GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-27 19:47:29 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500BEVT-22ZCT0 rev.11.01A11 232,89GB Running: lqleoqvn.exe; Driver: C:\DOCUME~1\Fabisiak\USTAWI~1\Temp\kwnoapog.sys ---- System - GMER 2.1 ---- SSDT F7B6AFB4 ZwClose SSDT F7B6AF6E ZwCreateKey SSDT F7B6AFBE ZwCreateSection SSDT F7B6AF64 ZwCreateThread SSDT F7B6AF73 ZwDeleteKey SSDT F7B6AF7D ZwDeleteValueKey SSDT F7B6AFAF ZwDuplicateObject SSDT F7B6AF82 ZwLoadKey SSDT F7B6AF50 ZwOpenProcess SSDT F7B6AF55 ZwOpenThread SSDT F7B6AFD7 ZwQueryValueKey SSDT F7B6AF8C ZwReplaceKey SSDT F7B6AFC8 ZwRequestWaitReplyPort SSDT F7B6AF87 ZwRestoreKey SSDT F7B6AFC3 ZwSetContextThread SSDT F7B6AFCD ZwSetSecurityObject SSDT F7B6AF78 ZwSetValueKey SSDT F7B6AFD2 ZwSystemDebugControl SSDT F7B6AF5F ZwTerminateProcess INT 0x63 ? 852B8CC8 INT 0x63 ? 852B8CC8 INT 0x73 ? 857A2CC8 INT 0x73 ? 857A2CC8 INT 0x73 ? 857A2CC8 INT 0x73 ? 857A2CC8 INT 0x73 ? 852B8CC8 INT 0x73 ? 852B8CC8 INT 0x73 ? 857A2CC8 INT 0x94 ? 852B8CC8 INT 0xA4 ? 852B8CC8 INT 0xB4 ? 852B8CC8 ---- Kernel code sections - GMER 2.1 ---- .sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF738B346] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 857A11F8 Device \FileSystem\Fastfat \FatCdrom 841BF430 Device \Driver\usbehci \Device\USBPDO-0 852AC1F8 Device \Driver\usbuhci \Device\USBPDO-1 855CB1F8 Device \Driver\usbuhci \Device\USBPDO-2 855CB1F8 Device \Driver\usbuhci \Device\USBPDO-3 855CB1F8 Device \Driver\usbuhci \Device\USBPDO-4 855CB1F8 Device \Driver\usbehci \Device\USBPDO-5 852AC1F8 Device \Driver\usbuhci \Device\USBPDO-6 855CB1F8 Device \Driver\usbuhci \Device\USBPDO-7 855CB1F8 Device \Driver\Cdrom \Device\CdRom0 85288430 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F71FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F71FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F71FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [F71FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [F71FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F71FAB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 853D0430 Device \Driver\NetBT \Device\NetbiosSmb 853D0430 Device \Driver\usbuhci \Device\USBFDO-0 855CB1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{5347FFB3-BCC5-49F7-9757-713A83B8D977} 853D0430 Device \Driver\usbuhci \Device\USBFDO-1 855CB1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 852F3430 Device \Driver\usbehci \Device\USBFDO-2 852AC1F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 852F3430 Device \Driver\usbuhci \Device\USBFDO-3 855CB1F8 Device \Driver\usbuhci \Device\USBFDO-4 855CB1F8 Device \Driver\usbuhci \Device\USBFDO-5 855CB1F8 Device \Driver\usbuhci \Device\USBFDO-6 855CB1F8 Device \Driver\usbehci \Device\USBFDO-7 852AC1F8 Device \FileSystem\Fastfat \Fat 841BF430 AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys Device \FileSystem\Cdfs \Cdfs 853AF430 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\deamon\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x27 0x36 0xA2 0x8B ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\deamon\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x27 0x36 0xA2 0x8B ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore@Count 14 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore@LoadTime 429 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@Count 12 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@LoadTime 545 ---- Files - GMER 2.1 ---- File C:\Documents and Settings\Fabisiak\Recent\Downloads.lnk 444 bytes File C:\Documents and Settings\Fabisiak\Recent\fixlist.lnk 576 bytes File C:\Documents and Settings\Fabisiak\Ustawienia lokalne\Temp\etilqs_VO4c8K7Th7TpUtM 4 bytes File C:\Documents and Settings\Fabisiak\Ustawienia lokalne\Temp\wuredist.cab 0 bytes ---- EOF - GMER 2.1 ----