GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-05-05 23:00:48 Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FBEO Running: qw51iujl.exe; Driver: C:\Users\MICHA~1\AppData\Local\Temp\pxldapoc.sys ---- System - GMER 1.0.15 ---- INT 0x52 ? 877BDCC8 INT 0x62 ? 877BDCC8 INT 0x72 ? 85571CC8 INT 0x72 ? 877BDCC8 INT 0x72 ? 877BDCC8 INT 0x72 ? 85571CC8 INT 0x82 ? 877BDCC8 INT 0xA2 ? 877BDCC8 INT 0xA2 ? 85569CC8 INT 0xA2 ? 85569CC8 INT 0xA2 ? 85569CC8 INT 0xA2 ? 85569CC8 INT 0xA2 ? 877BDCC8 INT 0xA2 ? 877BDCC8 ---- Kernel code sections - GMER 1.0.15 ---- .text sptd.sys 80696000 32 Bytes [9E, BF, 3D, 82, 60, 2F, 3D, ...] .text sptd.sys 80696024 4 Bytes [D2, 53, 7C, 80] .text sptd.sys 8069602C 196 Bytes [04, 3F, 21, 82, C9, 7A, 1C, ...] .text sptd.sys 806960F1 3 Bytes [8A, 06, 82] .text sptd.sys 806960F5 219 Bytes [86, 06, 82, C0, 43, 02, 82, ...] .text ... .sptd2 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd2" section [0x8078DD38] ? C:\Windows\System32\Drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F20A320, 0x3E4E87, 0xE8000020] .text USBPORT.SYS!DllUnload 8B1DA46F 5 Bytes JMP 877BD1D8 ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3444] USER32.dll!GetWindowInfo 76550560 5 Bytes JMP 60BA4822 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3444] USER32.dll!SetWindowLongA 76550736 5 Bytes JMP 60DB5EE6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3444] USER32.dll!SetWindowLongW 76551F35 5 Bytes JMP 60DB5E78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3444] USER32.dll!TrackPopupMenu 76561417 5 Bytes JMP 60BA4DD6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5744] ntdll.dll!LdrLoadDll 77807933 5 Bytes JMP 60A2C930 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5744] kernel32.dll!MapViewOfFile 766A7F30 5 Bytes JMP 60C5E083 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5744] kernel32.dll!VirtualAlloc 766AB86F 5 Bytes JMP 60C5E0AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[5744] GDI32.dll!CreateDIBSection 767475C0 5 Bytes JMP 60C5E00D C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [80697FE0] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [80697574] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [806970C0] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [806981BC] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806972A4] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [80697362] \SystemRoot\System32\Drivers\sptd.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806AC312] \SystemRoot\System32\Drivers\sptd.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 855941F8 Device \FileSystem\fastfat \FatCdrom 87313430 AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation) Device \Driver\netbt \Device\NetBT_Tcpip_{6F333765-C4DF-409D-9CE9-B2CB1868750F} 886AA1F8 Device \Driver\usbuhci \Device\USBPDO-0 8794A1F8 Device \Driver\usbuhci \Device\USBPDO-1 8794A1F8 Device \Driver\usbehci \Device\USBPDO-2 8794B1F8 Device \Driver\usbuhci \Device\USBPDO-3 8794A1F8 Device \Driver\usbuhci \Device\USBPDO-4 8794A1F8 Device \Driver\usbuhci \Device\USBPDO-5 8794A1F8 Device \Driver\usbuhci \Device\USBPDO-6 8794A1F8 Device \Driver\usbehci \Device\USBPDO-7 8794B1F8 Device \Driver\cdrom \Device\CdRom0 879181F8 Device \Driver\iaStor \Device\Ide\iaStor0 [8AC46EB0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8AC46EB0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [8AC46EB0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\netbt \Device\NetBt_Wins_Export 886AA1F8 Device \Driver\Smb \Device\NetbiosSmb 886B21F8 Device \Driver\netbt \Device\NetBT_Tcpip_{773B8C9E-4E1D-4E5E-97BF-BAA66F533195} 886AA1F8 Device \Driver\iScsiPrt \Device\RaidPort0 879561F8 Device \Driver\usbuhci \Device\USBFDO-0 8794A1F8 Device \Driver\netbt \Device\NetBT_Tcpip_{9A679A12-9A20-4A1B-82C2-BA18469303ED} 886AA1F8 Device \Driver\usbuhci \Device\USBFDO-1 8794A1F8 Device \Driver\usbehci \Device\USBFDO-2 8794B1F8 Device \Driver\BTHUSB \Device\000000ad bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation) Device \Driver\usbuhci \Device\USBFDO-3 8794A1F8 Device \Driver\usbuhci \Device\USBFDO-4 8794A1F8 Device \Driver\BTHUSB \Device\000000af bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation) Device \Driver\usbuhci \Device\USBFDO-5 8794A1F8 Device \Driver\usbuhci \Device\USBFDO-6 8794A1F8 Device \Driver\usbehci \Device\USBFDO-7 8794B1F8 Device \Driver\JMCR \Device\Scsi\JMCR1 878D71F8 Device \Driver\JMCR \Device\Scsi\JMCR2 878D71F8 Device \Driver\JMCR \Device\Scsi\JMCR3 878D71F8 Device \Driver\JMCR \Device\Scsi\JMCR4 878D71F8 Device \FileSystem\fastfat \Fat 87313430 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation) Device \FileSystem\cdfs \Cdfs 8959E1F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186bef833 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE0 0x59 0xEF 0x05 ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\002186bef833 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA6 0xD2 0x98 0x10 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x29 0x1B 0x4C 0x19 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x52 0xE0 0x65 0xF0 ... ---- EOF - GMER 1.0.15 ----