...] .text ax13y08a.SYS B9F833C4 3 Bytes [00, 80, 02] .text ax13y08a.SYS B9F833C9 1 Byte [30] .text ax13y08a.SYS B9F833C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL} .text ... ? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. ! ? C:\DOCUME~1\PC\USTAWI~1\Temp\catchme.sys Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[2740] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3872] USER32.dll!TrackPopupMenu 77D84F16 5 Bytes JMP 10402024 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [BA6B6042] spao.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [BA6B613E] spao.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [BA6B60C0] spao.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [BA6B6800] spao.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [BA6B66D6] spao.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [BA6C5B90] spao.sys IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46 IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!READ_PORT_UCHAR] B48B8932 IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!KeGetCurrentIrql] 89000001 IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!KfRaiseIrql] 0001C083 IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!KfLowerIrql] 24468B00 IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!HalGetInterruptVector] 89820C8D IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639 IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!KfReleaseSpinLock] 000000BD IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 020CB389 IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!READ_PORT_USHORT] 83660000 IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320 IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00 IAT \SystemRoot\System32\Drivers\ax13y08a.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 89BE41F8 Device \Driver\sptd \Device\2272426766 spao.sys Device \Driver\usbuhci \Device\USBPDO-0 898BA500 Device \Driver\usbuhci \Device\USBPDO-1 898BA500 Device \Driver\dmio \Device\DmControl\DmIoDaemon 89C551F8 Device \Driver\dmio \Device\DmControl\DmConfig 89C551F8 Device \Driver\dmio \Device\DmControl\DmPnP 89C551F8 Device \Driver\dmio \Device\DmControl\DmInfo 89C551F8 Device \Driver\PCI_PNP6766 \Device\00000045 spao.sys Device \Driver\usbuhci \Device\USBPDO-2 898BA500 Device \Driver\usbuhci \Device\USBPDO-3 898BA500 Device \Driver\usbehci \Device\USBPDO-4 899A91F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 89BE61F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 89BE61F8 Device \Driver\Cdrom \Device\CdRom0 89A321F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89BE51F8 Device \Driver\atapi \Device\Ide\IdePort0 89BE51F8 Device \Driver\atapi \Device\Ide\IdePort1 89BE51F8 Device \Driver\atapi \Device\Ide\IdePort2 89BE51F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 89BE51F8 Device \Driver\Cdrom \Device\CdRom1 89A321F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 895F61F8 Device \Driver\NetBT \Device\NetbiosSmb 895F61F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{557B8751-2174-49E2-93D0-7F9F8ED36330} 895F61F8 Device \Driver\usbuhci \Device\USBFDO-0 898BA500 Device \Driver\usbuhci \Device\USBFDO-1 898BA500 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 895EC1F8 Device \Driver\usbuhci \Device\USBFDO-2 898BA500 Device \FileSystem\MRxSmb \Device\LanmanRedirector 895EC1F8 Device \Driver\usbuhci \Device\USBFDO-3 898BA500 Device \Driver\usbehci \Device\USBFDO-4 899A91F8 Device \Driver\Ftdisk \Device\FtControl 89BE61F8 Device \Driver\ax13y08a \Device\Scsi\ax13y08a1Port3Path0Target0Lun0 89A5C1F8 Device \Driver\ax13y08a \Device\Scsi\ax13y08a1 89A5C1F8 Device \FileSystem\Cdfs \Cdfs 89986500 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x50 0x0C 0xA7 0x47 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0x78 0xBA 0xED ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8B 0x4C 0xE3 0xA7 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x50 0x0C 0xA7 0x47 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x41 0x78 0xBA 0xED ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x8B 0x4C 0xE3 0xA7 ... ---- EOF - GMER 1.0.15 ----