GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-09-08 00:37:18
Windows 5.1.2600 Dodatek Service Pack 2
Running: gmer.exe; Driver: C:\DOCUME~1\jar\USTAWI~1\Temp\fxroiaob.sys
---- System - GMER 1.0.15 ----
SSDT spfj.sys ZwCreateKey [0xB7EB50E0]
SSDT spfj.sys ZwEnumerateKey [0xB7ECDDA4]
SSDT spfj.sys ZwEnumerateValueKey [0xB7ECE132]
SSDT spfj.sys ZwOpenKey [0xB7EB50C0]
SSDT spfj.sys ZwQueryKey [0xB7ECE20A]
SSDT spfj.sys ZwQueryValueKey [0xB7ECE08A]
SSDT spfj.sys ZwSetValueKey [0xB7ECE29C]
INT 0x62 ? 8A613BF8
INT 0x63 ? 8A3AEBF8
INT 0x83 ? 8A613BF8
INT 0x83 ? 8A613BF8
INT 0x83 ? 8A3AEBF8
INT 0x83 ? 8A613BF8
---- Kernel code sections - GMER 1.0.15 ----
? spfj.sys Nie można odnaleźć określonego pliku. ! [Polish: "The system cannot find the file specified." — GMER could not open the driver image on disk; per the Devices and Registry sections below, spfj.sys is the \Driver\sptd instance associated with DAEMON Tools Lite]
.text USBPORT.SYS!DllUnload B7C6962C 5 Bytes JMP 8A3AE1D8
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB714A3A0, 0x592C35, 0xE8000020]
.text a4x3et0w.SYS B70E3386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text a4x3et0w.SYS B70E33AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a4x3et0w.SYS B70E33C4 3 Bytes [00, 80, 02]
.text a4x3et0w.SYS B70E33C9 1 Byte [30]
.text a4x3et0w.SYS B70E33C9 11 Bytes [30, 00, 00, 00, 5E, 02, 00, ...] {XOR [EAX], AL; ADD [EAX], AL; POP ESI; ADD AL, [EAX]; ADD [EAX], AL; ADD [EAX], AL}
.text ...
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1232] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2420] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7EB6042] spfj.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7EB613E] spfj.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7EB60C0] spfj.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7EB6800] spfj.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7EB66D6] spfj.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EC5B90] spfj.sys
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!KfAcquireSpinLock] 0C8D1C46
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!READ_PORT_UCHAR] B48B8932
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!KeGetCurrentIrql] 89000001
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!KfRaiseIrql] 0001C083
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!KfLowerIrql] 24468B00
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!HalGetInterruptVector] 89820C8D
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!HalTranslateBusAddress] D18BF84D
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!KeStallExecutionProcessor] 860F1639
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!KfReleaseSpinLock] 000000BD
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 020CB389
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!READ_PORT_USHORT] 83660000
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 7400067E
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[HAL.dll!WRITE_PORT_UCHAR] 89D60320
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[WMILIB.SYS!WmiSystemControl] 8D168B00
IAT \SystemRoot\System32\Drivers\a4x3et0w.SYS[WMILIB.SYS!WmiCompleteRequest] F0003284
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8A6121F8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\usbohci \Device\USBPDO-0 8A464500
Device \Driver\PCI_PNP2478 \Device\00000051 spfj.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 8A6821F8
Device \Driver\dmio \Device\DmControl\DmConfig 8A6821F8
Device \Driver\dmio \Device\DmControl\DmPnP 8A6821F8
Device \Driver\dmio \Device\DmControl\DmInfo 8A6821F8
Device \Driver\usbehci \Device\USBPDO-1 8A46B500
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
Device \Driver\Ftdisk \Device\HarddiskVolume1 8A6141F8
Device \Driver\sptd \Device\3647217478 spfj.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 8A6141F8
Device \Driver\Cdrom \Device\CdRom0 8A39F500
Device \Driver\Ftdisk \Device\HarddiskVolume3 8A6141F8
Device \Driver\Cdrom \Device\CdRom1 8A39F500
Device \Driver\atapi \Device\Ide\IdePort0 8A6131F8
Device \Driver\atapi \Device\Ide\IdePort1 8A6131F8
Device \Driver\atapi \Device\Ide\IdePort2 8A6131F8
Device \Driver\atapi \Device\Ide\IdePort3 8A6131F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 8A6131F8
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 8A6131F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A349500
Device \Driver\NetBT \Device\NetbiosSmb 8A349500
Device \Driver\usbohci \Device\USBFDO-0 8A464500
Device \Driver\usbehci \Device\USBFDO-1 8A46B500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 896A61F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 896A61F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{745265EB-1035-4202-9F12-E06EE5F1D06A} 8A349500
Device \Driver\Ftdisk \Device\FtControl 8A6141F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{DA7ADB04-7C36-4CC1-AF31-ED9E441529F2} 8A349500
Device \Driver\a4x3et0w \Device\Scsi\a4x3et0w1 8A3EC1F8
Device \Driver\a4x3et0w \Device\Scsi\a4x3et0w1Port4Path0Target0Lun0 8A3EC1F8
Device \FileSystem\Cdfs \Cdfs 8A4751F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x37 0x49 0xCD 0x55 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x91 0x28 0x79 0x44 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF5 0x4C 0x49 0x91 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x37 0x49 0xCD 0x55 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x91 0x28 0x79 0x44 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xF5 0x4C 0x49 0x91 ...
---- EOF - GMER 1.0.15 ----