GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-16 17:41:11 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST380817AS rev.3.42 74,53GB Running: gqiuipsb.exe; Driver: C:\DOCUME~1\agatka\USTAWI~1\Temp\uxrdrpow.sys ---- System - GMER 2.1 ---- SSDT spjf.sys ZwCreateKey [0xF84230E0] SSDT spjf.sys ZwEnumerateKey [0xF843BDA4] SSDT spjf.sys ZwEnumerateValueKey [0xF843C132] SSDT spjf.sys ZwOpenKey [0xF84230C0] SSDT spjf.sys ZwQueryKey [0xF843C20A] SSDT spjf.sys ZwQueryValueKey [0xF843C08A] SSDT spjf.sys ZwSetValueKey [0xF843C29C] INT 0x62 ? 823DEBF8 INT 0x63 ? 82331BF8 INT 0x63 ? 82331BF8 INT 0x82 ? 823DEBF8 INT 0x83 ? 823DEBF8 INT 0x83 ? 823DEBF8 INT 0x83 ? 82331BF8 INT 0x83 ? 823DEBF8 INT 0xA4 ? 82331BF8 INT 0xB4 ? 82331BF8 ---- Kernel code sections - GMER 2.1 ---- PAGE ntoskrnl.exe!ZwResumeThread 8058ECB2 1 Byte [CC] {INT 3 } ? spjf.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\drivers\ACPI.sys section is writeable [0xF83DB300, 0x1AF00, 0xE8000020] .rsrc C:\WINDOWS\system32\drivers\ACPI.sys section is executable [0xF8404F00, 0x1BF8, 0xE8000040] .reloc C:\WINDOWS\system32\drivers\ACPI.sys section is executable [0xF8406B00, 0x2506, 0xE8000040] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[2760] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 10001FFD C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2760] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 01B10455 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2760] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 01B1049D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2760] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 01725A06 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2760] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 01B104C4 C:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 823DD1F8 Device \Driver\usbuhci \Device\USBPDO-0 8232F1F8 Device \Driver\usbuhci \Device\USBPDO-1 8232F1F8 Device \Driver\dmio \Device\DmControl\DmIoDaemon 823711F8 Device \Driver\dmio \Device\DmControl\DmConfig 823711F8 Device \Driver\dmio \Device\DmControl\DmPnP 823711F8 Device \Driver\dmio \Device\DmControl\DmInfo 823711F8 Device \Driver\usbuhci \Device\USBPDO-2 8232F1F8 Device \Driver\usbuhci \Device\USBPDO-3 8232F1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{B3947588-9D49-4287-9432-E21508B455C1} 820741F8 Device \Driver\usbehci \Device\USBPDO-4 8232A1F8 Device \Driver\Ftdisk \Device\HarddiskVolume1 823DF1F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 823DF1F8 Device \Driver\Cdrom \Device\CdRom0 82321500 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F8376B40] atapi.sys[unknown section] {INT 3 ; PUSH ESP; AND AL, 0x8; LEA ECX, [ESP+0x4]; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F8376B40] atapi.sys[unknown section] {INT 3 ; PUSH ESP; AND AL, 0x8; LEA ECX, [ESP+0x4]; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F8376B40] atapi.sys[unknown section] {INT 3 ; PUSH ESP; AND AL, 0x8; LEA ECX, [ESP+0x4]; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [F8376B40] atapi.sys[unknown section] {INT 3 ; PUSH ESP; AND AL, 0x8; LEA ECX, [ESP+0x4]; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [F8376B40] atapi.sys[unknown section] {INT 3 ; PUSH ESP; AND AL, 0x8; LEA ECX, [ESP+0x4]; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-e [F8376B40] atapi.sys[unknown section] {INT 3 ; PUSH ESP; AND AL, 0x8; LEA ECX, [ESP+0x4]; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 820741F8 Device \Driver\NetBT \Device\NetbiosSmb 820741F8 Device \Driver\usbuhci \Device\USBFDO-0 8232F1F8 Device \Driver\usbuhci \Device\USBFDO-1 8232F1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81F1D1F8 Device \Driver\usbuhci \Device\USBFDO-2 8232F1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{8A242C83-8405-4DB6-9BA4-07FB54E6B1BF} 820741F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 81F1D1F8 Device \Driver\usbuhci \Device\USBFDO-3 8232F1F8 Device \Driver\usbehci \Device\USBFDO-4 8232A1F8 Device \Driver\Ftdisk \Device\FtControl 823DF1F8 Device \FileSystem\Cdfs \Cdfs 81EEE1F8 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys >>UNKNOWN [0x822f7ca1]<< 822f7ca1 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82340ab8] 82340ab8 Trace 3 CLASSPNP.SYS[f8576fd7] -> nt!IofCallDriver -> \Device\00000065[0x823519e8] 823519e8 Trace 5 ACPI.sys[f83e1620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-e[0x822f7d98] 822f7d98 ---- Threads - GMER 2.1 ---- Thread System [4:388] 8221739F Thread System [4:604] 81EF40F4 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5D 0x37 0x76 0x5D ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x5D 0x37 0x76 0x5D ... ---- EOF - GMER 2.1 ----