GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-17 20:28:07
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 ST930814AM rev.3.02
Running: o078dpy5.exe; Driver: C:\DOCUME~1\rtvxD\USTAWI~1\Temp\uxldipoc.sys


---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwClose [0xEDC206B8]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwCreateKey [0xEDC20574]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwDeleteValueKey [0xEDC20A52]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwDuplicateObject [0xEDC2014C]
SSDT  spmo.sys  ZwEnumerateKey [0xF8672CA2]
SSDT  spmo.sys  ZwEnumerateValueKey [0xF8673030]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenKey [0xEDC2064E]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenProcess [0xEDC2008C]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwOpenThread [0xEDC200F0]
SSDT  spmo.sys  ZwQueryKey [0xF8673108]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwQueryValueKey [0xEDC2076E]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwRestoreKey [0xEDC2072E]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)  ZwSetValueKey [0xEDC208AE]

INT 0x3A  ?  82E3ABF8
INT 0x3A  ?  82E3ABF8
INT 0x3A  ?  82E3ABF8
INT 0x3A  ?  82E3ABF8
INT 0x3E  ?  82FDEBF8
INT 0x3F  ?  82FDEBF8

---- Kernel code sections - GMER 1.0.15 ----

?      spmo.sys  Nie można odnaleźć określonego pliku. !
.text  USBPORT.SYS!DllUnload  F83348AC 5 Bytes  JMP 82E3A1D8
.text  C:\WINDOWS\system32\DRIVERS\atksgt.sys  section is writeable [0xED417300, 0x3AE88, 0xE8000020]
.text  C:\WINDOWS\system32\DRIVERS\lirsgt.sys  section is writeable [0xF8B2C300, 0x1B7E, 0xE8000020]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint]  82F715E0
IAT  pci.sys[ntoskrnl.exe!IoDetachDevice]  [F8685C4C] spmo.sys
IAT  pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]  [F8685CA0] spmo.sys
IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [F8655040] spmo.sys
IAT  atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]  [F865513C] spmo.sys
IAT  atapi.sys[HAL.dll!READ_PORT_USHORT]  [F86550BE] spmo.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]  [F86557FC] spmo.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]  [F86556D2] spmo.sys
IAT  \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]  82E3A2D8
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [F8665048] spmo.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\WINDOWS\system32\services.exe[748] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  003D0002
IAT  C:\WINDOWS\system32\services.exe[748] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  003D0000

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs  82FDD1F8
AttachedDevice  \FileSystem\Ntfs \Ntfs  aswMon2.SYS (avast! File System Filter Driver for Windows XP/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\Ip  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1  EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
Device          \Driver\usbuhci \Device\USBPDO-0  82E221F8
Device          \Driver\dmio \Device\DmControl\DmIoDaemon  82F6F1F8
Device          \Driver\dmio \Device\DmControl\DmConfig  82F6F1F8
Device          \Driver\dmio \Device\DmControl\DmPnP  82F6F1F8
Device          \Driver\dmio \Device\DmControl\DmInfo  82F6F1F8
Device          \Driver\usbuhci \Device\USBPDO-1  82E221F8
Device          \Driver\usbuhci \Device\USBPDO-2  82E221F8
Device          \Driver\usbehci \Device\USBPDO-3  82E001F8
AttachedDevice  \Driver\Tcpip \Device\Tcp  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device          \Driver\Ftdisk \Device\HarddiskVolume1  82FDF1F8
Device          \Driver\Cdrom \Device\CdRom0  82DCD1F8
Device          \Driver\atapi \Device\Ide\IdePort0  [F8589B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3  [F8589B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort1  [F8589B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e  [F8589B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\NetBT \Device\NetBt_Wins_Export  82AD51F8
Device          \Driver\NetBT \Device\NetbiosSmb  82AD51F8
AttachedDevice  \Driver\Tcpip \Device\Udp  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp  aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device          \Driver\usbuhci \Device\USBFDO-0  82E221F8
Device          \Driver\usbuhci \Device\USBFDO-1  82E221F8
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  82ACA1F8
Device          \Driver\usbuhci \Device\USBFDO-2  82E221F8
Device          \FileSystem\MRxSmb \Device\LanmanRedirector  82ACA1F8
Device          \Driver\usbehci \Device\USBFDO-3  82E001F8
Device          \Driver\Ftdisk \Device\FtControl  82FDF1F8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{85E1159D-EEF3-4E41-A6D6-F755AD26DAFB}  82AD51F8
Device          \FileSystem\Cdfs \Cdfs  82B5F1F8

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0xE8 0xF5 0x5E 0x5C ...
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh  0x2C 0xE0 0xB6 0x44 ...
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh  0xB2 0x4A 0x3A 0x53 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2  285507792
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0xBE 0x17 0x26 0xC7 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0xBE 0x17 0x26 0xC7 ...

---- Disk sectors - GMER 1.0.15 ----

Disk  \Device\Harddisk0\DR0  MBR read error
Disk  \Device\Harddisk0\DR0  MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----