GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-14 21:01:57
Windows 6.0.6002 Service Pack 2
Running: fi431ubw.exe; Driver: C:\Users\AGNIES~1\AppData\Local\Temp\uwdoruod.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8D2D40B0]

INT 0x51 ? 8640CC88
INT 0x51 ? 8640CC88
INT 0x52 ? 8640CC88
INT 0x72 ? 84A26C88
INT 0x72 ? 8640CC88
INT 0x72 ? 8640CC88
INT 0x72 ? 84A26C88
INT 0x82 ? 8407DC88
INT 0x92 ? 8407DC88
INT 0xB3 ? 8640CC88

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 621 81EE2D84 4 Bytes [B0, 40, 2D, 8D]
? System32\Drivers\speu.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8BC00340, 0x3E9407, 0xE8000020]
.text USBPORT.SYS!DllUnload 8C43541B 5 Bytes JMP 8640C1D8

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [80690F9C] \SystemRoot\System32\Drivers\speu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [806903E6] \SystemRoot\System32\Drivers\speu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8069090E] \SystemRoot\System32\Drivers\speu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80691178] \SystemRoot\System32\Drivers\speu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [80690116] \SystemRoot\System32\Drivers\speu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [806901D4] \SystemRoot\System32\Drivers\speu.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A1976] \SystemRoot\System32\Drivers\speu.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84A281F8
Device \FileSystem\fastfat \FatCdrom A00A01F8
Device \FileSystem\udfs \UdfsCdRom 864BA1F8
Device \FileSystem\udfs \UdfsDisk 864BA1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{06FB4E2C-C94B-4227-A737-DFF980235C30} 86901470
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
Device \Driver\volmgr \Device\VolMgrControl 8407F1F8
Device \Driver\usbuhci \Device\USBPDO-0 864A21F8
Device \Driver\usbuhci \Device\USBPDO-1 864A21F8
Device \Driver\usbehci \Device\USBPDO-2 864A31F8
Device \Driver\usbuhci \Device\USBPDO-3 864A21F8
Device \Driver\usbuhci \Device\USBPDO-4 864A21F8
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-5 864A21F8
Device \Driver\usbehci \Device\USBPDO-6 864A31F8
Device \Driver\volmgr \Device\HarddiskVolume1 8407F1F8
Device \Driver\volmgr \Device\HarddiskVolume2 8407F1F8
Device \Driver\cdrom \Device\CdRom0 864F91F8
Device \Driver\volmgr \Device\HarddiskVolume3 8407F1F8
Device \Driver\cdrom \Device\CdRom1 864F91F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84A271F8
Device \Driver\iaStor \Device\Ide\iaStor0 [87AD68E0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 84A271F8
Device \Driver\atapi \Device\Ide\IdePort1 84A271F8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [87AD68E0] \SystemRoot\system32\drivers\iastor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\BTHUSB \Device\00000075 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\netbt \Device\NetBt_Wins_Export 86901470
Device \Driver\BTHUSB \Device\00000077 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\Smb \Device\NetbiosSmb 8690A1F8
Device \Driver\iScsiPrt \Device\RaidPort0 865071F8
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\netbt \Device\NetBT_Tcpip_{544BF711-F10F-4B10-8123-1CF958AFF464} 86901470
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 864A21F8
Device \Driver\usbuhci \Device\USBFDO-1 864A21F8
Device \Driver\usbehci \Device\USBFDO-2 864A31F8
Device \Driver\usbuhci \Device\USBFDO-3 864A21F8
Device \Driver\usbuhci \Device\USBFDO-4 864A21F8
Device \Driver\usbuhci \Device\USBFDO-5 864A21F8
Device \Driver\netbt \Device\NetBT_Tcpip_{69B9DC90-1991-469C-8D6B-DC5D0C4FF057} 86901470
Device \Driver\usbehci \Device\USBFDO-6 864A31F8
Device \Driver\netbt \Device\NetBT_Tcpip_{86342735-AEB5-497C-BEF7-790B14AE3E27} 86901470
Device \FileSystem\fastfat \Fat A00A01F8
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\cdfs \Cdfs 86FE41F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186a96bad
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186a96bad@0021fea3a145 0x2E 0x0D 0xD5 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186a96bad@002243f27caf 0x87 0x8A 0x96 0xB4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186a96bad@001ea324fa7c 0xD2 0x9F 0x69 0x83 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186a96bad@002669dedb80 0x1B 0xE0 0xE1 0xC4 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186a96bad@1886acfe72c7 0x29 0xDE 0xDC 0x46 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9B 0x49 0xD1 0xAC ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186a96bad (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186a96bad@0021fea3a145 0x2E 0x0D 0xD5 0x96 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186a96bad@002243f27caf 0x87 0x8A 0x96 0xB4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186a96bad@001ea324fa7c 0xD2 0x9F 0x69 0x83 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186a96bad@002669dedb80 0x1B 0xE0 0xE1 0xC4 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186a96bad@1886acfe72c7 0x29 0xDE 0xDC 0x46 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9B 0x49 0xD1 0xAC ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E678BED1-7824-B728-950F-75CB7F739694}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E678BED1-7824-B728-950F-75CB7F739694}@oalngiicamdpmpelcpnomnmejleccm 0x61 0x69 0x6A 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E678BED1-7824-B728-950F-75CB7F739694}@iaimcmgbhimlpmhoai 0x6A 0x61 0x66 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E678BED1-7824-B728-950F-75CB7F739694}@haommjdlgekmpoeo 0x6A 0x61 0x66 0x62 ...

---- EOF - GMER 1.0.15 ----
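Added example, not GMER's own code and not part of the log posted above: a small Python triage script for the GMER 1.0.15 text log format. It parses the entry shapes a responder reads first (SSDT hooks, kernel IAT hooks, inline .text patches, writeable code sections, IDT vectors with no owning module, and drivers GMER could not open on disk) and counts hooks per installing driver, so that a long log collapses to a handful of lines. The regexes, function names and the summary layout are this example's own choices; the embedded sample is a constructed subset of lines copied from the scan above.

```python
"""Triage helper for a GMER 1.0.15 text log.

Added example, not part of GMER or of the posted log: extracts SSDT hooks,
kernel IAT hooks, inline .text patches, writeable code sections, IDT entries
with no known owner and drivers whose file GMER could not open, then counts
hooks per installing module.
"""
import re
from collections import Counter

# Constructed sample: a subset of lines copied from the scan above, reduced so
# the script runs stand-alone.  Pass the whole log text to triage() in practice.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.sys ZwTerminateProcess [0x8D2D40B0]
INT 0x51 ? 8640CC88
INT 0x72 ? 84A26C88
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 621 81EE2D84 4 Bytes [B0, 40, 2D, 8D]
? System32\Drivers\speu.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8BC00340, 0x3E9407, 0xE8000020]
.text USBPORT.SYS!DllUnload 8C43541B 5 Bytes JMP 8640C1D8
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [80690F9C] \SystemRoot\System32\Drivers\speu.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8069090E] \SystemRoot\System32\Drivers\speu.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A1976] \SystemRoot\System32\Drivers\speu.sys
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 84A281F8
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
---- EOF - GMER 1.0.15 ----
"""

# One regex per GMER line shape of interest (column spacing in the log varies).
SSDT_RE = re.compile(r"^SSDT\s+(?P<hooker>.+?)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
IAT_RE = re.compile(r"^IAT\s+(?P<victim>\S+?)\[(?P<import>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<hooker>\S+)$")
INLINE_RE = re.compile(r"^\.text\s+(?P<target>.+?)\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+)\s+Bytes\s+(?P<detail>.+)$")
WRITEABLE_RE = re.compile(r"^\.text\s+(?P<module>\S+)\s+section is writeable")
IDT_UNKNOWN_RE = re.compile(r"^INT\s+(?P<vector>0x[0-9A-Fa-f]+)\s+\?\s+(?P<addr>[0-9A-Fa-f]{8})$")
MISSING_RE = re.compile(r"^\?\s+(?P<path>\S+)\s+(?P<msg>.+?)\s*!$")


def basename(path):
    """Last component of an NT or DOS path, e.g. ...\\Drivers\\speu.sys -> speu.sys."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def triage(log_text):
    """Parse a GMER text log and return the notable entries grouped by kind."""
    findings = {"ssdt": [], "iat": [], "inline": [], "writeable": [],
                "idt_unknown": [], "missing": []}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue  # blank line or section header
        m = SSDT_RE.match(line)
        if m:
            findings["ssdt"].append(m.groupdict())
            continue
        m = IAT_RE.match(line)
        if m:
            findings["iat"].append(m.groupdict())
            continue
        m = WRITEABLE_RE.match(line)  # checked before INLINE_RE: both start with .text
        if m:
            findings["writeable"].append(m.group("module"))
            continue
        m = INLINE_RE.match(line)
        if m:
            d = m.groupdict()
            d["n"] = int(d["n"])
            findings["inline"].append(d)
            continue
        m = IDT_UNKNOWN_RE.match(line)
        if m:
            findings["idt_unknown"].append(m.groupdict())
            continue
        m = MISSING_RE.match(line)
        if m:
            findings["missing"].append(m.groupdict())
    return findings


def hooks_by_module(findings):
    """Count SSDT and IAT hooks per installing driver, keyed by file name."""
    counts = Counter()
    for hook in findings["ssdt"] + findings["iat"]:
        counts[basename(hook["hooker"])] += 1
    return counts


def report(findings):
    """One summary line per notable item, hook counts first."""
    lines = []
    for module, n in hooks_by_module(findings).most_common():
        lines.append(f"{n} hook(s) installed by {module}")
    for p in findings["inline"]:
        lines.append(f"inline patch of {p['n']} bytes at {p['target']}: {p['detail']}")
    for mod in findings["writeable"]:
        lines.append(f"writeable code section in {mod}")
    for e in findings["idt_unknown"]:
        lines.append(f"IDT vector {e['vector']} points to {e['addr']} (no owning module)")
    for f in findings["missing"]:
        lines.append(f"driver referenced but not openable on disk: {f['path']}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(triage(SAMPLE_LOG))))
```

Run it against a full log by reading the file and calling triage() on its contents; the grouping by installing module is what makes a log like the one above quick to read, because it shows at a glance that every IAT entry points at one driver and the single SSDT entry at another. The script only extracts and counts; deciding whether a given hooking driver is legitimate software or something to remove is still the analyst's job.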