GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2014-01-07 00:41:58 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD2500BEVS-60UST0 rev.01.01A01 232,89GB Running: dsr48mxn.exe; Driver: C:\Users\biernak\AppData\Local\Temp\awdiyfob.sys ---- System - GMER 2.1 ---- SSDT 8C42B78E ZwCreateSection SSDT 8C42B798 ZwRequestWaitReplyPort SSDT 8C42B793 ZwSetContextThread SSDT 8C42B79D ZwSetSecurityObject SSDT 8C42B7A2 ZwSystemDebugControl SSDT 8C42B72F ZwTerminateProcess INT 0x52 ? 863A0BF8 INT 0x72 ? 863A0BF8 INT 0x72 ? 863A0BF8 INT 0x82 ? 84747BF8 INT 0x82 ? 84747BF8 INT 0x82 ? 84747BF8 INT 0x82 ? 863A0BF8 INT 0x82 ? 84747BF8 INT 0x92 ? 84747BF8 INT 0xA2 ? 84747BF8 INT 0xB2 ? 863A0BF8 INT 0xB3 ? 863A0BF8 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 215 820AC958 4 Bytes [8E, B7, 42, 8C] .text ntkrnlpa.exe!KeSetEvent + 539 820ACC7C 4 Bytes [98, B7, 42, 8C] .text ntkrnlpa.exe!KeSetEvent + 56D 820ACCB0 4 Bytes [93, B7, 42, 8C] .text ntkrnlpa.exe!KeSetEvent + 5D1 820ACD14 4 Bytes [9D, B7, 42, 8C] .text ntkrnlpa.exe!KeSetEvent + 619 820ACD5C 4 Bytes [A2, B7, 42, 8C] .text ... ? System32\Drivers\spqj.sys System nie może odnaleźć określonej ścieżki. ! 
---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdiplusShutdown] [74817817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipCloneImage] [7486A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipDrawImageRectI] [7481BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipSetInterpolationMode] [7480F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdiplusStartup] [748175E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipCreateFromHDC] [7480E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74848395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7481DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipGetImageHeight] [7480FFFA] 
C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipGetImageWidth] [7480FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipDisposeImage] [748071CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7489CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipLoadImageFromFile] [7483C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipDeleteGraphics] [7480D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipFree] [74806853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipAlloc] [7480687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll IAT C:\Windows\EXPLORER.EXE[2696] @ C:\Windows\EXPLORER.EXE [gdiplus.dll!GdipSetCompositingMode] [74812AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8474D1F8 Device \Driver\volmgr \Device\VolMgrControl 847491F8 Device \Driver\usbuhci 
\Device\USBPDO-0 863721F8 Device \Driver\usbuhci \Device\USBPDO-1 863721F8 Device \Driver\usbehci \Device\USBPDO-2 8638D1F8 Device \Driver\usbuhci \Device\USBPDO-3 863721F8 Device \Driver\usbuhci \Device\USBPDO-4 863721F8 Device \Driver\sptd \Device\2405790305 spqj.sys Device \Driver\usbuhci \Device\USBPDO-5 863721F8 Device \Driver\PCI_PNP2292 \Device\00000057 spqj.sys Device \Driver\usbehci \Device\USBPDO-6 8638D1F8 Device \Driver\volmgr \Device\HarddiskVolume1 847491F8 Device \Driver\cdrom \Device\CdRom0 864991F8 Device \Driver\volmgr \Device\HarddiskVolume2 847491F8 Device \Driver\cdrom \Device\CdRom1 864991F8 Device \Driver\volmgr \Device\HarddiskVolume3 847491F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8474B1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 8474B1F8 Device \Driver\atapi \Device\Ide\IdePort0 8474B1F8 Device \Driver\atapi \Device\Ide\IdePort1 8474B1F8 Device \Driver\atapi \Device\Ide\IdePort2 8474B1F8 Device \Driver\atapi \Device\Ide\IdePort3 8474B1F8 Device \Driver\atapi \Device\Ide\IdePort4 8474B1F8 Device \Driver\msahci \Device\Ide\PciIde1Channel0 8474C1F8 Device \Driver\msahci \Device\Ide\PciIde1Channel1 8474C1F8 Device \Driver\msahci \Device\Ide\PciIde1Channel2 8474C1F8 Device \Driver\volmgr \Device\HarddiskVolume4 847491F8 Device \Driver\netbt \Device\NetBt_Wins_Export 89A2E500 Device \Driver\netbt \Device\NetBT_Tcpip_{E5DE5C3D-19F7-4A18-97A9-550F1F0F8BEA} 89A2E500 Device \Driver\Smb \Device\NetbiosSmb 89A371F8 Device \Driver\netbt \Device\NetBT_Tcpip_{524EF1A6-84C4-42FD-B0DC-FD9B6D68FA22} 89A2E500 Device \Driver\iScsiPrt \Device\RaidPort0 8643C1F8 Device \Driver\usbuhci \Device\USBFDO-0 863721F8 Device \Driver\usbuhci \Device\USBFDO-1 863721F8 Device \Driver\usbehci \Device\USBFDO-2 8638D1F8 Device \Driver\usbuhci \Device\USBFDO-3 863721F8 Device \Driver\usbuhci \Device\USBFDO-4 863721F8 Device \Driver\usbuhci \Device\USBFDO-5 863721F8 Device \Driver\usbehci \Device\USBFDO-6 8638D1F8 Device \Driver\adgxcant 
\Device\Scsi\adgxcant1Port6Path0Target0Lun0 864981F8 Device \Driver\adgxcant \Device\Scsi\adgxcant1 864981F8 Device \FileSystem\cdfs \Cdfs 84CC9500 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x8474b1f8]<< 8474b1f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85c54ac8] 85c54ac8 Trace 3 CLASSPNP.SYS[8a79d8b3] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x85591b98] 85591b98 Trace \Driver\atapi[0x855a0898] -> IRP_MJ_CREATE -> 0x8474b1f8 8474b1f8 ---- Services - GMER 2.1 ---- Service C:\Windows\system32\vcjsyqnt.dll (*** hidden *** ) [AUTO] dfhbspz <-- ROOTKIT !!! ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\dfhbspz@DisplayName Task Security Reg HKLM\SYSTEM\CurrentControlSet\Services\dfhbspz@Type 32 Reg HKLM\SYSTEM\CurrentControlSet\Services\dfhbspz@Start 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\dfhbspz@ErrorControl 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\dfhbspz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\CurrentControlSet\Services\dfhbspz@ObjectName LocalSystem Reg HKLM\SYSTEM\CurrentControlSet\Services\dfhbspz@Description Zapewnia zarządzanie kompozycjami obsługiwanymi przez użytkownika. 
Reg HKLM\SYSTEM\CurrentControlSet\Services\dfhbspz\Parameters Reg HKLM\SYSTEM\CurrentControlSet\Services\dfhbspz\Parameters@ServiceDll C:\Windows\system32\vcjsyqnt.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\dfhbspz Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7B 0x1C 0xD3 0xEC ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDC 0x16 0x59 0xD9 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB3 0x64 0x82 0xC3 ... Reg HKLM\SYSTEM\ControlSet003\Services\dfhbspz@DisplayName Task Security Reg HKLM\SYSTEM\ControlSet003\Services\dfhbspz@Type 32 Reg HKLM\SYSTEM\ControlSet003\Services\dfhbspz@Start 2 Reg HKLM\SYSTEM\ControlSet003\Services\dfhbspz@ErrorControl 0 Reg HKLM\SYSTEM\ControlSet003\Services\dfhbspz@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs Reg HKLM\SYSTEM\ControlSet003\Services\dfhbspz@ObjectName LocalSystem Reg HKLM\SYSTEM\ControlSet003\Services\dfhbspz@Description Zapewnia zarządzanie kompozycjami obsługiwanymi przez użytkownika. 
Reg HKLM\SYSTEM\ControlSet003\Services\dfhbspz\Parameters (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\dfhbspz\Parameters@ServiceDll C:\Windows\system32\vcjsyqnt.dll Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x7B 0x1C 0xD3 0xEC ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xDC 0x16 0x59 0xD9 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0xB3 0x64 0x82 0xC3 ... ---- EOF - GMER 2.1 ----