GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-05-29 22:37:16
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 Maxtor_6Y080L0 rev.YAR41BW0
Running: gmer.exe; Driver: C:\DOCUME~1\Marcin\USTAWI~1\Temp\aflirfog.sys


---- System - GMER 1.0.15 ----

SSDT  sptd.sys  ZwCreateKey [0xF843DA50]
SSDT  sptd.sys  ZwEnumerateKey [0xF8471FFE]
SSDT  sptd.sys  ZwEnumerateValueKey [0xF847238C]
SSDT  sptd.sys  ZwOpenKey [0xF843DA30]
SSDT  sptd.sys  ZwQueryKey [0xF8472464]
SSDT  sptd.sys  ZwQueryValueKey [0xF84722E4]
SSDT  sptd.sys  ZwSetValueKey [0xF84724F6]

INT 0x62  ?  823DFCC8
INT 0x63  ?  81F27F00
INT 0x82  ?  823DFCC8
INT 0xA4  ?  81F27F00
INT 0xB4  ?  81F27F00

---- Kernel code sections - GMER 1.0.15 ----

.text   sptd.sys  F8403000 32 Bytes  [5E, 57, 6F, 80, 20, 07, 6F, ...]
.text   sptd.sys  F8403024 4 Bytes  [74, 5F, 3F, F8] {JZ 0x61; AAS ; CLC }
.text   sptd.sys  F840302C 424 Bytes  [EA, 9D, 57, 80, 3E, BD, 5D, ...]
.text   sptd.sys  F84031E4 4 Bytes  [79, 62, 73, 4C] {JNS 0x64; JAE 0x50}
.text   sptd.sys  F84031EC 1 Byte  [02]
.text   ...
.sptd2  C:\WINDOWS\system32\drivers\sptd.sys  entry point in ".sptd2" section [0xF84FAD38]
?       C:\WINDOWS\system32\drivers\sptd.sys  Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text   C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xF7BA7360, 0x372FAD, 0xE8000020]
.text   USBPORT.SYS!DllUnload  F7B878AC 5 Bytes  JMP 81F27410

---- User code sections - GMER 1.0.15 ----

.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtCreateFile + 6  7C90D096 4 Bytes  [28, 00, 16, 00]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtCreateFile + B  7C90D09B 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtMapViewOfSection + 6  7C90D506 1 Byte  [28]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtMapViewOfSection + 6  7C90D506 4 Bytes  [28, 03, 16, 00]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtMapViewOfSection + B  7C90D50B 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenFile + 6  7C90D586 4 Bytes  [68, 00, 16, 00]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenFile + B  7C90D58B 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenProcess + 6  7C90D5E6 4 Bytes  [A8, 01, 16, 00]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenProcess + B  7C90D5EB 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenProcessToken + 6  7C90D5F6 4 Bytes  CALL 7B90EBFC
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenProcessToken + B  7C90D5FB 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenProcessTokenEx + 6  7C90D606 4 Bytes  [A8, 02, 16, 00]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenProcessTokenEx + B  7C90D60B 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenThread + 6  7C90D646 4 Bytes  [68, 01, 16, 00]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenThread + B  7C90D64B 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenThreadToken + 6  7C90D656 4 Bytes  [68, 02, 16, 00]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenThreadToken + B  7C90D65B 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenThreadTokenEx + 6  7C90D666 4 Bytes  CALL 7B90EC6D
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtOpenThreadTokenEx + B  7C90D66B 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtQueryAttributesFile + 6  7C90D6F6 4 Bytes  [A8, 00, 16, 00]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtQueryAttributesFile + B  7C90D6FB 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtQueryFullAttributesFile + 6  7C90D796 4 Bytes  CALL 7B90ED9B
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtQueryFullAttributesFile + B  7C90D79B 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtSetInformationFile + 6  7C90DC46 4 Bytes  [28, 01, 16, 00]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtSetInformationFile + B  7C90DC4B 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtSetInformationThread + 6  7C90DC96 4 Bytes  [28, 02, 16, 00]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtSetInformationThread + B  7C90DC9B 1 Byte  [E2]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtUnmapViewOfSection + 6  7C90DEF6 1 Byte  [68]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtUnmapViewOfSection + 6  7C90DEF6 4 Bytes  [68, 03, 16, 00]
.text  C:\Documents and Settings\Marcin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3580] ntdll.dll!NtUnmapViewOfSection + B  7C90DEFB 1 Byte  [E2]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint]  823A0308
IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG]  [F8404574] sptd.sys
IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR]  [F84040C0] sptd.sys
IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR]  [F8404FE0] sptd.sys
IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [F84040C0] sptd.sys
IAT  atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]  [F8404362] sptd.sys
IAT  atapi.sys[HAL.dll!READ_PORT_USHORT]  [F84042A4] sptd.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]  [F84051BC] sptd.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]  [F8404FE0] sptd.sys
IAT  \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]  81F27540
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [F8419312] sptd.sys

---- Devices - GMER 1.0.15 ----

Device          \FileSystem\Ntfs \Ntfs  823DE1F8
AttachedDevice  \Driver\Tcpip \Device\Ip  nltdi.sys (NetLimiter Driver/Locktime Software)
Device          \Driver\usbuhci \Device\USBPDO-0  81F78430
Device          \Driver\usbuhci \Device\USBPDO-1  81F78430
Device          \Driver\usbuhci \Device\USBPDO-2  81F78430
Device          \Driver\usbehci \Device\USBPDO-3  81F3C430
AttachedDevice  \Driver\Tcpip \Device\Tcp  nltdi.sys (NetLimiter Driver/Locktime Software)
Device          \Driver\Cdrom \Device\CdRom0  821191F8
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17  [F8356B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort0  [F8356B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3  [F8356B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdePort1  [F8356B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f  [F8356B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device          \Driver\Cdrom \Device\CdRom1  821191F8
Device          \Driver\NetBT \Device\NetBT_Tcpip_{EEDD4731-F493-4723-8CC2-703A7745D744}  81FB5430
Device          \Driver\NetBT \Device\NetBt_Wins_Export  81FB5430
Device          \Driver\NetBT \Device\NetbiosSmb  81FB5430
AttachedDevice  \Driver\Tcpip \Device\Udp  nltdi.sys (NetLimiter Driver/Locktime Software)
AttachedDevice  \Driver\Tcpip \Device\RawIp  nltdi.sys (NetLimiter Driver/Locktime Software)
Device          \Driver\usbuhci \Device\USBFDO-0  81F78430
Device          \Driver\usbuhci \Device\USBFDO-1  81F78430
Device          \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  81FB3430
Device          \Driver\usbuhci \Device\USBFDO-2  81F78430
Device          \FileSystem\MRxSmb \Device\LanmanRedirector  81FB3430
Device          \Driver\usbehci \Device\USBFDO-3  81F3C430
Device          \FileSystem\Cdfs \Cdfs  82020430

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2  285507792

---- Disk sectors - GMER 1.0.15 ----

Disk  \Device\Harddisk0\DR0  MBR read error
Disk  \Device\Harddisk0\DR0  MBR BIOS signature not found 0

---- EOF - GMER 1.0.15 ----