GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-06-16 09:43:38
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-6 ST3500320AS rev.SD15 465,76GB
Running: h4e6tdis.exe; Driver: C:\DOCUME~1\user_2\USTAWI~1\Temp\fwdiykog.sys


---- System - GMER 2.2 ----

SSDT    splt.sys    ZwCreateKey [0xF72860E0]
SSDT    splt.sys    ZwEnumerateKey [0xF72A4CA4]
SSDT    splt.sys    ZwEnumerateValueKey [0xF72A5032]
SSDT    splt.sys    ZwOpenKey [0xF72860C0]
SSDT    splt.sys    ZwQueryKey [0xF72A510A]
SSDT    splt.sys    ZwQueryValueKey [0xF72A4F8A]
SSDT    splt.sys    ZwSetValueKey [0xF72A519C]

INT 0x03    \WINDOWS\system32\ntkrnlpa.exe[unknown section]    804D70D6
INT 0x06    \??\C:\WINDOWS\system32\drivers\Haspnt.sys    F030916D
INT 0x0E    \??\C:\WINDOWS\system32\drivers\Haspnt.sys    F0308FC2
INT 0x62    ?    8A8EABF8
INT 0x73    ?    8A8EABF8
INT 0x73    ?    8A8EABF8
INT 0x73    ?    8A5BCF00
INT 0x73    ?    8A8EABF8
INT 0x82    ?    8A8EABF8
INT 0x83    ?    8A5BCF00
INT 0xA4    ?    8A5BCF00
INT 0xB4    ?    8A5BCF00

---- Kernel code sections - GMER 2.2 ----

?           splt.sys    Nie można odnaleźć określonego pliku. !
.text       C:\WINDOWS\system32\DRIVERS\ati2mtag.sys    section is writeable [0xF6499000, 0x276947, 0xE8000020]
init        C:\WINDOWS\system32\drivers\monfilt.sys    entry point in "init" section [0xF313E280]
.text       C:\WINDOWS\system32\drivers\aksfridge.sys    section is writeable [0xEFEF1000, 0x47E35, 0xE0000020]
.init       C:\WINDOWS\system32\drivers\aksfridge.sys    entry point in ".init" section [0xEFF45224]
.init       C:\WINDOWS\system32\drivers\aksfridge.sys    unknown last code section [0xEFF45000, 0x4000, 0xE20000E0]
.text       C:\WINDOWS\system32\drivers\hardlock.sys    section is writeable [0xEFE38400, 0x6E6E2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xEFEC2820]
            C:\WINDOWS\system32\drivers\hardlock.sys    entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xEFEC2820]
.protect˙˙˙˙hardlockunknown last code section [0xEFEC2600, 0x512A, 0xE0000020]
            C:\WINDOWS\system32\drivers\hardlock.sys    unknown last code section [0xEFEC2600, 0x512A, 0xE0000020]

---- Devices - GMER 2.2 ----

Device    \FileSystem\Ntfs    \Ntfs    8A8E91F8
Device    \FileSystem\Fastfat    \FatCdrom    8A4CC500
Device    \Driver\usbuhci    \Device\USBPDO-0    8A532500
Device    \Driver\usbuhci    \Device\USBPDO-1    8A532500
Device    \Driver\dmio    \Device\DmControl\DmIoDaemon    8A87A1F8
Device    \Driver\dmio    \Device\DmControl\DmConfig    8A87A1F8
Device    \Driver\dmio    \Device\DmControl\DmPnP    8A87A1F8
Device    \Driver\dmio    \Device\DmControl\DmInfo    8A87A1F8
Device    \Driver\usbuhci    \Device\USBPDO-2    8A532500
Device    \Driver\usbuhci    \Device\USBPDO-3    8A532500
Device    \Driver\usbehci    \Device\USBPDO-4    8A67E360
Device    \Driver\NetBT    \Device\NetBT_Tcpip_{07ED5E48-6FB2-4F5D-974E-0966BB57DD8B}    8A52C500
Device    \Driver\Ftdisk    \Device\HarddiskVolume1    8A8EB1F8
Device    \Driver\USBSTOR    \Device\00000071    8A4CB500
Device    \Driver\Cdrom    \Device\CdRom0    8A400500
Device    \Driver\atapi    \Device\Ide\IdePort0    [F71D9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi    \Device\Ide\IdePort1    [F71D9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi    \Device\Ide\IdeDeviceP2T0L0-6    [F71D9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi    \Device\Ide\IdePort2    [F71D9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi    \Device\Ide\IdeDeviceP2T1L0-e    [F71D9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\atapi    \Device\Ide\IdePort3    [F71D9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device    \Driver\USBSTOR    \Device\00000073    8A4CB500
Device    \Driver\USBSTOR    \Device\00000075    8A4CB500
Device    \Driver\USBSTOR    \Device\00000076    8A4CB500
Device    \Driver\NetBT    \Device\NetBt_Wins_Export    8A52C500
Device    \Driver\NetBT    \Device\NetbiosSmb    8A52C500
Device    \Driver\Disk    \Device\Harddisk0\DR0    aksfridge.sys
Device    \Driver\Disk    \Device\Harddisk1\DR2    aksfridge.sys
Device    \Driver\Disk    \Device\Harddisk1\DP(1)0-0+3    aksfridge.sys
Device    \Driver\Disk    \Device\Harddisk2\DR4    aksfridge.sys
Device    \Driver\Disk    \Device\Harddisk2\DP(1)0-0+5    aksfridge.sys
Device    \Driver\usbuhci    \Device\USBFDO-0    8A532500
Device    \Driver\usbuhci    \Device\USBFDO-1    8A532500
Device    \FileSystem\MRxSmb    \Device\LanmanDatagramReceiver    8A443500
Device    \Driver\usbuhci    \Device\USBFDO-2    8A532500
Device    \FileSystem\MRxSmb    \Device\LanmanRedirector    8A443500
Device    \Driver\usbuhci    \Device\USBFDO-3    8A532500
Device    \Driver\Ftdisk    \Device\FtControl    8A8EB1F8
Device    \Driver\usbehci    \Device\USBFDO-4    8A67E360
Device    \FileSystem\Fastfat    \Fat    8A4CC500
Device    \FileSystem\Cdfs    \Cdfs    8A644500

---- Trace I/O - GMER 2.2 ----

Trace    ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys splt.sys >>UNKNOWN [0x8a89a938]<<    8a89a938
Trace    1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a8dbab8]    8a8dbab8
Trace    3 CLASSPNP.SYS[f74c7fd7] -> nt!IofCallDriver -> \Device\00000066[0x8a8f2858]    8a8f2858
Trace    5 ACPI.sys[f7244620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-6[0x8a839d98]    8a839d98

---- Registry - GMER 2.2 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1    771343423
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2    285507792
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0    1
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0    0
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12    0x63 0xD3 0x3C 0x21 ...
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0    0
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12    0x63 0xD3 0x3C 0x21 ...
Reg    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@C:\Program Files\Common Files\Vbox\Licenses\CorelDRAW® Graphics Suite_11_D639.lic    2
Reg    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@C:\Program Files\Common Files\Vbox\Licenses\CorelDRAW® Graphics Suite_11_D639.prf    2

---- Files - GMER 2.2 ----

File    C:\Documents and Settings\user_2\Ustawienia lokalne\Temp\2016Y0K5.bat    37460 bytes
File    C:\Rem-VBS.log    708 bytes
File    C:\Rem-VBSqt    0 bytes
File    C:\Rem-VBSqt\Rem-VBSqt.log    1124 bytes

---- EOF - GMER 2.2 ----