GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-09-23 18:21:49
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3160815AS rev.3.AAD 149,05GB
Running: y311q0xr.exe; Driver: C:\DOCUME~1\Tomal2\USTAWI~1\Temp\kwqdrpoc.sys

---- System - GMER 2.1 ----

SSDT spcb.sys ZwCreateKey [0xB9EB50E0]
SSDT spcb.sys ZwEnumerateKey [0xB9ECDDA4]
SSDT spcb.sys ZwEnumerateValueKey [0xB9ECE132]
SSDT spcb.sys ZwOpenKey [0xB9EB50C0]
SSDT spcb.sys ZwQueryKey [0xB9ECE20A]
SSDT spcb.sys ZwQueryValueKey [0xB9ECE08A]
SSDT spcb.sys ZwSetValueKey [0xB9ECE29C]
SSDT \??\C:\WINDOWS\system32\DRIVERS\PavProc.sys ZwTerminateProcess [0xAD6AF4E8]

INT 0x62 ? 8A5F5BF8
INT 0x73 ? 8A13DF00
INT 0x73 ? 8A13DF00
INT 0x83 ? 8A5F5BF8
INT 0xA4 ? 8A13DF00
INT 0xB4 ? 8A13DF00

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FC8 80504854 4 Bytes [E8, F4, 6A, AD]
? spcb.sys Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8E97000, 0x1C5D38, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xADAC7300, 0x3AE88, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA388300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3276] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 003DA161 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3276] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 112313A8 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3276] USER32.dll!SetWindowLongA + 19 7E37C2B6 7 Bytes JMP 1123147D C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3276] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 11233769 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3276] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 11231D03 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 0139374A C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] ntdll.dll!NtFlushBuffersFile 7C90D310 5 Bytes JMP 0139348A C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] ntdll.dll!NtQueryFullAttributesFile 7C90D790 5 Bytes JMP 013935C2 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] ntdll.dll!NtReadFile 7C90D9B0 5 Bytes JMP 013934C4 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] ntdll.dll!NtReadFileScatter 7C90D9C0 5 Bytes JMP 016ECB1D C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] ntdll.dll!NtWriteFile 7C90DF60 5 Bytes JMP 013938EE C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] ntdll.dll!NtWriteFileGather 7C90DF70 5 Bytes JMP 016ECB6D C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 1000A161 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 016D5EF6 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 016D510F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 0145DBC1 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 016D4981 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 021CE1E3 C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys
Device \FileSystem\Ntfs \Ntfs 8A5F41F8
AttachedDevice \FileSystem\Ntfs \Ntfs pavdrv51.sys
AttachedDevice \FileSystem\Ntfs \Ntfs av5flt.sys
Device \Driver\usbohci \Device\USBPDO-0 8A2E21F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{0FAF8BF6-2719-413F-864C-3CC5954EBE68} 8A09D500
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A5841F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A5841F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A5841F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A5841F8
Device \Driver\usbohci \Device\USBPDO-1 8A2E21F8
Device \Driver\usbohci \Device\USBPDO-2 8A2E21F8
Device \Driver\usbohci \Device\USBPDO-3 8A2E21F8
Device \Driver\usbohci \Device\USBPDO-4 8A2E21F8
Device \Driver\usbehci \Device\USBPDO-5 8A17C500
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A5F61F8
Device \Driver\Cdrom \Device\CdRom0 8A063500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-12 [B9E08B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8A063500
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A09D500
Device \Driver\PCI_PNP4252 \Device\0000004c spcb.sys
Device \Driver\sptd \Device\3716360502 spcb.sys
Device \Driver\usbohci \Device\USBFDO-0 8A2E21F8
Device \Driver\usbohci \Device\USBFDO-1 8A2E21F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A03F500
Device \Driver\usbohci \Device\USBFDO-2 8A2E21F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A03F500
Device \Driver\usbohci \Device\USBFDO-3 8A2E21F8
Device \Driver\usbohci \Device\USBFDO-4 8A2E21F8
Device \Driver\Ftdisk \Device\FtControl 8A5F61F8
Device \Driver\usbehci \Device\USBFDO-5 8A17C500
Device \Driver\a8posr1u \Device\Scsi\a8posr1u1 8A05B500
Device \Driver\a8posr1u \Device\Scsi\a8posr1u1Port4Path0Target0Lun0 8A05B500
Device \FileSystem\Cdfs \Cdfs 8A1641F8

---- Trace I/O - GMER 2.1 ----

Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spcb.sys >>UNKNOWN [0x8a5a4938]<< 8a5a4938
Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a533ab8] 8a533ab8
Trace 3 CLASSPNP.SYS[ba0e8fd7] -> nt!IofCallDriver -> \Device\0000006f[0x8a5ee1d0] 8a5ee1d0
Trace 5 ACPI.sys[b9e73620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x8a535940] 8a535940

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x10 0xE1 0xDE 0x22 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x66 0xA6 0x08 0xAB ...
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x6B 0xAF 0x7D 0x83 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 474542
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x91 0x5A 0xD4 0x15 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x66 0xA6 0x08 0xAB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9E 0x99 0x45 0x81 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0FAF8BF6-2719-413F-864C-3CC5954EBE68}@LeaseObtainedTime 1443015374
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0FAF8BF6-2719-413F-864C-3CC5954EBE68}@T1 1443015824
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0FAF8BF6-2719-413F-864C-3CC5954EBE68}@T2 1443016161
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0FAF8BF6-2719-413F-864C-3CC5954EBE68}@LeaseTerminatesTime 1443016274
Reg HKLM\SYSTEM\CurrentControlSet\Services\{0FAF8BF6-2719-413F-864C-3CC5954EBE68}\Parameters\Tcpip@LeaseObtainedTime 1443015374
Reg HKLM\SYSTEM\CurrentControlSet\Services\{0FAF8BF6-2719-413F-864C-3CC5954EBE68}\Parameters\Tcpip@T1 1443015824
Reg HKLM\SYSTEM\CurrentControlSet\Services\{0FAF8BF6-2719-413F-864C-3CC5954EBE68}\Parameters\Tcpip@T2 1443016161
Reg HKLM\SYSTEM\CurrentControlSet\Services\{0FAF8BF6-2719-413F-864C-3CC5954EBE68}\Parameters\Tcpip@LeaseTerminatesTime 1443016274
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCF 0xFD 0xFB 0x85 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x66 0xA6 0x08 0xAB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x9E 0x99 0x45 0x81 ...

---- EOF - GMER 2.1 ----