GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-20 14:42:15
Windows 6.0.6000 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD32 rev.11.0
Running: d50tthlv.exe; Driver: C:\Users\Ania\AppData\Local\Temp\kwrdrpow.sys

---- System - GMER 1.0.15 ----

INT 0x51 ? 86EEBBF8
INT 0x52 ? 86EEBBF8
INT 0x62 ? 84B90BF8
INT 0x72 ? 84B90BF8
INT 0x92 ? 8551EBF8
INT 0x92 ? 86EEBBF8
INT 0x92 ? 8551EBF8
INT 0xA2 ? 86EEBBF8
INT 0xA3 ? 86EEBBF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\spak.sys System nie może odnaleźć określonej ścieżki. !
.text USBPORT.SYS!DllUnload 8E472FEB 5 Bytes JMP 86EEB1D8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2084] kernel32.dll!SetUnhandledExceptionFilter 770CD177 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\OO Software\Defrag\oodag.exe[2276] kernel32.dll!SetUnhandledExceptionFilter 770CD177 5 Bytes JMP 00402FB0 C:\Program Files\OO Software\Defrag\oodag.exe (O&O Defrag Agent (Win32)/O&O Software GmbH)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] ntdll.dll!LdrLoadDll 7726EB00 5 Bytes JMP 63955B00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] kernel32.dll!ActivateActCtx + 2C 770C7379 7 Bytes JMP 63B97B35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] kernel32.dll!VirtualQuery + 24 770CD172 7 Bytes JMP 6395EF12 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] kernel32.dll!VirtualAllocEx + 54 770E9BC5 7 Bytes JMP 63B97B58 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3820] GDI32.dll!SetTextAlign + E6 75F17EEF 7 Bytes JMP 63B97AB6 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [807016D6] \SystemRoot\System32\Drivers\spak.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80701042] \SystemRoot\System32\Drivers\spak.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80701800] \SystemRoot\System32\Drivers\spak.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [807010C0] \SystemRoot\System32\Drivers\spak.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8070113E] \SystemRoot\System32\Drivers\spak.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [80710E9C] \SystemRoot\System32\Drivers\spak.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7332FBC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [732FB9AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [732EA31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [732ECBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [732E8AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [732FCF28] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [732E7D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [732E7CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [732E6A64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7337C1D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73307F56] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [732E90CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [732F2179] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [732F21A4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [732F7F1C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [732F7D3E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2044] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [733283D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 855211F8
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
Device \Driver\volmgr \Device\VolMgrControl 8551C1F8
Device \Driver\usbuhci \Device\USBPDO-0 86EFB500
Device \Driver\usbuhci \Device\USBPDO-1 86EFB500
Device \Driver\usbehci \Device\USBPDO-2 86FF71F8
Device \Driver\usbuhci \Device\USBPDO-3 86EFB500
Device \Driver\usbuhci \Device\USBPDO-4 86EFB500
AttachedDevice \Driver\tdx \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
Device \Driver\usbuhci \Device\USBPDO-5 86EFB500
Device \Driver\usbehci \Device\USBPDO-6 86FF71F8
Device \Driver\volmgr \Device\HarddiskVolume1 8551C1F8
Device \Driver\volmgr \Device\HarddiskVolume2 8551C1F8
Device \Driver\cdrom \Device\CdRom0 86F5C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8551F1F8
Device \Driver\iaStor \Device\Ide\iaStor0 [8237FD30] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 8551F1F8
Device \Driver\atapi \Device\Ide\IdePort1 8551F1F8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8237FD30] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\volmgr \Device\HarddiskVolume3 8551C1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{0416E862-C9D6-43FF-8A8D-4168D8740C35} 8890A1F8
Device \Driver\netbt \Device\NetBt_Wins_Export 8890A1F8
Device \Driver\Smb \Device\NetbiosSmb 8890D1F8
Device \Driver\iScsiPrt \Device\RaidPort0 86EFD500
Device \Driver\netbt \Device\NetBT_Tcpip_{EF4CF1A1-60FC-4319-BA2A-EE37289A34F8} 8890A1F8
Device \Driver\usbuhci \Device\USBFDO-0 86EFB500
Device \Driver\usbuhci \Device\USBFDO-1 86EFB500
Device \Driver\usbehci \Device\USBFDO-2 86FF71F8
Device \Driver\usbuhci \Device\USBFDO-3 86EFB500
Device \Driver\usbuhci \Device\USBFDO-4 86EFB500
Device \Driver\usbuhci \Device\USBFDO-5 86EFB500
Device \Driver\usbehci \Device\USBFDO-6 86FF71F8
Device \FileSystem\cdfs \Cdfs 8890C1F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x20 0x01 0x6F 0xBB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x20 0x01 0x6F 0xBB ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG14.00.00.01PROFESSIONAL A0126EFB8AA8D99DAF86A1D2CCC8A717D51B14A34C3CA4950F1E1640C439F7CB406EDAA4897D3B67E77389401A95B2EB18A99ADA052C521840BD0EFD9EEE9B58D1B065F583FE3ED3A21C7860EEF318FEB37415C95C71FB42B368ED5D01C246AF624B5E9F0B95494FBC8975C33836066C733CDD833D643081BE3B069074380EB278CF2A94650E184885E7993D1C1079D216E4E25A4946D349AF7339FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C5D575E7D6A3B9808A2D97226D213B5558EDD5E5BE2F6E6679DB7CE019D40AA5CF9CFA3E7EC01C8D368BB45BC798F1081E14848F64D2C8FA3A836648360B846E2E80EC48555A848A8DD479C209E8D249077BDC28F38F2C327A272EA0FE68DEB00102266141834440D17ABF457C03175D62240A62A58D94E7C2F6D53215E7A057F5AE9158C6D9AF96602C1653F687F19B0F0C8342B2A11BF911D59A243D07FB906F873423A12454B30CF17E609A26FCA8CB47D8DC52A3D4BEC009EC6CDCE8CD8CD5F83C23D4691BF79756A5A3980EA6A6C83BDBA05DBF64A242FD591706B06D0A5C69050884FD27FE12C3180279AD1F869B99A284746C93664C44E352EBF46B86BAA4688E476CE58A27093818187F51F2E7259243D74B4B0EE9F8ACBDC66994796CA046C6E86BEBC0584EEE448671F267A13F2616CF

---- EOF - GMER 1.0.15 ----