GMER 1.0.15.15530 - http://www.gmer.net Rootkit scan 2011-01-03 17:09:52 Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543225L9A300 rev.FBEOC4CC Running: ue3jyq4t.exe; Driver: C:\Users\Ewelna\AppData\Local\Temp\pxldyfod.sys ---- Kernel code sections - GMER 1.0.15 ---- .text ntoskrnl.exe!ZwSaveKeyEx + 13B1 828858E9 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 828A53D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ? System32\Drivers\splr.sys System nie może odnaleźć określonej ścieżki. ! .text USBPORT.SYS!DllUnload 9123FCA0 5 Bytes JMP 85A634E0 .text a5f5idtk.SYS 8FE0700D 9 Bytes [C7, 81, 82, 48, EB, 81, 82, ...] .text a5f5idtk.SYS 8FE07017 51 Bytes [00, DE, 37, F3, 88, E6, 35, ...] .text a5f5idtk.SYS 8FE0704B 107 Bytes [82, 2E, 1C, A3, 82, D8, DB, ...] .text a5f5idtk.SYS 8FE070B7 10 Bytes [82, F0, 76, 8A, 82, 20, 10, ...] .text a5f5idtk.SYS 8FE070C3 8 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL} .text ... ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1568] kernel32.dll!SetUnhandledExceptionFilter 75A33162 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[3060] ntdll.dll!LdrLoadDll 773DF625 5 Bytes JMP 00D213F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoDetachDevice] [88E61DDC] \SystemRoot\System32\Drivers\splr.sys IAT \SystemRoot\system32\DRIVERS\pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack] [88E61E30] \SystemRoot\System32\Drivers\splr.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [88E37042] \SystemRoot\System32\Drivers\splr.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [88E376D6] \SystemRoot\System32\Drivers\splr.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [88E37800] \SystemRoot\System32\Drivers\splr.sys IAT \SystemRoot\system32\DRIVERS\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [88E3713E] \SystemRoot\System32\Drivers\splr.sys IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortNotification] 00147880 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortQuerySystemTime] 78800C75 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortReadPortUchar] 06750015 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortStallExecution] C25DC033 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortWritePortUchar] 458B0008 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortWritePortUlong] 6A006A08 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 50056A24 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 005AB7E8 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortGetScatterGatherList] 0001B800 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortGetParentBusType] C25D0000 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortRequestCallback] CCCC0008 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortWritePortBufferUshort] CCCCCCCC IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortGetUnCachedExtension] CCCCCCCC IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortCompleteRequest] CCCCCCCC IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortCopyMemory] 53EC8B55 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortEtwTraceLog] 800C5D8B IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] 7500117B IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] 127B806A IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 80647500 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7500137B IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortInitialize] 157B805E IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortGetDeviceBase] 56587500 IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[ataport.SYS!AtaPortDeviceStateChange] 8008758B IAT \SystemRoot\System32\Drivers\a5f5idtk.SYS[NTOSKRNL.exe!KeTickCount] 78801875 ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [742A2494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74285624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [742856E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [742A250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74298573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74294D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [742950CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [742951A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [742966D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [742982CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74298819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7429907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7429E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2188] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74294C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[2264] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [75425E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[2264] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [75425E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[2264] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [75425E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) IAT C:\Windows\System32\rundll32.exe[2264] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [75425E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 848431F8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET) Device \Driver\sptd \Device\1351423312 splr.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation) Device \Driver\usbuhci \Device\USBPDO-0 85B8D500 Device \Driver\usbuhci \Device\USBPDO-1 85B8D500 Device \Driver\usbuhci \Device\USBPDO-2 85B8D500 Device \Driver\NetBT \Device\NetBT_Tcpip_{2D016DEA-E9F6-49BF-83F8-CD232ECC95FB} 8591B1F8 Device \Driver\usbehci \Device\USBPDO-3 85B18500 Device \Driver\usbuhci \Device\USBPDO-4 85B8D500 Device \Driver\usbuhci \Device\USBPDO-5 85B8D500 Device \Driver\usbuhci \Device\USBPDO-6 85B8D500 Device \Driver\volmgr \Device\HarddiskVolume1 8483E1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) Device \Driver\usbehci \Device\USBPDO-7 85B18500 Device \Driver\PCI_PNP3310 \Device\00000058 splr.sys Device \Driver\volmgr \Device\HarddiskVolume2 8483E1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom0 8588B1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 848401F8 Device \Driver\atapi \Device\Ide\IdePort0 848401F8 Device \Driver\atapi \Device\Ide\IdePort1 848401F8 Device \Driver\atapi \Device\Ide\IdePort2 848401F8 Device \Driver\atapi \Device\Ide\IdePort3 848401F8 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 848401F8 Device \Driver\msahci \Device\Ide\PciIde0Channel0 848411F8 Device \Driver\msahci \Device\Ide\PciIde0Channel1 848411F8 Device \Driver\msahci \Device\Ide\PciIde0Channel4 848411F8 Device \Driver\msahci \Device\Ide\PciIde0Channel5 848411F8 Device \Driver\volmgr \Device\HarddiskVolume3 8483E1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) Device \Driver\cdrom \Device\CdRom1 8588B1F8 Device \Driver\volmgr \Device\HarddiskVolume4 8483E1F8 AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation) Device \Driver\USBSTOR \Device\00000075 858C41F8 Device \Driver\USBSTOR \Device\00000076 858C41F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 8591B1F8 Device \Driver\ACPI_HAL \Device\0000004a halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) Device \Driver\usbuhci \Device\USBFDO-0 85B8D500 Device \Driver\usbuhci \Device\USBFDO-1 85B8D500 Device \Driver\usbuhci \Device\USBFDO-2 85B8D500 Device \Driver\usbehci \Device\USBFDO-3 85B18500 Device \Driver\usbuhci \Device\USBFDO-4 85B8D500 Device \Driver\usbuhci \Device\USBFDO-5 85B8D500 Device \Driver\usbuhci \Device\USBFDO-6 85B8D500 Device \Driver\usbehci \Device\USBFDO-7 85B18500 Device \Driver\a5f5idtk \Device\Scsi\a5f5idtk1Port4Path0Target0Lun0 85BEF370 Device \Driver\a5f5idtk \Device\Scsi\a5f5idtk1 85BEF370 Device \Driver\NetBT \Device\NetBT_Tcpip_{225C47FD-A9DC-4948-8037-6C378B6CF0FC} 8591B1F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0xE5 0x4C 0xD6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA3 0x5F 0xCB 0x83 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1F 0x2F 0xB3 0x64 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x97 0x26 0x5E 0x4E ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xA3 0x5F 0xCB 0x83 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x1F 0x2F 0xB3 0x64 ... ---- EOF - GMER 1.0.15 ----