GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-04 10:27:21 Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e SAMSUNG_SP2514N rev.VF100-50 232,88GB Running: 2qmhwcmr.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\afedyfoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwAssignProcessToJobObject [0xB083A4B0] SSDT sptd.sys ZwCreateKey [0xF75039E0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0xB083A7F0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDebugActiveProcess [0xB083AAB0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDuplicateObject [0xB083A5D0] SSDT sptd.sys ZwEnumerateKey [0xF75380EE] SSDT sptd.sys ZwEnumerateValueKey [0xF753847C] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0xB083A8B0] SSDT sptd.sys ZwOpenKey [0xF75039C0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenProcess [0xB083A350] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenThread [0xB083A410] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwProtectVirtualMemory [0xB083A570] SSDT sptd.sys ZwQueryKey [0xF7538554] SSDT sptd.sys ZwQueryValueKey [0xF75383D4] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwQueueApcThread [0xB083A630] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetContextThread [0xB083A530] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetInformationThread [0xB083A4F0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSecurityObject [0xB083A670] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0xB083A870] SSDT sptd.sys ZwSetValueKey [0xF75385E6] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendProcess [0xB083A3B0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendThread [0xB083A430] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0xB083A830] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateProcess [0xB083A370] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateThread [0xB083A470] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwWriteVirtualMemory [0xB083A5F0] INT 0x62 ? 8A70CCB8 INT 0x63 ? 8A66DF00 INT 0x73 ? 8A66DF00 INT 0x82 ? 8A70CCB8 INT 0x83 ? 8A6E1CB8 INT 0xB4 ? 8A66DF00 ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!_abnormal_termination + 440 804E2AAC 12 Bytes [B0, A3, 83, B0, 30, A4, 83, ...] .text sptd.sys F74C7000 32 Bytes [98, 12, 6F, 80, 20, 17, 6F, ...] .text sptd.sys F74C7024 4 Bytes [74, 9F, 4B, F7] .text sptd.sys F74C702C 424 Bytes [3E, 9C, 5C, 80, A7, 92, 4D, ...] .text sptd.sys F74C71E4 4 Bytes [A1, A9, EB, 4C] .text sptd.sys F74C71EC 1 Byte [02] .text ... .sptd2 C:\WINXP\system32\drivers\sptd.sys entry point in ".sptd2" section [0xF75A10AD] ? C:\WINXP\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process. .text C:\WINXP\system32\DRIVERS\nv4_mini.sys section is writeable [0xB2EA5360, 0x1DE5ED, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1452] kernel32.dll!SetUnhandledExceptionFilter 7C844935 4 Bytes [C2, 04, 00, 00] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINXP\Explorer.EXE[436] @ C:\WINXP\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CB77774] C:\WINXP\system32\ShimEng.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8A70A1E8 AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys Device \Driver\usbohci \Device\USBPDO-0 8A66C1E8 Device \Driver\usbohci \Device\USBPDO-1 8A66C1E8 Device \Driver\usbehci \Device\USBPDO-2 8A3431E8 Device \Driver\PCI_PNP9078 \Device\00000055 sptd.sys Device \Driver\PCI_PNP9078 \Device\00000055 sptd.sys AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{E8BCA2C8-EB93-42BC-8D7C-A94B70D48EF3} 89AD51E8 Device \Driver\Cdrom \Device\CdRom0 8A45E430 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F7978B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 89AD51E8 Device \Driver\NetBT \Device\NetbiosSmb 89AD51E8 Device \Driver\usbohci \Device\USBFDO-0 8A66C1E8 Device \Driver\usbohci \Device\USBFDO-1 8A66C1E8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89C911E8 Device \Driver\usbehci \Device\USBFDO-2 8A3431E8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89C911E8 Device \Driver\iteraid \Device\Scsi\iteraid1 8A70B1E8 Device \Driver\iteraid \Device\Scsi\iteraid1Port2Path0Target0Lun0 8A70B1E8 Device \Driver\az6df2mp \Device\Scsi\az6df2mp1 8A404430 Device \FileSystem\Cdfs \Cdfs 8A36F430 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x4A 0x3F 0x64 0x2A ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE3 0x42 0x50 0xAC ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xFC 0xA3 0xD6 0xFE ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x89 0x2B 0xE3 0x35 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE3 0x42 0x50 0xAC ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x28 0xD9 0x47 0xBA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x65 0x04 0xEF 0x5F ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE3 0x42 0x50 0xAC ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4D 0x29 0xBB 0x37 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x65 0x04 0xEF 0x5F ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xE3 0x42 0x50 0xAC ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x4D 0x29 0xBB 0x37 ... ---- EOF - GMER 2.1 ----