GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-03-06 19:43:56 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD1002FAEX-00Z3A0 rev.05.01D05 Running: luq4912h.exe; Driver: C:\Users\Mac\AppData\Local\Temp\pxldqpow.sys ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKey + 13D1 83077349 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830B0D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ? System32\Drivers\spsa.sys System nie może odnaleźć określonej ścieżki. ! .text USBPORT.SYS!DllUnload 8F96ED81 5 Bytes JMP 86432438 .text alu9c4q0.SYS 91D76000 2 Bytes [44, 78] .text alu9c4q0.SYS 91D76003 9 Bytes [83, EE, 76, 00, 83, A0, 57, ...] {SUB ESI, 0x76; ADD [EBX-0x7cffa860], AL} .text alu9c4q0.SYS 91D7600D 9 Bytes [57, 00, 83, 48, 7B, 00, 83, ...] {PUSH EDI; ADD [EBX-0x7cff84b8], AL; ADD [EAX], AL} .text alu9c4q0.SYS 91D76017 170 Bytes [00, DE, D7, F8, 88, E6, D5, ...] .text alu9c4q0.SYS 91D760C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL} .text ... ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[1620] ntdll.dll!LdrLoadDll 77A922B8 4 Bytes JMP 64775B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1848] kernel32.dll!SetUnhandledExceptionFilter 75ECF4FB 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2576] USER32.dll!SetWindowLongA 75F98BA3 5 Bytes JMP 64B601A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2576] USER32.dll!SetWindowLongW 75FA4449 5 Bytes JMP 64B60135 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2576] USER32.dll!GetWindowInfo 75FA4B5E 5 Bytes JMP 648F0924 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2576] USER32.dll!TrackPopupMenu 75FB2228 5 Bytes JMP 648F0ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88E91042] \SystemRoot\System32\Drivers\spsa.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88E916D6] \SystemRoot\System32\Drivers\spsa.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [88E91800] \SystemRoot\System32\Drivers\spsa.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [88E9113E] \SystemRoot\System32\Drivers\spsa.sys IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortNotification] 00147880 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortStallExecution] C25DC033 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortInitialize] 157B805E IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500 IAT \SystemRoot\System32\Drivers\alu9c4q0.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\system32\HPSIsvc.exe[1992] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75ABFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\HPSIsvc.exe[1992] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75ABFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\HPSIsvc.exe[1992] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75ABFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\HPSIsvc.exe[1992] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75ABFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\HPSIsvc.exe[1992] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [75ABFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\system32\HPSIsvc.exe[1992] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [75ABFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 852751F8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET) Device \Driver\volmgr \Device\VolMgrControl 852711F8 Device \Driver\usbuhci \Device\USBPDO-0 86176500 Device \Driver\usbuhci \Device\USBPDO-1 86176500 Device \Driver\usbuhci \Device\USBPDO-2 86176500 Device \Driver\usbehci \Device\USBPDO-3 866861F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{AE5A8848-A1E0-4CFB-A63F-65CFF3CA4134} 863431F8 Device \Driver\USBSTOR \Device\000000a0 862E1500 Device \Driver\usbuhci \Device\USBPDO-4 86176500 AttachedDevice \Driver\tdx \Device\Tcp epfwtdir.sys Device \Driver\USBSTOR \Device\000000a1 862E1500 Device \Driver\usbuhci \Device\USBPDO-5 86176500 Device \Driver\PCI_PNP8041 \Device\00000056 spsa.sys Device \Driver\usbuhci \Device\USBPDO-6 86176500 Device \Driver\volmgr \Device\HarddiskVolume1 852711F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\usbehci \Device\USBPDO-7 866861F8 Device \Driver\volmgr \Device\HarddiskVolume2 852711F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom0 862A31F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 852731F8 Device \Driver\atapi \Device\Ide\IdePort0 852731F8 Device \Driver\atapi \Device\Ide\IdePort1 852731F8 Device \Driver\atapi \Device\Ide\IdePort2 852731F8 Device \Driver\atapi \Device\Ide\IdePort3 852731F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 852731F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-5 852731F8 Device \Driver\volmgr \Device\HarddiskVolume3 852711F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom1 862A31F8 Device \Driver\sptd \Device\3593042042 spsa.sys Device \Driver\volmgr \Device\HarddiskVolume4 852711F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume5 852711F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume6 852711F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume6 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\volmgr \Device\HarddiskVolume7 852711F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume7 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\NetBT \Device\NetBt_Wins_Export 863431F8 Device \Driver\USBSTOR \Device\00000079 862E1500 Device \Driver\ACPI_HAL \Device\0000004e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\usbuhci \Device\USBFDO-0 86176500 Device \Driver\USBSTOR \Device\0000007a 862E1500 Device \Driver\usbuhci \Device\USBFDO-1 86176500 Device \Driver\usbuhci \Device\USBFDO-2 86176500 Device \Driver\usbehci \Device\USBFDO-3 866861F8 Device \Driver\usbuhci \Device\USBFDO-4 86176500 Device \Driver\usbuhci \Device\USBFDO-5 86176500 Device \Driver\usbuhci \Device\USBFDO-6 86176500 Device \Driver\usbehci \Device\USBFDO-7 866861F8 Device \Driver\volmgr \Device\HarddiskVolume11 852711F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume11 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) Device \Driver\alu9c4q0 \Device\Scsi\alu9c4q01Port4Path0Target0Lun0 866F91F8 Device \Driver\alu9c4q0 \Device\Scsi\alu9c4q01 866F91F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x21 0x3B 0x95 0xE1 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x47 0xE4 0xE0 0x25 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x17 0xC2 0x75 0xFF ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x21 0x3B 0x95 0xE1 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x47 0xE4 0xE0 0x25 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x17 0xC2 0x75 0xFF ... ---- EOF - GMER 1.0.15 ----