GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-06 18:17:52
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: llk5fnc9.exe; Driver: C:\Users\sandoz\AppData\Local\Temp\uwldypob.sys

---- System - GMER 1.0.15 ----

INT 0x52 ? 87FC5F00
INT 0x72 ? 87FC5F00
INT 0x82 ? 87FC5F00
INT 0xA2 ? 87FC5F00
INT 0xA2 ? 87FC5F00
INT 0xB2 ? 86187CB8
INT 0xB2 ? 87FC5F00
INT 0xB2 ? 87FC5F00
INT 0xB2 ? 87FC5F00
INT 0xB2 ? 86187CB8

---- Kernel code sections - GMER 1.0.15 ----

.sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x807A2089]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8FC0E340, 0x3FC377, 0xE8000020]
.text USBPORT.SYS!DllUnload 903AD41B 5 Bytes JMP 87FC5410

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8068FF12] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [80690232] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8068F730] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [806900F0] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8068F856] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8068F914] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A3EA6] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8618B1E8
AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys (Windows Update Monitor Driver/Lenovo)
Device \Driver\netbt \Device\NetBT_Tcpip_{44C77159-5609-4109-A3C8-22241BCA364F} 91D641E8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-0 8873B430
Device \Driver\usbuhci \Device\USBPDO-1 8873B430
Device \Driver\usbuhci \Device\USBPDO-2 8873B430
Device \Driver\usbehci \Device\USBPDO-3 8869A1E8
Device \Driver\usbuhci \Device\USBPDO-4 8873B430
Device \Driver\usbuhci \Device\USBPDO-5 8873B430
Device \Driver\netbt \Device\NetBT_Tcpip_{FDF699A4-863B-4818-ADF3-23F6AFB06BB4} 91D641E8
Device \Driver\usbuhci \Device\USBPDO-6 8873B430
Device \Driver\usbehci \Device\USBPDO-7 8869A1E8
Device \Driver\cdrom \Device\CdRom0 88698430
Device \Driver\iaStor \Device\Ide\iaStor0 [832BB720] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [832BB720] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [832BB720] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\netbt \Device\NetBt_Wins_Export 91D641E8
Device \Driver\Smb \Device\NetbiosSmb 913D31E8
Device \Driver\iScsiPrt \Device\RaidPort0 8887E1E8
Device \Driver\usbuhci \Device\USBFDO-0 8873B430
Device \Driver\usbuhci \Device\USBFDO-1 8873B430
Device \Driver\usbuhci \Device\USBFDO-2 8873B430
Device \Driver\usbehci \Device\USBFDO-3 8869A1E8
Device \Driver\usbuhci \Device\USBFDO-4 8873B430
Device \Driver\netbt \Device\NetBT_Tcpip_{EF81BFA7-77E2-4DE6-A219-52988AEC7CD1} 91D641E8
Device \Driver\usbuhci \Device\USBFDO-5 8873B430
Device \Driver\usbuhci \Device\USBFDO-6 8873B430
Device \Driver\usbehci \Device\USBFDO-7 8869A1E8
Device \FileSystem\cdfs \Cdfs 81BC31E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076d89f08
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076d89f08@0021ab3cc642 0x29 0x22 0x40 0x50 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0xEB 0x10 0x47 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x08 0x9F 0xF4 0x1C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x94 0x8C 0x67 0xC9 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0c6076d89f08 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0c6076d89f08@0021ab3cc642 0x29 0x22 0x40 0x50 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x07 0xEB 0x10 0x47 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x08 0x9F 0xF4 0x1C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x94 0x8C 0x67 0xC9 ...

---- EOF - GMER 1.0.15 ----