GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-04 18:47:15 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEKT-00PVMT0 rev.01.01A01 298,09GB Running: ddliu8b5.exe; Driver: C:\Users\$\AppData\Local\Temp\kgldrpob.sys ---- System - GMER 2.1 ---- SSDT 99A53766 ZwCreateSection SSDT 99A53770 ZwRequestWaitReplyPort SSDT 99A5376B ZwSetContextThread SSDT 99A53775 ZwSetSecurityObject SSDT 99A5377A ZwSystemDebugControl SSDT 99A53707 ZwTerminateProcess ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 83281A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832BB212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 832C258C 4 Bytes [66, 37, A5, 99] {AAA ; MOVSD ; CDQ } .text ntkrnlpa.exe!KeRemoveQueueEx + 1553 832C28E8 4 Bytes [70, 37, A5, 99] {JO 0x39; MOVSD ; CDQ } .text ntkrnlpa.exe!KeRemoveQueueEx + 1597 832C292C 4 Bytes [6B, 37, A5, 99] {IMUL ESI, [EDI], -0x5b; CDQ } .text ntkrnlpa.exe!KeRemoveQueueEx + 1613 832C29A8 4 Bytes [75, 37, A5, 99] {JNZ 0x39; MOVSD ; CDQ } .text ntkrnlpa.exe!KeRemoveQueueEx + 1667 832C29FC 4 Bytes [7A, 37, A5, 99] {JP 0x39; MOVSD ; CDQ } .text ... .text sptd.sys 8B6A1001 31 Bytes [07, 21, 83, 34, A2, 21, 83, ...] .text sptd.sys 8B6A1024 164 Bytes [B5, FA, 2D, 83, 05, 40, 36, ...] .text sptd.sys 8B6A10C9 259 Bytes [CB, 27, 83, B8, 9F, 2B, 83, ...] .text sptd.sys 8B6A11D4 4 Bytes [F3, A5, 6A, 4D] {REP MOVSD ; PUSH 0x4d} .text sptd.sys 8B6A11DC 1 Byte [02] .text ... .sptd2 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd2" section [0x8B74B9E3] ? C:\Windows\System32\Drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. ? C:\Users\$\AppData\Local\Temp\mbr.sys Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[3704] ntdll.dll!LdrGetProcedureAddress + 26 77DC22A9 7 Bytes JMP 62B3E210 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3704] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 761D941E 7 Bytes JMP 633022AA C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3704] kernel32.dll!QueryPerformanceCounter + 13 761DC425 7 Bytes JMP 633022CD C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3704] kernel32.dll!LoadAppInitDlls + 355 761DF4E6 7 Bytes JMP 62B42C10 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3704] GDI32.dll!GetViewportOrgEx + 26C 77F4884B 7 Bytes JMP 6330222B C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746724CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [7465562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [746556EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74672546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [746685AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74664D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74665105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [746651DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74666707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74668301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74668850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [746690B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7466E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[1848] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74664C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [746724CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [7465562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [746556EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [74672546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [746685AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [74664D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [74665105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [746651DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74666707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [74668301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [74668850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [746690B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [7466E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\explorer.exe[5764] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [74664C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 859721E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{2D8041B8-1A76-4F71-9EF5-7F72C6DF770C} 86A971E8 Device \Driver\usbuhci \Device\USBPDO-0 86CD01E8 Device \Driver\usbuhci \Device\USBPDO-1 86CD01E8 Device \Driver\usbuhci \Device\USBPDO-2 86CD01E8 Device \Driver\usbehci \Device\USBPDO-3 86CE7430 Device \Driver\usbuhci \Device\USBPDO-4 86CD01E8 AttachedDevice \Driver\tdx \Device\Tcp prio.sys AttachedDevice \Driver\tdx \Device\Tcp ntkrnlpa.exe Device \Driver\usbuhci \Device\USBPDO-5 86CD01E8 Device \Driver\usbuhci \Device\USBPDO-6 86CD01E8 Device \Driver\usbehci \Device\USBPDO-7 86CE7430 Device \Driver\cdrom \Device\CdRom0 86A5F1E8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8596E1E8 Device \Driver\atapi \Device\Ide\IdePort0 8596E1E8 Device \Driver\atapi \Device\Ide\IdePort1 8596E1E8 Device \Driver\atapi \Device\Ide\IdePort2 8596E1E8 Device \Driver\atapi \Device\Ide\IdePort3 8596E1E8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 8596E1E8 Device \Driver\msahci \Device\Ide\PciIde0Channel0 8596F1E8 Device \Driver\msahci \Device\Ide\PciIde0Channel1 8596F1E8 Device \Driver\msahci \Device\Ide\PciIde0Channel4 8596F1E8 Device \Driver\msahci \Device\Ide\PciIde0Channel5 8596F1E8 Device \Driver\cdrom \Device\CdRom1 86A5F1E8 Device \Driver\PCI_PNP0661 \Device\00000069 sptd.sys Device \Driver\PCI_PNP0661 \Device\00000069 sptd.sys Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl 868EA1E8 Device \Driver\NetBT \Device\NetBt_Wins_Export 86A971E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{57C5C1E7-0F02-4655-83BA-4BF7571C48E1} 86A971E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{5BD1D015-9033-429C-ADDD-1A4DE66F6A4C} 86A971E8 AttachedDevice \Driver\tdx \Device\Udp prio.sys AttachedDevice \Driver\tdx \Device\Udp ntkrnlpa.exe Device \Driver\usbuhci \Device\USBFDO-0 86CD01E8 Device \Driver\usbuhci \Device\USBFDO-1 86CD01E8 Device \Driver\usbuhci \Device\USBFDO-2 86CD01E8 Device \Driver\usbehci \Device\USBFDO-3 86CE7430 Device \Driver\dtsoftbus01 \Device\0000007d 868EA1E8 Device \Driver\usbuhci \Device\USBFDO-4 86CD01E8 Device \Driver\usbuhci \Device\USBFDO-5 86CD01E8 Device \Driver\usbuhci \Device\USBFDO-6 86CD01E8 Device \Driver\usbehci \Device\USBFDO-7 86CE7430 Device \Driver\JMCR \Device\Scsi\JMCR4Port8Path0TargetffLun0 86DCC430 Device \Driver\a0r76c2t \Device\Scsi\a0r76c2t1 866B9430 Device \Driver\JMCR \Device\Scsi\JMCR1Port5Path0TargetffLun0 86DCC430 Device \Driver\JMCR \Device\Scsi\JMCR1 86DCC430 Device \Driver\JMCR \Device\Scsi\JMCR2 86DCC430 Device \Driver\JMCR \Device\Scsi\JMCR3 86DCC430 Device \Driver\JMCR \Device\Scsi\JMCR4 86DCC430 Device \Driver\JMCR \Device\Scsi\JMCR3Port7Path0TargetffLun0 86DCC430 Device \Driver\JMCR \Device\Scsi\JMCR2Port6Path0TargetffLun0 86DCC430 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8596e1e8]<< 8596e1e8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x867de4c8] 867de4c8 Trace 3 CLASSPNP.SYS[8bd9859e] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x866d7908] 866d7908 Trace \Driver\atapi[0x866c5d20] -> IRP_MJ_CREATE -> 0x8596e1e8 8596e1e8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x36 0x22 0xE8 0x32 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6A 0x5D 0xF2 0xA6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x08 0x64 0xE8 0xEE ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x87 0x4E 0xF6 0x70 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x36 0x22 0xE8 0x32 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6A 0x5D 0xF2 0xA6 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x08 0x64 0xE8 0xEE ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x87 0x4E 0xF6 0x70 ... ---- EOF - GMER 2.1 ----