GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-15 07:12:34
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk1\DR1 -> \Device\Ide\IdePort3 ST3250410AS rev.3.AAC
Running: cg8dl7hr.exe; Driver: C:\DOCUME~1\UKASZ~1\USTAWI~1\Temp\kxadifoc.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xF45B4610]
SSDT sptd.sys ZwCreateKey [0xF7740AC8]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xF45B4C10]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xF45B4730]
SSDT sptd.sys ZwEnumerateKey [0xF7740C22]
SSDT sptd.sys ZwEnumerateValueKey [0xF7740F9A]
SSDT sptd.sys ZwOpenKey [0xF774098E]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xF45B44B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xF45B4570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xF45B46D0]
SSDT sptd.sys ZwQueryKey [0xF7741064]
SSDT sptd.sys ZwQueryValueKey [0xF7740EFC]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xF45B4790]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xF45B4690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xF45B4650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xF45B47D0]
SSDT sptd.sys ZwSetValueKey [0xF77410EC]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xF45B4510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xF45B4590]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xF45B44D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xF45B45D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xF45B4750]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
? C:\WINDOWS\System32\Drivers\SPTD3261.SYS Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6B6C3A0, 0x5FE082, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[720] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2036] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00401410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2808] USER32.dll!SetWindowLongA 7E37C29D 5 Bytes JMP 10698DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2808] USER32.dll!SetWindowLongW 7E37C2BB 5 Bytes JMP 10698D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2808] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 104C7187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2808] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 104C7781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F774989E] sptd.sys
IAT pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F775FD86] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F7749E24] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F7749D28] sptd.sys
IAT ftdisk.sys[ntoskrnl.exe!IofCallDriver] [F7749EF4] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IofCallDriver] [F7749EF4] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetAttachedDeviceReference] [F7749E24] sptd.sys
IAT dmio.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] [F7749D28] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F775F1AE] sptd.sys
IAT PartMgr.sys[ntoskrnl.exe!IoDetachDevice] [F7749A5A] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IofCompleteRequest] [F775F04A] sptd.sys
IAT atapi.sys[ntoskrnl.exe!IoConnectInterrupt] [F77498F2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F773CAD2] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F773CC0E] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F773CB96] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F773D76C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F773D642] sptd.sys
IAT disk.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F775FE4A] sptd.sys
IAT \WINDOWS\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IoDetachDevice] [F774E8C6] sptd.sys
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!IofCompleteRequest] [F775F04A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F775F056] sptd.sys
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [F775FE4A] sptd.sys
IAT \SystemRoot\system32\DRIVERS\rdbss.sys[ntoskrnl.exe!IofCallDriver] [F7749CC6] sptd.sys
IAT \SystemRoot\system32\DRIVERS\mrxsmb.sys[ntoskrnl.exe!IofCallDriver] [F7749CC6] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 867935D0
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
Device \Driver\NetBT \Device\NetBT_Tcpip_{B43CF060-A23B-418E-BCBB-4C9D2471E92B} 863BDEB0
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86793C78
Device \Driver\dmio \Device\DmControl\DmConfig 86793C78
Device \Driver\dmio \Device\DmControl\DmPnP 86793C78
Device \Driver\dmio \Device\DmControl\DmInfo 86793C78
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
Device \Driver\Ftdisk \Device\HarddiskVolume1 86793EB0
Device \Driver\Ftdisk \Device\HarddiskVolume2 86793EB0
Device \Driver\Cdrom \Device\CdRom0 865D8350
Device \FileSystem\Rdbss \Device\FsWrap 856ABC50
Device \Driver\atapi \Device\Ide\IdePort0 [F768FB40] atapi.sys[unknown section] {MOV EAX, 0x86793960; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7750e12; RET }
Device \Driver\atapi \Device\Ide\IdePort1 [F768FB40] atapi.sys[unknown section] {MOV EAX, 0x86793960; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7750e12; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-5 [F768FB40] atapi.sys[unknown section] {MOV EAX, 0x86793960; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7750e12; RET }
Device \Driver\atapi \Device\Ide\IdePort2 [F768FB40] atapi.sys[unknown section] {MOV EAX, 0x86793960; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7750e12; RET }
Device \Driver\atapi \Device\Ide\IdePort3 [F768FB40] atapi.sys[unknown section] {MOV EAX, 0x86793960; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7750e12; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1b [F768FB40] atapi.sys[unknown section] {MOV EAX, 0x86793960; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7750e12; RET }
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [F768FB40] atapi.sys[unknown section] {MOV EAX, 0x86793960; XCHG [ESP], EAX; PUSH EAX; PUSH 0xf7750e12; RET }
Device \Driver\Ftdisk \Device\HarddiskVolume3 86793EB0
Device \Driver\NetBT \Device\NetBt_Wins_Export 863BDEB0
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
Device \Driver\Disk \Device\Harddisk0\DR0 86793808
Device \Driver\Disk \Device\Harddisk1\DR1 86793808
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 856C70E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 856C70E8
Device \FileSystem\Npfs \Device\NamedPipe 85C5F0E8
Device \Driver\Ftdisk \Device\FtControl 86793EB0
Device \FileSystem\Msfs \Device\Mailslot 856CB898
Device \FileSystem\Cdfs \Cdfs 85699EB0

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 1174803498
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -487867841
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 1312788164
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC3 0xCE 0x71 0xA7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2E 0xEE 0x02 0x1A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x86 0x32 0x21 0x97 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x4C 0x20 0x37 0x51 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk1\DR1 MBR read error
Disk \Device\Harddisk1\DR1 MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----