GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-10-10 07:06:37
Windows 5.1.2600 Szervizcsomag 3
Running: 6pbyehsy.exe; Driver: C:\DOCUME~1\Daisuke\LOCALS~1\Temp\fgdciaoc.sys

---- System - GMER 1.0.15 ----

SSDT 89484050 ZwAlertResumeThread
SSDT 88F56050 ZwAlertThread
SSDT 88E02338 ZwAllocateVirtualMemory
SSDT 88F54050 ZwAssignProcessToJobObject
SSDT 895ECED0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA7233210]
SSDT 88DFAA40 ZwCreateMutant
SSDT 88DF2528 ZwCreateSymbolicLinkObject
SSDT 895642B8 ZwCreateThread
SSDT 895AB050 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA7233490]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA72339F0]
SSDT 88E03970 ZwDuplicateObject
SSDT sptd.sys ZwEnumerateKey [0xB7EC3FB2]
SSDT sptd.sys ZwEnumerateValueKey [0xB7EC4340]
SSDT 88E00D00 ZwFreeVirtualMemory
SSDT 8957E050 ZwImpersonateAnonymousToken
SSDT 88ED7050 ZwImpersonateThread
SSDT 895DD2F0 ZwLoadDriver
SSDT 88E00C20 ZwMapViewOfSection
SSDT 895AC050 ZwOpenEvent
SSDT sptd.sys ZwOpenKey [0xB7EBE0B0]
SSDT 88E066A8 ZwOpenProcess
SSDT 895AE050 ZwOpenProcessToken
SSDT 89483050 ZwOpenSection
SSDT 88E03A40 ZwOpenThread
SSDT 88DF25F8 ZwProtectVirtualMemory
SSDT sptd.sys ZwQueryKey [0xB7EC4418]
SSDT sptd.sys ZwQueryValueKey [0xB7EC4298]
SSDT 895AD050 ZwResumeThread
SSDT 89485050 ZwSetContextThread
SSDT 88DFF638 ZwSetInformationProcess
SSDT 8957D050 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA7233C40]
SSDT 88F55050 ZwSuspendProcess
SSDT 8957F050 ZwSuspendThread
SSDT 89580050 ZwTerminateProcess
SSDT 88ED8050 ZwTerminateThread
SSDT 88F57050 ZwUnmapViewOfSection
SSDT 88E02268 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\sptd.sys A folyamat nem fér hozzá a fájlhoz, mert azt egy másik folyamat használja.
? SYMDS.SYS A rendszer nem találja a megadott fájlt. !
? SYMEFA.SYS A rendszer nem találja a megadott fájlt. !
.text USBPORT.SYS!DllUnload B7BBD8AC 5 Bytes JMP 89973770
? System32\Drivers\ata1v3o6.SYS A rendszer nem találja a megadott elérési utat. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[548] ntdll.dll!RtlValidateUnicodeString + 554 7C9163BE 10 Bytes JMP 01F2003A
.text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3592] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89A4A1E8
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\usbohci \Device\USBPDO-0 899681E8
Device \Driver\PCI_NTPNP2700 \Device\00000051 sptd.sys
Device \Driver\usbehci \Device\USBPDO-1 898FF1E8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 89A4C1E8
Device \Driver\dmio \Device\DmControl\DmConfig 89A4C1E8
Device \Driver\dmio \Device\DmControl\DmPnP 89A4C1E8
Device \Driver\dmio \Device\DmControl\DmInfo 89A4C1E8
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\Ftdisk \Device\HarddiskVolume1 899E11E8
Device \Driver\Ftdisk \Device\HarddiskVolume2 899E11E8
Device \Driver\Cdrom \Device\CdRom0 8993B1E8
Device \Driver\Ftdisk \Device\HarddiskVolume3 899E11E8
Device \Driver\Cdrom \Device\CdRom1 8993B1E8
Device \Driver\atapi \Device\Ide\IdePort0 [B7E12B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [B7E12B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B7E12B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B7E12B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [B7E12B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B7E12B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort4 [B7E12B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort5 [B7E12B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1f [B7E12B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 895D6560
Device \Driver\NetBT \Device\NetbiosSmb 895D6560
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{7567155E-A5BD-4F3D-940A-27F46FF6E246} 895D6560
Device \Driver\usbohci \Device\USBFDO-0 899681E8
Device \Driver\usbehci \Device\USBFDO-1 898FF1E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 895CE790
Device \FileSystem\MRxSmb \Device\LanmanRedirector 895CE790
Device \Driver\Ftdisk \Device\FtControl 899E11E8
Device \Driver\ata1v3o6 \Device\Scsi\ata1v3o61 899381E8
Device \Driver\ata1v3o6 \Device\Scsi\ata1v3o61Port6Path0Target0Lun0 899381E8
Device \FileSystem\Cdfs \Cdfs 88D7B790

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFB 0x55 0x02 0x09 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC9 0x5E 0x92 0xE7 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x43 0x09 0xDE 0xED ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xC1 0x28 0xB4 0x85 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x79 0xD9 0xFD 0x42 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xFF 0x9A 0xC4 0x11 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xFB 0x55 0x02 0x09 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xC9 0x5E 0x92 0xE7 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x43 0x09 0xDE 0xED ...

---- EOF - GMER 1.0.15 ----