GMER 1.0.15.15640 - http://www.gmer.net Rootkit scan 2011-06-17 08:27:59 Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\iaStor0 TOSHIBA_ rev.LB01 Running: qdl1t8xb.exe; Driver: C:\Users\STACHU\AppData\Local\Temp\uxliqpog.sys ---- System - GMER 1.0.15 ---- INT 0x52 ? 87345BF8 INT 0x72 ? 87345BF8 INT 0x82 ? 87345BF8 INT 0x92 ? 8507DBF8 INT 0xA2 ? 85A0CBF8 INT 0xB2 ? 87345BF8 INT 0xB2 ? 87345BF8 ---- Kernel code sections - GMER 1.0.15 ---- ? System32\Drivers\spqt.sys The system cannot find the path specified. ! .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x88F56000, 0x4036D, 0xE8000020] .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x88F9F000, 0x510, 0x40000040] .text USBPORT.SYS!DllUnload 8D12C41B 5 Bytes JMP 873451D8 ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Internet Explorer\iexplore.exe[1296] USER32.dll!EnableWindow 7645CD8B 5 Bytes JMP 6EB798BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1296] USER32.dll!DialogBoxParamW 764810B0 5 Bytes JMP 6EAD15E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1296] USER32.dll!DialogBoxIndirectParamW 76482EF5 5 Bytes JMP 6ECC5E86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1296] USER32.dll!DialogBoxParamA 76498152 5 Bytes JMP 6ECC5E21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1296] USER32.dll!DialogBoxIndirectParamA 7649847D 5 Bytes JMP 6ECC5EEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1296] USER32.dll!MessageBoxIndirectA 764AD4D9 5 Bytes JMP 6ECC5DA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1296] USER32.dll!MessageBoxIndirectW 764AD5D3 5 Bytes JMP 6ECC5D2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1296] USER32.dll!MessageBoxExA 764AD639 5 Bytes JMP 6ECC5CCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1296] USER32.dll!MessageBoxExW 764AD65D 5 Bytes JMP 6ECC5C67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1296] WININET.dll!HttpAddRequestHeadersA 769D1B9C 5 Bytes JMP 008B6A90 .text C:\Program Files\Internet Explorer\iexplore.exe[1296] WININET.dll!HttpAddRequestHeadersW 76A1F7A8 5 Bytes JMP 008B6C90 .text C:\Program Files\Internet Explorer\iexplore.exe[1296] WS2_32.dll!closesocket 7699330C 5 Bytes JMP 00AE000A .text C:\Program Files\Internet Explorer\iexplore.exe[1296] WS2_32.dll!recv 7699343A 5 Bytes JMP 00AC000A .text C:\Program Files\Internet Explorer\iexplore.exe[1296] WS2_32.dll!connect 769940D9 5 Bytes JMP 00AD000A .text C:\Program Files\Internet Explorer\iexplore.exe[1296] WS2_32.dll!getaddrinfo 7699418A 5 Bytes JMP 0183000A .text C:\Program Files\Internet Explorer\iexplore.exe[1296] WS2_32.dll!send 7699659B 5 Bytes JMP 0181000A .text C:\Program Files\Internet Explorer\iexplore.exe[1296] WS2_32.dll!gethostbyname 769A62D4 5 Bytes JMP 0182000A .text C:\Program Files\Internet Explorer\iexplore.exe[2100] kernel32.dll!CreateThread 76C2C90E 5 Bytes JMP 6EB371CB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!SetWindowsHookExW 764587AD 5 Bytes JMP 6EB7204C C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!CallNextHookEx 76458E3B 1 Byte [E9] .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!CallNextHookEx 76458E3B 5 Bytes JMP 6EB97A3F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!UnhookWindowsHookEx 764598DB 5 Bytes JMP 6EBBE9F8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!EnableWindow 7645CD8B 5 Bytes JMP 6EB798BC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!DefWindowProcA 7645DB88 7 Bytes JMP 6EB393F5 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!CreateWindowExA 7645DC2A 2 Bytes JMP 6EB43223 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!CreateWindowExA + 3 7645DC2D 2 Bytes [6E, F8] {OUTSB ; CLC } .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!CreateWindowExW 76461305 5 Bytes JMP 6EB9FE1F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!DefWindowProcW 764703B4 7 Bytes JMP 6EB97AA2 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!DialogBoxParamW 764810B0 5 Bytes JMP 6EAD15E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!DialogBoxIndirectParamW 76482EF5 5 Bytes JMP 6ECC5E86 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!DialogBoxParamA 76498152 5 Bytes JMP 6ECC5E21 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!DialogBoxIndirectParamA 7649847D 5 Bytes JMP 6ECC5EEB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!MessageBoxIndirectA 764AD4D9 5 Bytes JMP 6ECC5DA8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!MessageBoxIndirectW 764AD5D3 5 Bytes JMP 6ECC5D2F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!MessageBoxExA 764AD639 5 Bytes JMP 6ECC5CCB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] USER32.dll!MessageBoxExW 764AD65D 5 Bytes JMP 6ECC5C67 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] ole32.dll!OleLoadFromStream 76861E80 5 Bytes JMP 6ECC666E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2100] WININET.dll!HttpAddRequestHeadersA 769D1B9C 5 Bytes JMP 02306A90 .text C:\Program Files\Internet Explorer\iexplore.exe[2100] WININET.dll!HttpAddRequestHeadersW 76A1F7A8 5 Bytes JMP 02306C90 .text C:\Program Files\Internet Explorer\iexplore.exe[2100] WS2_32.dll!closesocket 7699330C 5 Bytes JMP 01BF000A .text C:\Program Files\Internet Explorer\iexplore.exe[2100] WS2_32.dll!recv 7699343A 5 Bytes JMP 009B000A .text C:\Program Files\Internet Explorer\iexplore.exe[2100] WS2_32.dll!connect 769940D9 5 Bytes JMP 009C000A .text C:\Program Files\Internet Explorer\iexplore.exe[2100] WS2_32.dll!getaddrinfo 7699418A 5 Bytes JMP 0248000A .text C:\Program Files\Internet Explorer\iexplore.exe[2100] WS2_32.dll!send 7699659B 5 Bytes JMP 0232000A .text C:\Program Files\Internet Explorer\iexplore.exe[2100] WS2_32.dll!gethostbyname 769A62D4 5 Bytes JMP 0233000A ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806966D2] \SystemRoot\System32\Drivers\spqt.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80696040] \SystemRoot\System32\Drivers\spqt.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [806967FC] \SystemRoot\System32\Drivers\spqt.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806960BE] \SystemRoot\System32\Drivers\spqt.sys IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069613C] \SystemRoot\System32\Drivers\spqt.sys IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A6048] \SystemRoot\System32\Drivers\spqt.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 85A0F1F8 AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation) Device \Driver\volmgr \Device\VolMgrControl 85A0A1F8 Device \Driver\usbuhci \Device\USBPDO-0 874231F8 Device \Driver\usbuhci \Device\USBPDO-1 874231F8 Device \Driver\usbehci \Device\USBPDO-2 874261F8 Device \Driver\usbuhci \Device\USBPDO-3 874231F8 Device \Driver\usbuhci \Device\USBPDO-4 874231F8 Device \Driver\usbuhci \Device\USBPDO-5 874231F8 Device \Driver\usbehci \Device\USBPDO-6 874261F8 Device \Driver\volmgr \Device\HarddiskVolume1 85A0A1F8 Device \Driver\volmgr \Device\HarddiskVolume2 85A0A1F8 Device \Driver\cdrom \Device\CdRom0 874AD1F8 Device \Driver\volmgr \Device\HarddiskVolume3 85A0A1F8 Device \Driver\netbt \Device\NetBT_Tcpip_{851A2ACE-CE04-47D7-BA65-B4B4EF2114B6} 87702500 Device \Driver\netbt \Device\NetBt_Wins_Export 87702500 Device \Driver\Smb \Device\NetbiosSmb 877C21F8 Device \Driver\iScsiPrt \Device\RaidPort0 873DE500 Device \Driver\usbuhci \Device\USBFDO-0 874231F8 Device \Driver\usbuhci \Device\USBFDO-1 874231F8 Device \Driver\usbehci \Device\USBFDO-2 874261F8 Device \Driver\netbt \Device\NetBT_Tcpip_{16714085-A6E4-4E3B-87FB-41CDB15024B4} 87702500 Device \Driver\usbuhci \Device\USBFDO-3 874231F8 Device \Driver\usbuhci \Device\USBFDO-4 874231F8 Device \Driver\usbuhci \Device\USBFDO-5 874231F8 Device \Driver\usbehci \Device\USBFDO-6 874261F8 Device \FileSystem\cdfs \Cdfs 97B051F8 ---- Threads - GMER 1.0.15 ---- Thread System [4:304] 8719DE7A Thread System [4:308] 871A0008 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2E 0x2C 0xB9 0x27 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA9 0x12 0x5E 0xDD ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 2 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2E 0x2C 0xB9 0x27 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA9 0x12 0x5E 0xDD ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x2E 0x2C 0xB9 0x27 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA9 0x12 0x5E 0xDD ... ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 MBR read error Disk \Device\Harddisk0\DR0 MBR BIOS signature not found 0 ---- EOF - GMER 1.0.15 ----