GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-25 17:23:16
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-3 MAXTOR_STM3500320AS rev.MX15
Running: pb2y69xn.exe; Driver: C:\Users\Liesmith\AppData\Local\Temp\ugtyypob.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E56579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E7AF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text sptd.sys 8B4A2001 31 Bytes [67, 22, 83, A6, 01, 23, 83, ...]
.text sptd.sys 8B4A2024 26 Bytes [D5, 7B, ED, 82, AB, 2B, F3, ...]
.text sptd.sys 8B4A203F 343 Bytes [83, A0, 2A, E5, 82, BF, A3, ...]
.text sptd.sys 8B4A2197 53 Bytes [83, 63, 1B, E9, 82, BD, F5, ...]
.text sptd.sys 8B4A21D4 4 Bytes [F3, A5, 6A, 4D] {REP MOVSD ; PUSH 0x4d}
.text ...
.sptd2 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd2" section [0x8B54C9E3]
? C:\Windows\System32\Drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
PAGE PCIIDEX.SYS!DllUnload 8B691606 5 Bytes JMP 857681C8
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91025000, 0x38CD55, 0xE8000020]
.text USBPORT.SYS!DllUnload 90F76CA0 5 Bytes JMP 868BF1C8
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 9BE9A000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 9BE9A123 629 Bytes JMP CFEF9FC3
PAGE spsys.sys!?SPRevision@@3PADA + 5329 9BE9A399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 9BE9A3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B 9BE9A4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2176] USER32.dll!SetWindowLongA 7795B1E3 5 Bytes JMP 62828DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2176] USER32.dll!SetWindowLongW 77966614 5 Bytes JMP 62828D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2176] USER32.dll!GetWindowInfo 77966A82 5 Bytes JMP 62657187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2176] USER32.dll!TrackPopupMenu 77984B3B 5 Bytes JMP 62657781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3384] ntdll.dll!LdrLoadDll 77A7F585 5 Bytes JMP 00BC1410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8B4A370C] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8B4A3EEE] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [8B4A420E] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8B4A40CC] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8B4A38F0] \SystemRoot\System32\Drivers\sptd.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7491250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74912494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [748F5624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [748F56E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74908573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74904D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [749050CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [749051A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [749066D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [749082CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74908819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7490907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7490E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1492] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74904C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8576D1E8
Device \Driver\usbuhci \Device\USBPDO-0 868B31E8
Device \Driver\usbuhci \Device\USBPDO-1 868B31E8
Device \Driver\usbuhci \Device\USBPDO-2 868B31E8
Device \Driver\usbehci \Device\USBPDO-3 868C1430
Device \Driver\usbuhci \Device\USBPDO-4 868B31E8
Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-5 868B31E8
Device \Driver\usbuhci \Device\USBPDO-6 868B31E8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\usbehci \Device\USBPDO-7 868C1430
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 867611E8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-2 8576A1E8
Device \Driver\atapi \Device\Ide\IdePort0 8576A1E8
Device \Driver\atapi \Device\Ide\IdePort1 8576A1E8
Device \Driver\atapi \Device\Ide\IdePort2 8576A1E8
Device \Driver\atapi \Device\Ide\IdePort3 8576A1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 8576A1E8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBt_Wins_Export 8679A1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{23B229DD-2F6E-4DD1-8C6C-059047C014DB} 8679A1E8
Device \Driver\usbuhci \Device\USBFDO-0 868B31E8
Device \Driver\usbuhci \Device\USBFDO-1 868B31E8
Device \Driver\usbuhci \Device\USBFDO-2 868B31E8
Device \Driver\usbehci \Device\USBFDO-3 868C1430
Device \Driver\usbuhci \Device\USBFDO-4 868B31E8
Device \Driver\usbuhci \Device\USBFDO-5 868B31E8
Device \Driver\usbuhci \Device\USBFDO-6 868B31E8
Device \Driver\usbehci \Device\USBFDO-7 868C1430
Device \Driver\JRAID \Device\Scsi\JRAID1Port4Path0Target0Lun0 8576B1E8
Device \Driver\JRAID \Device\Scsi\JRAID1 8576B1E8

---- Threads - GMER 1.0.15 ----

Thread System [4:3136] 9BEA7F2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version 0xA2 0xA6 0x6F 0xC4 ...

---- EOF - GMER 1.0.15 ----