GMER 1.0.15.15640 - http://www.gmer.net Rootkit scan 2011-06-02 16:56:35 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\0000006b ST3250310AS rev.3.AAF Running: gmer.exe; Driver: C:\DOCUME~1\admin\USTAWI~1\Temp\ugkyifod.sys ---- System - GMER 1.0.15 ---- SSDT spfw.sys ZwCreateKey [0xB9EA80E0] SSDT spfw.sys ZwEnumerateKey [0xB9EC6CA2] SSDT spfw.sys ZwEnumerateValueKey [0xB9EC7030] SSDT spfw.sys ZwOpenKey [0xB9EA80C0] SSDT spfw.sys ZwQueryKey [0xB9EC7108] SSDT spfw.sys ZwQueryValueKey [0xB9EC6F88] SSDT spfw.sys ZwSetValueKey [0xB9EC719A] INT 0x73 ? 8A5CDBF8 INT 0x83 ? 8A5CDBF8 INT 0xB4 ? 8A3B3F00 ---- Kernel code sections - GMER 1.0.15 ---- ? spfw.sys Nie można odnaleźć określonego pliku. ! .xreloc C:\WINDOWS\system32\drivers\ps6ah4nb.sys unknown last section [0xB9E4E000, 0x99C, 0x40000040] .text USBPORT.SYS!DllUnload B9A488AC 5 Bytes JMP 8A3B34E0 .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB924B380, 0x2FF527, 0xE8000020] init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB5613A00] ? system32\DRIVERS\ehdrv.sys System nie może odnaleźć określonej ścieżki. ! ? system32\DRIVERS\epfwtdir.sys System nie może odnaleźć określonej ścieżki. ! ? system32\DRIVERS\eamon.sys System nie może odnaleźć określonej ścieżki. ! ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EA9040] spfw.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EA913C] spfw.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EA90BE] spfw.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EA97FC] spfw.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EA96D2] spfw.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB9048] spfw.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A5CC1F8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys Device \FileSystem\Udfs \UdfsCdRom 89FC11F8 Device \FileSystem\Udfs \UdfsDisk 89FC11F8 Device \Driver\usbohci \Device\USBPDO-0 8A3B4500 Device \Driver\usbehci \Device\USBPDO-1 8A397500 AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5CE1F8 Device \Driver\Cdrom \Device\CdRom0 8A3AD500 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A5CE1F8 Device \Driver\atapi \Device\Ide\IdePort0 [B9E0FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9E0FB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\Ftdisk \Device\HarddiskVolume3 8A5CE1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 8A237368 Device \Driver\NetBT \Device\NetBT_Tcpip_{3756BBC2-B9D8-405C-A7FC-04674B2C1D0F} 8A237368 Device \Driver\NetBT \Device\NetbiosSmb 8A237368 Device \Driver\nvata \Device\0000006b 8A5CD1F8 Device \Driver\nvata \Device\0000006c 8A5CD1F8 Device \Driver\usbohci \Device\USBFDO-0 8A3B4500 Device \Driver\usbehci \Device\USBFDO-1 8A397500 Device \Driver\nvata \Device\NvAta0 8A5CD1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A0FD500 Device \Driver\nvata \Device\NvAta1 8A5CD1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A0FD500 Device \Driver\Ftdisk \Device\FtControl 8A5CE1F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB6 0x71 0x67 0xE7 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x52 0x15 0xFA 0xBE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2A 0x55 0xD3 0x5E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x86 0x91 0x46 0x5F ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB6 0x71 0x67 0xE7 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x52 0x15 0xFA 0xBE ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2A 0x55 0xD3 0x5E ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x86 0x91 0x46 0x5F ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xB6 0x71 0x67 0xE7 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x52 0x15 0xFA 0xBE ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x2A 0x55 0xD3 0x5E ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x86 0x91 0x46 0x5F ... ---- EOF - GMER 1.0.15 ----