GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-03-15 13:34:28 Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3 SAMSUNG_HD502HJ rev.1AJ10001 Running: w9mbqexq.exe; Driver: C:\DOCUME~1\Pawelek\LOCALS~1\Temp\awryypod.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xAFD05610] SSDT sptd.sys ZwCreateKey [0xB7EDCB3A] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xAFD05C10] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xAFD05730] SSDT sptd.sys ZwEnumerateKey [0xB7EDCC7E] SSDT sptd.sys ZwEnumerateValueKey [0xB7EDCFF6] SSDT sptd.sys ZwOpenKey [0xB7EDCA18] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xAFD054B0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xAFD05570] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xAFD056D0] SSDT sptd.sys ZwQueryKey [0xB7EDD0C0] SSDT sptd.sys ZwQueryValueKey [0xB7EDCF58] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xAFD05790] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xAFD05690] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xAFD05650] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xAFD057D0] SSDT sptd.sys ZwSetValueKey [0xB7EDD148] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xAFD05510] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xAFD05590] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateProcess [0xAFD054D0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xAFD055D0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xAFD05750] ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2F29 80503B29 7 Bytes [55, D0, AF, 90, 55, D0, AF] {PUSH EBP; SHR BYTE [EDI-0x502faa70], 0x1} ? fvtavvu.sys The system cannot find the file specified. ! ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process. ? C:\WINDOWS\System32\Drivers\SPTD5565.SYS The process cannot access the file because it is being used by another process. .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB303B380, 0x8D6CD5, 0xE8000020] .text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 B22724D0 16 Bytes [EA, 05, 10, 8A, 3B, F9, BD, ...] .text dtscsi.sys!A0DB34FC6FE35D429A28ADDE5467D4D7 + 11 B22724E1 31 Bytes [10, 27, B2, 7F, 0D, E2, 9A, ...] ? C:\WINDOWS\System32\Drivers\dtscsi.sys The process cannot access the file because it is being used by another process. ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1512] kernel32.dll!SetUnhandledExceptionFilter 7C810386 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[2576] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 01255B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4004] USER32.dll!GetWindowInfo 77D4F122 5 Bytes JMP 10450924 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4004] USER32.dll!TrackPopupMenu 77D94F16 5 Bytes JMP 10450ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B7ED8A32] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B7ED8B6E] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B7ED8AF6] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B7ED96CC] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B7ED95A2] sptd.sys IAT \SystemRoot\System32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B7EFAC82] sptd.sys ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 8AC82EB0 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET) Device \Driver\dmio \Device\DmControl\DmIoDaemon 8AC83808 Device \Driver\dmio \Device\DmControl\DmConfig 8AC83808 Device \Driver\dmio \Device\DmControl\DmPnP 8AC83808 Device \Driver\dmio \Device\DmControl\DmInfo 8AC83808 Device \Driver\00000064 \Device\00000047 sptd.sys AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET) Device \Driver\NetBT \Device\NetBT_Tcpip_{62DAC2B9-E133-4F77-AF96-6543613C2EF3} 8AB1F4C8 Device \Driver\Ftdisk \Device\HarddiskVolume1 8AC83A40 Device \Driver\NetBT \Device\NetBT_Tcpip_{5AA40888-B166-4314-B48E-8A3802C3FDB6} 8AB1F4C8 Device \Driver\Ftdisk \Device\HarddiskVolume2 8AC83A40 Device \Driver\Cdrom \Device\CdRom0 8A982430 Device \FileSystem\Rdbss \Device\FsWrap 8A931AD0 Device \Driver\atapi \Device\Ide\IdePort0 [B7E2E2F0] atapi.sys[unknown section] {MOV EAX, 0x8ac834f0; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb7eed442; RET } Device \Driver\atapi \Device\Ide\IdePort1 [B7E2E2F0] atapi.sys[unknown section] {MOV EAX, 0x8ac834f0; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb7eed442; RET } Device \Driver\atapi \Device\Ide\IdePort2 [B7E2E2F0] atapi.sys[unknown section] {MOV EAX, 0x8ac834f0; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb7eed442; RET } Device \Driver\atapi \Device\Ide\IdePort3 [B7E2E2F0] atapi.sys[unknown section] {MOV EAX, 0x8ac834f0; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb7eed442; RET } Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-3 [B7E2E2F0] atapi.sys[unknown section] {MOV EAX, 0x8ac834f0; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb7eed442; RET } Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-10 [B7E2E2F0] atapi.sys[unknown section] {MOV EAX, 0x8ac834f0; XCHG [ESP], EAX; PUSH EAX; PUSH 0xb7eed442; RET } Device \Driver\Cdrom \Device\CdRom1 8A982430 Device \Driver\NetBT \Device\NetBt_Wins_Export 8AB1F4C8 Device \Driver\Disk \Device\Harddisk0\DR0 8AC83398 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8AA8A3D0 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8AA8A3D0 Device \FileSystem\Npfs \Device\NamedPipe 8A9F6EB0 Device \Driver\Ftdisk \Device\FtControl 8AC83A40 Device \FileSystem\Msfs \Device\Mailslot 8A848D50 Device \Driver\dtscsi \Device\Scsi\dtscsi1Port4Path0Target0Lun0 8AB14670 Device \Driver\dtscsi \Device\Scsi\dtscsi1 8AB14670 Device \FileSystem\Cdfs \Cdfs 8A7EDCC8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s0 -329329670 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1607570483 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -1775577565 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x32 0x5A 0x62 0x0D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x56 0x92 0xCB 0xC1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x27 0x83 0xBA 0x0A ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x32 0x5A 0x62 0x0D ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x56 0x92 0xCB 0xC1 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x27 0x83 0xBA 0x0A ... ---- EOF - GMER 1.0.15 ----