GMER 2.1.19081 - http://www.gmer.net Rootkit scan 2013-02-21 16:54:05 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-9 Hitachi_HDS721616PLA380 rev.P22OABEA 149,05GB Running: 6v6reo9p.exe; Driver: C:\DOCUME~1\DUMAN\USTAWI~1\Temp\axtdapoc.sys ---- System - GMER 2.1 ---- SSDT BA7937E4 ZwClose SSDT BA79379E ZwCreateKey SSDT BA7937EE ZwCreateSection SSDT BA793794 ZwCreateThread SSDT BA7937A3 ZwDeleteKey SSDT BA7937AD ZwDeleteValueKey SSDT BA7937DF ZwDuplicateObject SSDT sptd.sys ZwEnumerateKey [0xB9F03FFE] SSDT sptd.sys ZwEnumerateValueKey [0xB9F0438C] SSDT BA7937B2 ZwLoadKey SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0xAC580118] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0xAC5801E8] SSDT sptd.sys ZwOpenKey [0xB9ECFA30] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xAC57FD4A] SSDT BA793785 ZwOpenThread SSDT sptd.sys ZwQueryKey [0xB9F04464] SSDT BA793807 ZwQueryValueKey SSDT BA7937BC ZwReplaceKey SSDT BA7937F8 ZwRequestWaitReplyPort SSDT BA7937B7 ZwRestoreKey SSDT BA7937F3 ZwSetContextThread SSDT BA7937FD ZwSetSecurityObject SSDT BA7937A8 ZwSetValueKey SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwSuspendProcess [0xAC57FF38] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwSuspendThread [0xAC57FFCE] SSDT BA793802 ZwSystemDebugControl SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xAC57FE00] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xAC57FE9C] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xAC58006A] INT 0x63 ? 8A6FBCC8 INT 0x63 ? 8A6FBCC8 INT 0x63 ? 8A6FBCC8 INT 0x63 ? 8A6FBCC8 INT 0x63 ? 8A6FBCC8 INT 0x83 ? 8A6FBCC8 INT 0x83 ? 8A6FBCC8 INT 0x83 ? 8A4EACC8 INT 0x83 ? 8A6FBCC8 INT 0x84 ? 8A4EACC8 INT 0x94 ? 8A4EACC8 INT 0xA4 ? 8A4EACC8 INT 0xA4 ? 8A4EACC8 INT 0xA4 ? 8A4EACC8 INT 0xA4 ? 8A4EACC8 INT 0xB4 ? 8A4EACC8 Code szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ZwSetSecurityObject [0xBA0BCE24] Code szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) NtSetSecurityObject ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2FD0 805048C8 12 Bytes [38, FF, 57, AC, CE, FF, 57, ...] {CMP BH, BH; PUSH EDI; LODSB ; INTO ; CALL DWORD [EDI-0x54]; ADD BH, [EAX]; JNS 0xffffffc6} PAGE ntkrnlpa.exe!NtSetSecurityObject 805C0636 5 Bytes JMP BA0BCE28 szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ? sptd.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8EF3000, 0x2DC7EC, 0xE8000020] .text USBPORT.SYS!DllUnload B8EAA8AC 5 Bytes JMP 8A4EA1D8 .vmp2 C:\WINDOWS\system32\drivers\acedrv11.sys entry point in ".vmp2" section [0xA89BF69D] .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA8955300, 0x3B6D8, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xABC7E300, 0x1BEE, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[2920] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01588BF0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2920] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 018D7FF0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2920] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 018D7FCD C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2920] kernel32.dll!ValidateLocale + B1C8 7C8449C8 7 Bytes JMP 0159F1AD C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2920] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 018D7F4E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- Kernel IAT/EAT - GMER 2.1 ---- IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B9E96574] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B9E960C0] sptd.sys IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B9E96FE0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9E960C0] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9E96362] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9E962A4] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9E971BC] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9E96FE0] sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EAB312] sptd.sys ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8A6C61F8 AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) Device \FileSystem\Udfs \UdfsCdRom 8A39B430 Device \FileSystem\Udfs \UdfsDisk 8A39B430 AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\NetBT \Device\NetBT_Tcpip_{908CF704-A853-4B62-B096-6A11692DAF20} 8A27A430 Device \Driver\usbuhci \Device\USBPDO-0 8A45F1F8 Device \Driver\usbuhci \Device\USBPDO-1 8A45F1F8 Device \Driver\usbuhci \Device\USBPDO-2 8A45F1F8 Device \Driver\usbehci \Device\USBPDO-3 8A4D81F8 Device \Driver\usbuhci \Device\USBPDO-4 8A45F1F8 AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\usbuhci \Device\USBPDO-5 8A45F1F8 Device \Driver\usbuhci \Device\USBPDO-6 8A45F1F8 Device \Driver\usbehci \Device\USBPDO-7 8A4D81F8 Device \Driver\Cdrom \Device\CdRom0 8A40B430 Device \Driver\atapi \Device\Ide\IdePort0 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort4 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort5 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP5T0L0-16 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-9 [B9DE8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBT_Tcpip_{61CB6F4D-A13F-4208-84FD-01D57D1AF8B2} 8A27A430 Device \Driver\NetBT \Device\NetBt_Wins_Export 8A27A430 AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\usbuhci \Device\USBFDO-0 8A45F1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{4520B8A0-01AE-48CF-9839-ADD5570E7329} 8A27A430 Device \Driver\usbuhci \Device\USBFDO-1 8A45F1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A3A1430 Device \Driver\usbuhci \Device\USBFDO-2 8A45F1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A3A1430 Device \Driver\usbehci \Device\USBFDO-3 8A4D81F8 Device \Driver\usbuhci \Device\USBFDO-4 8A45F1F8 Device \Driver\usbuhci \Device\USBFDO-5 8A45F1F8 Device \Driver\usbuhci \Device\USBFDO-6 8A45F1F8 Device \Driver\usbehci \Device\USBFDO-7 8A4D81F8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9E 0x51 0xC5 0x07 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x4B 0xF3 0xBE 0xFA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xD4 0x5B 0x21 0x41 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9A 0xFC 0x19 0x92 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x9E 0x51 0xC5 0x07 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x4B 0xF3 0xBE 0xFA ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xD4 0x5B 0x21 0x41 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x9A 0xFC 0x19 0x92 ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 61 ! ---- EOF - GMER 2.1 ----