Senior Member
Joined: Jul 2001
Posts: 9947
Mr. Gmer has finished too
Quote:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-02-04 15:35:26
Windows 6.0.6002 Service Pack 2
Running: xkl0wn9s.exe; Driver: C:\Users\DeLL\AppData\Local\Temp\agrdrpow.sys
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0x9CFE11DE]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0x9CFE122A]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0x9CFE15D0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0x9CFE1478]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0x9CFE12D0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0x9CFE118E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0x9CFE1770]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0x9CFE136E]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0x9CFE13B8]
INT 0x51 ? 858A7F00
INT 0x51 ? 858A7F00
INT 0x52 ? 858A7F00
INT 0x72 ? 84086BF8
INT 0x72 ? 84086BF8
INT 0x72 ? 84086BF8
INT 0x72 ? 858A7F00
INT 0x72 ? 858A7F00
INT 0x72 ? 84086BF8
INT 0x82 ? 84086BF8
INT 0x92 ? 84086BF8
INT 0xB3 ? 858A7F00
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!KeSetEvent + 221 81CAD964 4 Bytes [2A, 12, FE, 9C]
.text ntkrnlpa.exe!KeSetEvent + 3F1 81CADB34 4 Bytes [D0, 15, FE, 9C]
.text ntkrnlpa.exe!KeSetEvent + 40D 81CADB50 4 Bytes [78, 14, FE, 9C]
.text ntkrnlpa.exe!KeSetEvent + 431 81CADB74 4 Bytes [D0, 12, FE, 9C]
.text ntkrnlpa.exe!KeSetEvent + 56D 81CADCB0 4 Bytes [8E, 11, FE, 9C]
.text ...
? System32\Drivers\spdj.sys Impossibile trovare il percorso specificato. !
.text USBPORT.SYS!DllUnload 87D5B41B 5 Bytes JMP 858A74E0
.text abd4v5gt.SYS 87D91000 22 Bytes [82, 13, FC, 81, 6C, 12, FC, ...]
.text abd4v5gt.SYS 87D91017 45 Bytes [00, 32, A7, 78, 80, 3D, A5, ...]
.text abd4v5gt.SYS 87D91045 135 Bytes [7A, CA, 81, FD, F9, C3, 81, ...]
.text abd4v5gt.SYS 87D910CE 10 Bytes [00, 00, 00, 00, 00, 00, C9, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; LEAVE ; HLT ; POP ESP; DEC EDX}
.text abd4v5gt.SYS 87D910DA 12 Bytes [00, 00, 02, 00, 00, 00, 24, ...]
.text ...
---- User code sections - GMER 1.0.15 ----
.text C:\Program Files\a-squared Free\a2service.exe[324] kernel32.dll!CreateThread + 1A 76F5C928 4 Bytes CALL 0045495D C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
.text C:\Windows\Explorer.EXE[3416] ntdll.dll!NtWriteFile 77295644 5 Bytes JMP 745F5CA0 C:\Windows\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Windows\Explorer.EXE[3416] kernel32.dll!CreateThread 76F5C90E 5 Bytes JMP 745F5350 C:\Windows\system32\PxSecure.dll (Prevx Security Library/Prevx)
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8068E6D6] \SystemRoot\System32\Drivers\spdj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8068E042] \SystemRoot\System32\Drivers\spdj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8068E800] \SystemRoot\System32\Drivers\spdj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8068E0C0] \SystemRoot\System32\Drivers\spdj.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8068E13E] \SystemRoot\System32\Drivers\spdj.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8069DB90] \SystemRoot\System32\Drivers\spdj.sys
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortNotification] CC358B04
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortWritePortUchar] 8387DB7F
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortWritePortUlong] 458B38C6
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortGetPhysicalAddress] A5A5A514
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] [100D8BA5] \Program Files\DAEMON Tools Lite\Engine.dll (Helper library/DT Soft Ltd)
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortGetScatterGatherList] 5F87DB50
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortReadPortUchar] 30810889
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortStallExecution] 54771129
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortGetParentBusType] 10C25D5E
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortRequestCallback] 8B55CC00
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 084D8BEC
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortGetUnCachedExtension] 0CF0918B
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortCompleteRequest] 458B0000
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortMoveMemory] 8B108910
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 000CF491
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 04508900
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 053C7980
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortReadPortUshort] 560C558B
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortReadPortBufferUshort] C6127557
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortInitialize] B18D0502
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortGetDeviceBase] 00000CF8
IAT \SystemRoot\System32\Drivers\abd4v5gt.SYS[ataport.SYS!AtaPortDeviceStateChange] A508788D
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\a-squared Free\a2service.exe[324] @ C:\Windows\system32\shell32.dll [KERNEL32.dll!QueueUserWorkItem] [00454AB4] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
IAT C:\Program Files\a-squared Free\a2service.exe[324] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!QueueUserWorkItem] [00454AB4] C:\Program Files\a-squared Free\a2service.exe (a-squared Service/Emsi Software GmbH)
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 84A1C1F8
Device \FileSystem\fastfat \FatCdrom 86848500
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF dinamico/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 pxkbf.sys (Prevx Keyboard Security/Prevx)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF dinamico/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 pxkbf.sys (Prevx Keyboard Security/Prevx)
Device \Driver\volmgr \Device\VolMgrControl 840881F8
Device \Driver\usbuhci \Device\USBPDO-0 858761F8
Device \Driver\PCI_PNP3113 \Device\00000051 spdj.sys
Device \Driver\usbuhci \Device\USBPDO-1 858761F8
Device \Driver\usbehci \Device\USBPDO-2 85895500
Device \Driver\usbuhci \Device\USBPDO-3 858761F8
Device \Driver\usbuhci \Device\USBPDO-4 858761F8
AttachedDevice \Driver\tdx \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)
Device \Driver\usbuhci \Device\USBPDO-5 858761F8
Device \Driver\usbehci \Device\USBPDO-6 85895500
Device \Driver\volmgr \Device\HarddiskVolume1 840881F8
Device \Driver\volmgr \Device\HarddiskVolume2 840881F8
Device \Driver\cdrom \Device\CdRom0 859F71F8
Device \Driver\volmgr \Device\HarddiskVolume3 840881F8
Device \Driver\cdrom \Device\CdRom1 859F71F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 84A1A1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 84A1A1F8
Device \Driver\atapi \Device\Ide\IdePort0 84A1A1F8
Device \Driver\atapi \Device\Ide\IdePort1 84A1A1F8
Device \Driver\atapi \Device\Ide\IdePort2 84A1A1F8
Device \Driver\atapi \Device\Ide\IdePort3 84A1A1F8
Device \Driver\atapi \Device\Ide\IdePort4 84A1A1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel0 84A1B1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel1 84A1B1F8
Device \Driver\msahci \Device\Ide\PciIde1Channel2 84A1B1F8
Device \Driver\volmgr \Device\HarddiskVolume4 840881F8
Device \Driver\volmgr \Device\HarddiskVolume5 840881F8
Device \Driver\netbt \Device\NetBt_Wins_Export 85DF11F8
Device \Driver\netbt \Device\NetBT_Tcpip_{CF8354D3-9997-4E11-A8C8-943BB5D5B54A} 85DF11F8
Device \Driver\Smb \Device\NetbiosSmb 85E14500
Device \Driver\iScsiPrt \Device\RaidPort0 8408B1F8
Device \Driver\usbuhci \Device\USBFDO-0 858761F8
Device \Driver\usbuhci \Device\USBFDO-1 858761F8
Device \Driver\netbt \Device\NetBT_Tcpip_{9C057DAB-88C9-4F6E-83A5-83EF426154D1} 85DF11F8
Device \Driver\usbehci \Device\USBFDO-2 85895500
Device \Driver\usbuhci \Device\USBFDO-3 858761F8
Device \Driver\usbuhci \Device\USBFDO-4 858761F8
Device \Driver\usbuhci \Device\USBFDO-5 858761F8
Device \Driver\usbehci \Device\USBFDO-6 85895500
Device \Driver\sptd \Device\2039641131 spdj.sys
Device \Driver\abd4v5gt \Device\Scsi\abd4v5gt1 840891F8
Device \Driver\abd4v5gt \Device\Scsi\abd4v5gt1Port8Path0Target0Lun0 840891F8
Device \FileSystem\fastfat \Fat 86848500
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Gestione filtri file system Microsoft/Microsoft Corporation)
Device \FileSystem\cdfs \Cdfs 8781B1F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE2 0x33 0xDA 0x36 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0B 0x7A 0xF6 0xEC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0F 0x98 0x42 0xCF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE2 0x33 0xDA 0x36 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0B 0x7A 0xF6 0xEC ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x0F 0x98 0x42 0xCF ...
---- EOF - GMER 1.0.15 ----