GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2008-07-20 13:17:19
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.14 ----

SSDT  86F81408  ZwAllocateVirtualMemory
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwConnectPort [0xB92EB040]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateFile [0xB92E7930]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateKey [0xB92F2A80]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreatePort [0xB92EB510]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateProcess [0xB92F1870]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateProcessEx [0xB92F1AA0]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateSection [0xB92F4FD0]
SSDT  86FDD410  ZwCreateThread
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwCreateWaitablePort [0xB92EB600]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwDeleteFile [0xB92E7F20]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwDeleteKey [0xB92F36E0]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwDeleteValueKey [0xB92F3440]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwDuplicateObject [0xB92F1580]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwLoadKey [0xB92F38B0]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwOpenFile [0xB92E7D70]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwOpenProcess [0xB92F1350]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwOpenThread [0xB92F1150]
SSDT  86F81480  ZwQueueApcThread
SSDT  86F81318  ZwReadVirtualMemory
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwRenameKey [0xB92F4250]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwReplaceKey [0xB92F3CB0]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwRequestWaitReplyPort [0xB92EAC00]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwRestoreKey [0xB92F4080]
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwSecureConnectPort [0xB92EB220]
SSDT  86F81570  ZwSetContextThread
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwSetInformationFile [0xB92E8120]
SSDT  86FD81F8  ZwSetInformationKey
SSDT  86FA5450  ZwSetInformationProcess
SSDT  86FDF418  ZwSetInformationThread
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwSetValueKey [0xB92F3140]
SSDT  86FDD488  ZwSuspendProcess
SSDT  86F814F8  ZwSuspendThread
SSDT  \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)  ZwTerminateProcess [0xB92F1CD0]
SSDT  86FDF490  ZwTerminateThread
SSDT  86F81390  ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.14 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 2C44  805039F8 12 Bytes  [ 10, B5, 2E, B9, 70, 18, 2F, ... ]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2E8C  80503C40 5 Bytes  [ 50, 42, 2F, B9, B0 ]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2E92  80503C46 2 Bytes  [ 2F, B9 ]
PAGE   CLASSPNP.SYS!ClassInitialize + F4  F76794B2 4 Bytes  [ 56, 97, 6C, 85 ]
PAGE   CLASSPNP.SYS!ClassInitialize + FF  F76794BD 4 Bytes  [ AC, 51, 6C, 85 ]
PAGE   CLASSPNP.SYS!ClassInitialize + 10A  F76794C8 4 Bytes  [ 68, 97, 6C, 85 ]
PAGE   CLASSPNP.SYS!ClassInitialize + 111  F76794CF 4 Bytes  [ 5C, 97, 6C, 85 ]
PAGE   CLASSPNP.SYS!ClassInitialize + 118  F76794D6 4 Bytes  [ 62, 97, 6C, 85 ]
PAGE   ...
?      srescan.sys  The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text  C:\WINDOWS\Explorer.EXE[1744] ADVAPI32.dll!CryptDestroyKey  77DEA544 7 Bytes  JMP 00FB2B93
.text  C:\WINDOWS\Explorer.EXE[1744] ADVAPI32.dll!CryptDecrypt  77DEA7B1 7 Bytes  JMP 00FB2B50
.text  C:\WINDOWS\Explorer.EXE[1744] ADVAPI32.dll!CryptEncrypt  77DF1558 7 Bytes  JMP 00FB2B14
.text  C:\WINDOWS\Explorer.EXE[1744] WS2_32.dll!send  71AB428A 5 Bytes  JMP 00FB2985
.text  C:\WINDOWS\Explorer.EXE[1744] WS2_32.dll!WSARecv  71AB4318 5 Bytes  JMP 00FB2A77
.text  C:\WINDOWS\Explorer.EXE[1744] WS2_32.dll!recv  71AB615A 5 Bytes  JMP 00FB29BD
.text  C:\WINDOWS\Explorer.EXE[1744] WS2_32.dll!WSASend  71AB6233 5 Bytes  JMP 00FB29F5
.text  C:\WINDOWS\Explorer.EXE[1744] WS2_32.dll!closesocket  71AB9639 5 Bytes  JMP 00FB2AF9
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2100] ADVAPI32.dll!CryptDestroyKey  77DEA544 7 Bytes  JMP 01D52B93
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2100] ADVAPI32.dll!CryptDecrypt  77DEA7B1 7 Bytes  JMP 01D52B50
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2100] ADVAPI32.dll!CryptEncrypt  77DF1558 7 Bytes  JMP 01D52B14
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2100] CRYPT32.dll!CertGetCertificateChain  77A91243 5 Bytes  JMP 01D53578
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2100] CRYPT32.dll!CertVerifyCertificateChainPolicy  77A99A4C 5 Bytes  JMP 01D53581
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2100] WININET.dll!InternetConnectA  771C30A3 5 Bytes  JMP 01D52BAE
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2100] WININET.dll!HttpOpenRequestA  771C368D 5 Bytes  JMP 01D52DD1
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2100] WININET.dll!InternetCloseHandle  771C4D4C 5 Bytes  JMP 01D53098
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2100] WININET.dll!HttpSendRequestA  771C60D9 5 Bytes  JMP 01D52F11
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2100] WININET.dll!InternetReadFile  771C828C 5 Bytes  JMP 01D53043
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2100] WININET.dll!HttpSendRequestW  77211F9C 5 Bytes  JMP 01D539D8
.text  C:\Program Files\Webroot\Spy Sweeper\SpySweeperUI.exe[2244] kernel32.dll!CreateThread + 1A  7C810651 4 Bytes  [ 8F, FF, C3, 83 ]
.text  C:\Program Files\Webroot\Spy Sweeper\SpySweeper.exe[2652] kernel32.dll!CreateThread + 1A  7C810651 4 Bytes  [ FF, FB, C3, 83 ]
.text  C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3524] ntdll.dll!KiUserExceptionDispatcher + 9  7C90EAF5 5 Bytes  JMP 00016190 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text  C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3524] kernel32.dll!CreateFileA  7C801A24 5 Bytes  JMP 000168D0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text  C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3524] kernel32.dll!VirtualProtect  7C801AD0 5 Bytes  JMP 00017130 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text  C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3524] kernel32.dll!LoadLibraryExW  7C801AF1 5 Bytes  JMP 000168D0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text  C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3524] kernel32.dll!VirtualAlloc  7C809A51 5 Bytes  JMP 000170E0 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text  C:\Program Files\Webroot\Spy Sweeper\SSU.EXE[3524] kernel32.dll!VirtualFree  7C809AE4 5 Bytes  JMP 00017110 C:\Program Files\Webroot\Spy Sweeper\SSU.EXE
.text  C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE[3584] ADVAPI32.DLL!CryptDestroyKey  77DEA544 7 Bytes  JMP 028B2B93
.text  C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE[3584] ADVAPI32.DLL!CryptDecrypt  77DEA7B1 7 Bytes  JMP 028B2B50
.text  C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE[3584] ADVAPI32.DLL!CryptEncrypt  77DF1558 7 Bytes  JMP 028B2B14
.text  C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE[3584] WS2_32.dll!send  71AB428A 5 Bytes  JMP 028B2985
.text  C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE[3584] WS2_32.dll!WSARecv  71AB4318 5 Bytes  JMP 028B2A77
.text  C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE[3584] WS2_32.dll!recv  71AB615A 5 Bytes  JMP 028B29BD
.text  C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE[3584] WS2_32.dll!WSASend  71AB6233 5 Bytes  JMP 028B29F5
.text  C:\PROGRA~1\MICROS~4\Office10\OUTLOOK.EXE[3584] WS2_32.dll!closesocket  71AB9639 5 Bytes  JMP 028B2AF9

---- Kernel IAT/EAT - GMER 1.0.14 ----

IAT  \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol]  86F811A8
IAT  \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol]  86F812A0
IAT  \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol]  [B92EFCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter]  [B92F01C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter]  [B92F0320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol]  [B92EFE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol]  [B92EFE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol]  [B92EFCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter]  [B92F01C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter]  [B92F0320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol]  [B92EFCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter]  [B92F0320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter]  [B92F01C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol]  [B92EFE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]  [B92F0320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]  [B92F01C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol]  [B92EFCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol]  [B92EFE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol]  [B92EFCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter]  [B92F01C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter]  [B92F0320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol]  [B92EFCA0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol]  [B92EFE10] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter]  [B92F0320] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
IAT  \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter]  [B92F01C0] \SystemRoot\System32\vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)

---- Devices - GMER 1.0.14 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  SSFS0BB9.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))
Device  \Driver\Tcpip \Device\Ip  vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device  \Driver\Tcpip \Device\Ip  863D4B50
Device  \Driver\Tcpip \Device\Ip  865837B0
Device  \Driver\Tcpip \Device\Ip  85DD29B0
Device  \Driver\Tcpip \Device\Ip  85FE80A8
Device  \Driver\Tcpip \Device\Ip  8604D208
Device  \Driver\Tcpip \Device\Ip  85E4A2B0
Device  \Driver\Tcpip \Device\Ip  86495100
Device  \Driver\Tcpip \Device\Tcp  vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device  \Driver\Tcpip \Device\Tcp  863D4B50
Device  \Driver\Tcpip \Device\Tcp  865837B0
Device  \Driver\Tcpip \Device\Tcp  85DD29B0
Device  \Driver\Tcpip \Device\Tcp  85FE80A8
Device  \Driver\Tcpip \Device\Tcp  8604D208
Device  \Driver\Tcpip \Device\Tcp  85E4A2B0
Device  \Driver\Tcpip \Device\Tcp  86495100
Device  \Driver\Cdrom \Device\CdRom0  856C9756
Device  \Driver\Tcpip \Device\Udp  vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device  \Driver\Tcpip \Device\Udp  863D4B50
Device  \Driver\Tcpip \Device\Udp  865837B0
Device  \Driver\Tcpip \Device\Udp  85DD29B0
Device  \Driver\Tcpip \Device\Udp  85FE80A8
Device  \Driver\Tcpip \Device\Udp  8604D208
Device  \Driver\Tcpip \Device\Udp  85E4A2B0
Device  \Driver\Tcpip \Device\Udp  86495100
Device  \Driver\Disk \Device\Harddisk0\DR0  856C9756
Device  \Driver\Tcpip \Device\RawIp  vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device  \Driver\Tcpip \Device\RawIp  863D4B50
Device  \Driver\Tcpip \Device\RawIp  865837B0
Device  \Driver\Tcpip \Device\RawIp  85DD29B0
Device  \Driver\Tcpip \Device\RawIp  85FE80A8
Device  \Driver\Tcpip \Device\RawIp  8604D208
Device  \Driver\Tcpip \Device\RawIp  85E4A2B0
Device  \Driver\Tcpip \Device\RawIp  86495100
Device  \Driver\Tcpip \Device\IPMULTICAST  vsdatant.sys (TrueVector Device Driver/Zone Labs, LLC)
Device  \Driver\Tcpip \Device\IPMULTICAST  863D4B50
Device  \Driver\Tcpip \Device\IPMULTICAST  865837B0
Device  \Driver\Tcpip \Device\IPMULTICAST  85DD29B0
Device  \Driver\Tcpip \Device\IPMULTICAST  85FE80A8
Device  \Driver\Tcpip \Device\IPMULTICAST  8604D208
Device  \Driver\Tcpip \Device\IPMULTICAST  85E4A2B0
Device  \Driver\Tcpip \Device\IPMULTICAST  86495100
Device  \FileSystem\Fastfat \Fat  B17BAC8A
AttachedDevice  \FileSystem\Fastfat \Fat  SSFS0BB9.SYS (Spy Sweeper FileSystem Filter Driver/Webroot Software Inc (www.webroot.com))
AttachedDevice  \FileSystem\Fastfat \Fat  fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device  \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer  tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device  \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer  tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device  \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer  tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device  \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer  tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device  \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer  tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)
Device  \FileSystem\Cdfs \Cdfs  tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Threads - GMER 1.0.14 ----

Thread  4:724  857088D0
Thread  4:728  856F5BE0
Thread  4:732  8573DDF0
Thread  4:736  856D6110
Thread  4:492  857088D0
Thread  4:496  856F5BE0
Thread  4:500  8573DDF0
Thread  4:504  856D6110

---- Disk sectors - GMER 1.0.14 ----

Disk  \Device\Harddisk0\DR0  sector 00: rootkit-like behavior; MBR rootkit code detected <-- ROOTKIT !!!
Disk  \Device\Harddisk0\DR0  sector 10: rootkit-like behavior;
Disk  \Device\Harddisk0\DR0  sector 11: rootkit-like behavior;
Disk  \Device\Harddisk0\DR0  sector 32: rootkit-like behavior;
Disk  \Device\Harddisk0\DR0  sector 33: rootkit-like behavior;
Disk  \Device\Harddisk0\DR0  sector 57: rootkit-like behavior;
Disk  \Device\Harddisk0\DR0  sector 60: rootkit-like behavior;
Disk  \Device\Harddisk0\DR0  sector 61: rootkit-like behavior; malicious code @ sector 0x12a050fc size 0x1fd
Disk  \Device\Harddisk0\DR0  sector 62: rootkit-like behavior; copy of MBR

---- EOF - GMER 1.0.14 ----