Re: Re: COMPUTER STARTED RUNNING VERY SLOWLY.
GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-27 12:16:04
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.15 ----
SSDT spcs.sys ZwCreateKey [0xF730A0E0]
SSDT F7C48844 ZwCreateThread
SSDT spcs.sys ZwEnumerateKey [0xF7327CA2]
SSDT spcs.sys ZwEnumerateValueKey [0xF7328030]
SSDT spcs.sys ZwOpenKey [0xF730A0C0]
SSDT F7C48830 ZwOpenProcess
SSDT F7C48835 ZwOpenThread
SSDT spcs.sys ZwQueryKey [0xF7328108]
SSDT spcs.sys ZwQueryValueKey [0xF7327F88]
SSDT spcs.sys ZwSetValueKey [0xF732819A]
SSDT F7C4883F ZwTerminateProcess
SSDT F7C4883A ZwWriteVirtualMemory
INT 0x62 ? 86D68BF8
INT 0x82 ? 86D68BF8
INT 0xB4 ? 86AE2BF8
INT 0xB4 ? 86AE2BF8
---- Kernel code sections - GMER 1.0.15 ----
? spcs.sys The system cannot find the file specified. !
.text USBPORT.SYS!DllUnload F683C8AC 5 Bytes JMP 86AE21D8
.text a0h3kmdv.SYS F674B384 1 Byte [20]
.text a0h3kmdv.SYS F674B384 37 Bytes [20, 00, 00, 68, 00, 00, 00, …]
.text a0h3kmdv.SYS F674B3AA 24 Bytes [00, 00, 20, 00, 00, E0, 00, …]
.text a0h3kmdv.SYS F674B3C4 3 Bytes [00, 00, 00]
.text a0h3kmdv.SYS F674B3C9 1 Byte [00]
.text …
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F730B040] spcs.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F730B13C] spcs.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F730B0BE] spcs.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F730B7FC] spcs.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F730B6D2] spcs.sys
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!KfAcquireSpinLock] 00000034
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!READ_PORT_UCHAR] 0000008E
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!KeGetCurrentIrql] 00000043
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!KfRaiseIrql] 00000044
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!KfLowerIrql] 000000C4
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!HalGetInterruptVector] 000000DE
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!HalTranslateBusAddress] 000000E9
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!KeStallExecutionProcessor] 000000CB
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!KfReleaseSpinLock] 00000054
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 0000007B
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!READ_PORT_USHORT] 00000094
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 00000032
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[HAL.dll!WRITE_PORT_UCHAR] 000000A6
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[WMILIB.SYS!WmiSystemControl] 00000023
IAT \SystemRoot\System32\Drivers\a0h3kmdv.SYS[WMILIB.SYS!WmiCompleteRequest] 0000003D
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Fastfat \FatCdrom 86D671F8
AttachedDevice \Driver\Tcpip \Device\Ip avfwot.sys (TDI filtering kernel driver/Avira GmbH)
Device \Driver\usbuhci \Device\USBPDO-0 86B591F8
Device \Driver\usbehci \Device\USBPDO-1 86A311F8
Device \Driver\dmio \Device\DmControl\DmIoDaemon 86DD81F8
Device \Driver\dmio \Device\DmControl\DmConfig 86DD81F8
Device \Driver\dmio \Device\DmControl\DmPnP 86DD81F8
Device \Driver\dmio \Device\DmControl\DmInfo 86DD81F8
Device \Driver\PCI_PNP7718 \Device\00000055 spcs.sys
AttachedDevice \Driver\Tcpip \Device\Tcp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
Device \Driver\Ftdisk \Device\HarddiskVolume1 86D691F8
Device \Driver\Ftdisk \Device\HarddiskVolume2 86D691F8
Device \Driver\Cdrom \Device\CdRom0 86A88500
Device \Driver\Ftdisk \Device\HarddiskVolume3 86D691F8
Device \Driver\Cdrom \Device\CdRom1 86A88500
Device \Driver\NetBT \Device\NetBT_Tcpip_{11BD6EB6-C0DE-41CD-8455-DEE482CA4083} 86947500
Device \Driver\NetBT \Device\NetBt_Wins_Export 86947500
Device \Driver\NetBT \Device\NetbiosSmb 86947500
AttachedDevice \Driver\Tcpip \Device\Udp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
AttachedDevice \Driver\Tcpip \Device\RawIp avfwot.sys (TDI filtering kernel driver/Avira GmbH)
Device \Driver\sptd \Device\2507090218 spcs.sys
Device \Driver\usbuhci \Device\USBFDO-0 86B591F8
Device \Driver\usbehci \Device\USBFDO-1 86A311F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 86B671F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 86B671F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{8CF33562-65EC-43D1-9720-278EE0D512A5} 86947500
Device \Driver\Ftdisk \Device\FtControl 86D691F8
Device \Driver\a0h3kmdv \Device\Scsi\a0h3kmdv1 86951500
Device \Driver\a0h3kmdv \Device\Scsi\a0h3kmdv1Port2Path0Target0Lun0 86951500
Device \FileSystem\Fastfat \Fat 86D671F8
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 8686B1F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Минипорт WAN (L2TP) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Минипорт WAN (PPTP) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Минипорт WAN (PPPoE) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Прямой параллельный порт 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Минипорт WAN (IP) 1?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Минипорт WAN (планировщик пакетов) 1?2?3?
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Alcohol 120% 1.9.7.6022\Alcohol 120
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x95 0xD7 0x59 0x93 …
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 …
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xCE 0xA4 0x35 0xAE …
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xF7 0x2F 0xE0 0xF0 …
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Alcohol 120% 1.9.7.6022\Alcohol 120
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x95 0xD7 0x59 0x93 …
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 …
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xCE 0xA4 0x35 0xAE …
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xF7 0x2F 0xE0 0xF0 …
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Минипорт WAN (L2TP) 1?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Минипорт WAN (PPTP) 1?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Минипорт WAN (PPPoE) 1?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Прямой параллельный порт 1?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Минипорт WAN (IP) 1?
Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@Минипорт WAN (планировщик пакетов) 1?2?3?
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 D:\Alcohol 120% 1.9.7.6022\Alcohol 120
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x95 0xD7 0x59 0x93 …
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 …
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xCE 0xA4 0x35 0xAE …
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xF7 0x2F 0xE0 0xF0 …
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@appinit_dlls
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A6C514F6-D7D8-F038-464A-0AAE17B106DE}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A6C514F6-D7D8-F038-464A-0AAE17B106DE}@japeajgiohefniblbipd 0x6B 0x61 0x64 0x67 …
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A6C514F6-D7D8-F038-464A-0AAE17B106DE}@iafaghhpjphbpdcief 0x6B 0x61 0x64 0x67 …
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 sector 62: copy of MBR
---- EOF - GMER 1.0.15 ----
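The post above is the raw log with no commentary. As an added example (not part of the post and not GMER's own code), the Python below parses a GMER 1.0.15 log into its sections and lists the entries a responder would attribute by hand first: SSDT hooks whose owner column is a bare address rather than a module name, a loaded module whose file GMER could not open (the line beginning with `?`), inline `JMP` patches in kernel code, and values under `Shell Extensions\Approved` whose name is not a CLSID. It assumes GMER's native layout, in which the fields of a line are separated by runs of two or more spaces (the pasted copy above has those runs collapsed to one), and the embedded excerpt is constructed in that layout from a few of the lines above. The categories it emits are heuristics for follow-up, not verdicts: a bare-address SSDT hook is as likely to belong to a security product as to a rootkit until someone maps the address to a driver.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER's own code).
Expects GMER's native layout: fields within a line are separated by two or more spaces."""
import re
from collections import defaultdict

# Constructed excerpt in GMER's layout, cut down from the posted log; sample input only.
SAMPLE_LOG = r"""GMER 1.0.15.14944 - http://www.gmer.net
Rootkit scan 2009-03-27 12:16:04
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.15 ----

SSDT  spcs.sys  ZwCreateKey [0xF730A0E0]
SSDT  F7C48844  ZwCreateThread
SSDT  spcs.sys  ZwEnumerateKey [0xF7327CA2]
SSDT  F7C48830  ZwOpenProcess
SSDT  F7C4883A  ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

?  spcs.sys  The system cannot find the file specified. !
.text  USBPORT.SYS!DllUnload  F683C8AC 5 Bytes  JMP 86AE21D8

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0  D:\Alcohol 120% 1.9.7.6022\Alcohol 120
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A6C514F6-D7D8-F038-464A-0AAE17B106DE}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{A6C514F6-D7D8-F038-464A-0AAE17B106DE}@japeajgiohefniblbipd  0x6B 0x61 0x64 0x67 ...

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER ")
HEX_ADDR_RE = re.compile(r"^[0-9A-Fa-f]{8}$")
GUID_RE = re.compile(r"^\{[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}\}$")
FIELD_SPLIT_RE = re.compile(r"\s{2,}")


def parse_sections(text):
    """Split a GMER log into {section name: [list of fields per line]}."""
    sections = defaultdict(list)
    current = "Header"  # lines before the first '---- ... ----' banner
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        sections[current].append(FIELD_SPLIT_RE.split(line))
    return sections


def ssdt_hooks_by_owner(text):
    """Map each SSDT hook owner (a module name, or the bare address when GMER could
    not attribute the hook to a module) to its hooked Zw* functions, in log order."""
    owners = defaultdict(list)
    for fields in parse_sections(text).get("System", []):
        if fields[0] == "SSDT" and len(fields) >= 3:
            owners[fields[1]].append(fields[2].split()[0])
    return dict(owners)


def triage(text):
    """Return (category, detail) pairs that deserve a manual look. Heuristics only."""
    findings = []
    sections = parse_sections(text)

    # SSDT  <owner>  <ZwXxx> [0x...]: owner is a module name, or the raw hook
    # address when GMER found no loaded module covering it.
    for fields in sections.get("System", []):
        if fields[0] == "SSDT" and len(fields) >= 3:
            owner, func = fields[1], fields[2].split()[0]
            if HEX_ADDR_RE.match(owner):
                findings.append(("ssdt-unattributed", f"{func} -> {owner}"))

    for fields in sections.get("Kernel code sections", []):
        # "?  <module>  <error> !": a loaded module whose file GMER could not open.
        if fields[0] == "?" and len(fields) >= 3:
            findings.append(("module-file-missing", f"{fields[1]}: {fields[2].rstrip(' !')}"))
        # ".text  <module!symbol>  <addr> N Bytes  JMP <target>": inline code patch.
        elif fields[0] == ".text" and fields[-1].startswith("JMP "):
            findings.append(("inline-patch", f"{fields[1]} {fields[-1]}"))

    for fields in sections.get("Registry", []):
        if fields[0] != "Reg" or len(fields) < 2:
            continue
        key, _, value = fields[1].rpartition("@")
        if not key:  # no '@': a key line rather than a value line
            continue
        # Shell Extensions\Approved normally holds values named by CLSID; a value
        # with an arbitrary name (and binary data) under it is worth a look.
        if "\\Shell Extensions\\Approved\\" in key and not GUID_RE.match(value):
            findings.append(("shellext-odd-value", f"{key}@{value}"))
    return findings


if __name__ == "__main__":
    for category, detail in triage(SAMPLE_LOG):
        print(f"[{category}] {detail}")
```

Run it directly to print the findings for the embedded excerpt, or pass a full log read from disk to `triage()` and `ssdt_hooks_by_owner()`. The owner map is the useful half of the SSDT check: hooks grouped under one bare address range usually come from one driver, so attributing a single address (by looking it up against the loaded-module list in a kernel debugger or GMER's own Modules view) clears the whole group.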

