GMER 1.0.14.14536 - http://www.gmer.net Rootkit scan 2010-05-10 02:08:12 Windows 5.1.2600 Service Pack 3 ---- System - GMER 1.0.14 ---- SSDT sptd.sys ZwCreateKey [0xB9EC00D0] SSDT sptd.sys ZwEnumerateKey [0xB9EC5E2C] SSDT sptd.sys ZwEnumerateValueKey [0xB9EC61BA] SSDT sptd.sys ZwOpenKey [0xB9EC00B0] SSDT sptd.sys ZwQueryKey [0xB9EC6292] SSDT sptd.sys ZwQueryValueKey [0xB9EC6112] SSDT sptd.sys ZwSetValueKey [0xB9EC6324] ---- Kernel code sections - GMER 1.0.14 ---- ? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process. .text USBPORT.SYS!DllUnload B92CE8AC 5 Bytes JMP 89BC1780 ? System32\Drivers\azn80h7a.SYS The system cannot find the path specified. ! ---- User code sections - GMER 1.0.14 ---- .text C:\WINDOWS\Explorer.EXE[860] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00B6000A .text C:\WINDOWS\Explorer.EXE[860] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C4000A .text C:\WINDOWS\Explorer.EXE[860] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00B5000C .text C:\WINDOWS\System32\svchost.exe[1512] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 0098000A .text C:\WINDOWS\System32\svchost.exe[1512] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 0099000A .text C:\WINDOWS\System32\svchost.exe[1512] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 0097000C .text C:\WINDOWS\System32\svchost.exe[1512] USER32.dll!GetCursorPos 7E42974E 5 Bytes JMP 0087000A .text C:\WINDOWS\System32\svchost.exe[1512] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 0086000A ---- Kernel IAT/EAT - GMER 1.0.14 ---- IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9EC0AD4] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9EC0C1A] sptd.sys IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9EC0B9C] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9EC1748] sptd.sys IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9EC161E] sptd.sys ---- Devices - GMER 1.0.14 ---- Device \FileSystem\Ntfs \Ntfs 89DDB1E8 Device \FileSystem\Fastfat \FatCdrom 88AE77A0 Device \Driver\PCI_NTPNP6042 \Device\00000040 sptd.sys Device \Driver\usbuhci \Device\USBPDO-0 89BB4558 Device \Driver\usbuhci \Device\USBPDO-1 89BB4558 Device \Driver\usbuhci \Device\USBPDO-2 89BB4558 Device \Driver\usbehci \Device\USBPDO-3 89BB07A0 Device \Driver\usbuhci \Device\USBPDO-4 89BB4558 Device \Driver\usbuhci \Device\USBPDO-5 89BB4558 Device \Driver\usbuhci \Device\USBPDO-6 89BB4558 Device \Driver\Ftdisk \Device\HarddiskVolume1 89DDD1E8 Device \Driver\usbehci \Device\USBPDO-7 89BB07A0 Device \Driver\Ftdisk \Device\HarddiskVolume2 89DDD1E8 Device \Driver\Cdrom \Device\CdRom0 89B237A0 Device \Driver\Cdrom \Device\CdRom1 89B237A0 Device \Driver\NetBT \Device\NetBT_Tcpip_{1E868FAB-8291-4BF5-9322-0563D84BEA3E} 899F87A0 Device \Driver\Cdrom \Device\CdRom2 89B237A0 Device \Driver\Cdrom \Device\CdRom3 89B237A0 Device \Driver\NetBT \Device\NetBt_Wins_Export 899F87A0 Device \Driver\NetBT \Device\NetbiosSmb 899F87A0 Device \Driver\USBSTOR \Device\00000079 88AEF7A0 Device \Driver\NetBT \Device\NetBT_Tcpip_{12A3712E-CE2F-4FD5-B6E4-8C162A2F494D} 899F87A0 Device \Driver\usbuhci \Device\USBFDO-0 89BB4558 Device \Driver\usbuhci \Device\USBFDO-1 89BB4558 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 899F67A0 Device \Driver\usbuhci \Device\USBFDO-2 89BB4558 Device \FileSystem\MRxSmb \Device\LanmanRedirector 899F67A0 Device \Driver\USBSTOR \Device\0000007c 88AEF7A0 Device \Driver\usbehci \Device\USBFDO-3 89BB07A0 Device \Driver\usbuhci \Device\USBFDO-4 89BB4558 Device \Driver\Ftdisk \Device\FtControl 89DDD1E8 Device \Driver\usbuhci \Device\USBFDO-5 89BB4558 Device \Driver\usbuhci \Device\USBFDO-6 89BB4558 Device \Driver\usbehci \Device\USBFDO-7 89BB07A0 Device \Driver\azn80h7a \Device\Scsi\azn80h7a1 89A5A3D8 Device \Driver\JRAID \Device\Scsi\JRAID1 89DDC1E8 Device \FileSystem\Fastfat \Fat 88AE77A0 AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) Device \FileSystem\Cdfs \Cdfs 899DD7A0 ---- Registry - GMER 1.0.14 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA2 0x0D 0x1B 0x05 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6C 0xB8 0x58 0xAE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0x5B 0xFC 0x78 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xA2 0x0D 0x1B 0x05 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x6C 0xB8 0x58 0xAE ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x1C 0x5B 0xFC 0x78 ... ---- EOF - GMER 1.0.14 ----