GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-15 22:02:23 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0001 465,76GB Running: r9quo9rl.exe; Driver: C:\Users\QBASZE~1\AppData\Local\Temp\pxldapow.sys ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1409 828709A5 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82890512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [72F324CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [72F1562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [72F156EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [72F32546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [72F285AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [72F24D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [72F25105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [72F251DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [72F26707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [72F28301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [72F28850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [72F290B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [72F2E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1532] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [72F24C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5ad59 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5ad59@001ea329bea3 0xB6 0x7A 0xFD 0x1E ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5ad59@0026683d5991 0xD6 0x4A 0xF9 0xD3 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5ad59@a87e33fcc68b 0xAF 0x02 0x8A 0xE7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5ad59@9c4a7b4ad430 0xEA 0x55 0x10 0xAC ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5ad59@c038f9a2ccc0 0x1E 0x31 0xF6 0x32 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5ad59@045a9523e1fa 0x46 0xF8 0x14 0xE8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5ad59@98d6f7a7eac0 0xFE 0x37 0xF7 0x3E ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5ad59@30f31d39a65a 0x80 0x21 0xC7 0x1F ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x19 0x55 0xC5 0x24 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x44 0xEE 0xFF 0xF2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4D 0xDD 0x8F 0xF8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x36 0xAC 0x80 0x39 ... Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1E6F1B28-0CC3-4E3F-BE83-6D665EA7ED33}@LeaseObtainedTime 1381865232 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1E6F1B28-0CC3-4E3F-BE83-6D665EA7ED33}@T1 1381865359 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1E6F1B28-0CC3-4E3F-BE83-6D665EA7ED33}@T2 1381865455 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{1E6F1B28-0CC3-4E3F-BE83-6D665EA7ED33}@LeaseTerminatesTime 1381865487 Reg HKLM\SYSTEM\CurrentControlSet\services\{1E6F1B28-0CC3-4E3F-BE83-6D665EA7ED33}\Parameters\Tcpip@LeaseObtainedTime 1381865232 Reg HKLM\SYSTEM\CurrentControlSet\services\{1E6F1B28-0CC3-4E3F-BE83-6D665EA7ED33}\Parameters\Tcpip@T1 1381865359 Reg HKLM\SYSTEM\CurrentControlSet\services\{1E6F1B28-0CC3-4E3F-BE83-6D665EA7ED33}\Parameters\Tcpip@T2 1381865455 Reg HKLM\SYSTEM\CurrentControlSet\services\{1E6F1B28-0CC3-4E3F-BE83-6D665EA7ED33}\Parameters\Tcpip@LeaseTerminatesTime 1381865487 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5ad59 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5ad59@001ea329bea3 0xB6 0x7A 0xFD 0x1E ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5ad59@0026683d5991 0xD6 0x4A 0xF9 0xD3 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5ad59@a87e33fcc68b 0xAF 0x02 0x8A 0xE7 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5ad59@9c4a7b4ad430 0xEA 0x55 0x10 0xAC ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5ad59@c038f9a2ccc0 0x1E 0x31 0xF6 0x32 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5ad59@045a9523e1fa 0x46 0xF8 0x14 0xE8 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5ad59@98d6f7a7eac0 0xFE 0x37 0xF7 0x3E ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5ad59@30f31d39a65a 0x80 0x21 0xC7 0x1F ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Programy\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x19 0x55 0xC5 0x24 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x44 0xEE 0xFF 0xF2 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4D 0xDD 0x8F 0xF8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x36 0xAC 0x80 0x39 ... ---- EOF - GMER 2.1 ----