GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-07-13 13:42:08
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3320820AS rev.3.AAX
Running: ck198ygv.exe; Driver: C:\Users\RABAYS~1\AppData\Local\Temp\axgdqpob.sys

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!ZwSaveKey + 13CD 82C75A09 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C95512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text sptd.sys 89637001 31 Bytes [C7, C0, 82, 34, 62, C1, 82, ...]
.text sptd.sys 89637024 152 Bytes [32, AE, CB, 82, 05, 80, D5, ...]
.text sptd.sys 896370BD 119 Bytes [2D, E0, 82, ED, 27, CA, 82, ...]
.text sptd.sys 89637135 151 Bytes [FB, D9, 82, 40, 42, C7, 82, ...]
.text sptd.sys 896371D4 4 Bytes [F3, A5, 6A, 4D] {REP MOVSD ; PUSH 0x4d}
.text ...
.sptd2 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd2" section [0x896E19E3]
? C:\Windows\System32\Drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.text USBPORT.SYS!DllUnload 91F90DB9 5 Bytes JMP 862A1410

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1836] kernel32.dll!SetUnhandledExceptionFilter 7606F4FB 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2216] USER32.dll!SetWindowLongA 778C8BA3 5 Bytes JMP 669AEDA6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2216] USER32.dll!SetWindowLongW 778D4449 5 Bytes JMP 669AED38 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2216] USER32.dll!GetWindowInfo 778D4B5E 5 Bytes JMP 667C5451 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2216] USER32.dll!TrackPopupMenu 778E2228 5 Bytes JMP 667C5A99 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3636] ntdll.dll!LdrLoadDll 77AF22B8 5 Bytes JMP 01261410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8963870C] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [89638EEE] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [8963920E] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [896390CC] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [896388F0] \SystemRoot\System32\Drivers\sptd.sys
IAT \SystemRoot\system32\drivers\ataport.SYS[ntoskrnl.exe!KeInsertQueueDpc] 84C5C5E8
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!KeInsertQueueDpc] 862A1830

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74792437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74775600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [747756BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [747924B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74788514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74784CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7478506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74785144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74786671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7478826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [747887BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7478901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7478E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1604] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74784BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [74792437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [74775600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [747756BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [747924B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [74788514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [74784CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [7478506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [74785144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74786671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [7478826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [747887BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [7478901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7478E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2264] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [74784BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [74792437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [74775600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [747756BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [747924B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [74788514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [74784CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [7478506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [74785144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74786671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [7478826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [747887BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [7478901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7478E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2640] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [74784BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 84C641E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{B17A58C7-96E6-483C-AC7C-6825D9D2AB1D} 85D831E8
Device \Driver\usbohci \Device\USBPDO-0 862AA1E8
Device \Driver\usbohci \Device\USBPDO-1 862AA1E8
Device \Driver\NetBT \Device\NetBT_Tcpip_{DB742AEF-A45D-4DCF-A7A4-18B0C52B9523} 85D831E8
Device \Driver\ACPI_HAL \Device\00000053 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbohci \Device\USBPDO-2 862AA1E8
Device \Driver\usbehci \Device\USBPDO-3 862C61E8
Device \Driver\USBSTOR \Device\00000070 85DAD1E8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000071 85DAD1E8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 85D961E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84C621E8
Device \Driver\atapi \Device\Ide\IdePort0 84C621E8
Device \Driver\atapi \Device\Ide\IdePort1 84C621E8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 84C621E8
Device \Driver\USBSTOR \Device\00000073 85DAD1E8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000074 85DAD1E8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\USBSTOR \Device\00000075 85DAD1E8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBt_Wins_Export 85D831E8
Device \Driver\usbohci \Device\USBFDO-0 862AA1E8
Device \Driver\usbohci \Device\USBFDO-1 862AA1E8
Device \Driver\usbohci \Device\USBFDO-2 862AA1E8
Device \Driver\usbehci \Device\USBFDO-3 862C61E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792

---- Files - GMER 1.0.15 ----

File C:\Windows\Temp\TMP000001801541A5BBF6B86498 524288 bytes

---- EOF - GMER 1.0.15 ----