GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-08-07 21:57:57 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HD160JJ rev.ZM100-47 Running: mq2i2435.exe; Driver: C:\DOCUME~1\KRZYSI~1\USTAWI~1\Temp\kxloqpow.sys ---- System - GMER 1.0.15 ---- SSDT BA6DF1E4 ZwClose SSDT BA6DF19E ZwCreateKey SSDT BA6DF1EE ZwCreateSection SSDT BA6DF194 ZwCreateThread SSDT BA6DF1A3 ZwDeleteKey SSDT BA6DF1AD ZwDeleteValueKey SSDT BA6DF1DF ZwDuplicateObject SSDT sptd.sys ZwEnumerateKey [0xB9EC3FB2] SSDT sptd.sys ZwEnumerateValueKey [0xB9EC4340] SSDT BA6DF1B2 ZwLoadKey SSDT sptd.sys ZwOpenKey [0xB9EBE0B0] SSDT BA6DF180 ZwOpenProcess SSDT BA6DF185 ZwOpenThread SSDT sptd.sys ZwQueryKey [0xB9EC4418] SSDT BA6DF207 ZwQueryValueKey SSDT BA6DF1BC ZwReplaceKey SSDT BA6DF1F8 ZwRequestWaitReplyPort SSDT BA6DF1B7 ZwRestoreKey SSDT BA6DF1F3 ZwSetContextThread SSDT BA6DF1FD ZwSetSecurityObject SSDT BA6DF1A8 ZwSetValueKey SSDT BA6DF202 ZwSystemDebugControl SSDT BA6DF18F ZwTerminateProcess ---- Kernel code sections - GMER 1.0.15 ---- ? C:\WINNT\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\WINNT\system32\DRIVERS\nv4_mini.sys section is writeable [0xB98B4360, 0x24526E, 0xE8000020] .text USBPORT.SYS!DllUnload B98718AC 5 Bytes JMP 8A854770 ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EBEAD4] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EBEC1A] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EBEB9C] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EBF748] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EBF61E] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9ED429A] sptd.sys ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtCreateFile] [019E2F20] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [019E2C90] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtClose] [019E2CF0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [019E2CC0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1388] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8A9C91E8 Device \Driver\usbuhci \Device\USBPDO-0 8A843790 Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A95E1E8 Device \Driver\dmio \Device\DmControl\DmConfig 8A95E1E8 Device \Driver\dmio \Device\DmControl\DmPnP 8A95E1E8 Device \Driver\dmio \Device\DmControl\DmInfo 8A95E1E8 Device \Driver\usbuhci \Device\USBPDO-1 8A843790 Device \Driver\usbuhci \Device\USBPDO-2 8A843790 Device \Driver\usbuhci \Device\USBPDO-3 8A843790 Device \Driver\usbehci \Device\USBPDO-4 8A8ED1E8 Device \Driver\Ftdisk \Device\HarddiskVolume1 8A9CB1E8 Device \Driver\Cdrom \Device\CdRom0 8A7A2790 Device \Driver\Ftdisk \Device\HarddiskVolume2 8A9CB1E8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP3T1L0-10 [B9E11B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 8A2AE1E8 Device \Driver\NetBT \Device\NetbiosSmb 8A2AE1E8 Device \Driver\usbuhci \Device\USBFDO-0 8A843790 Device \Driver\usbuhci \Device\USBFDO-1 8A843790 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A6971E8 Device \Driver\usbuhci \Device\USBFDO-2 8A843790 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A6971E8 Device \Driver\usbuhci \Device\USBFDO-3 8A843790 Device \Driver\NetBT \Device\NetBT_Tcpip_{EA7104C0-56C0-4CFE-9058-E37C2E2D4596} 8A2AE1E8 Device \Driver\usbehci \Device\USBFDO-4 8A8ED1E8 Device \Driver\Ftdisk \Device\FtControl 8A9CB1E8 Device \FileSystem\Cdfs \Cdfs 8A4DA790 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF3 0xC3 0x0B 0x6D ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF3 0xC3 0x0B 0x6D ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF3 0xC3 0x0B 0x6D ... ---- Files - GMER 1.0.15 ---- File C:\WINNT\$NtUninstallKB50032$\1927040595 0 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\@ 2048 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\L 0 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\L\eavokvcy 138496 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\loader.tlb 2632 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U 0 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@00000001 45968 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@000000c0 2560 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@000000cb 704 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@000000cf 1536 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@80000000 73728 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@800000c0 43008 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@800000cb 25600 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@800000cf 31232 bytes File C:\WINNT\$NtUninstallKB50032$\3677352482 0 bytes ---- EOF - GMER 1.0.15 ----