GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-14 22:21:40
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 rev.
Running: gmer.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\pgddrpoc.sys

---- System - GMER 1.0.15 ----

INT 0x52 ? 86030BF8
INT 0x62 ? 86030BF8
INT 0x82 ? 85280BF8
INT 0x92 ? 85280BF8
INT 0xB3 ? 86030BF8

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\sprj.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 8CC6546F 5 Bytes JMP 860301D8
.text at3l47x9.SYS 8CD9F000 22 Bytes [26, 22, BD, 82, 10, 21, BD, ...]
.text at3l47x9.SYS 8CD9F017 111 Bytes [00, 32, 57, F9, 82, 3D, 55, ...]
.text at3l47x9.SYS 8CD9F087 33 Bytes [82, 37, F2, 84, 82, 56, 68, ...]
.text at3l47x9.SYS 8CD9F0A9 35 Bytes [50, 86, 82, 60, 47, 86, 82, ...]
.text at3l47x9.SYS 8CD9F0CE 10 Bytes [00, 00, 00, 00, 00, 00, 02, ...]
.text ...

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85C191F8
Device \FileSystem\fastfat \FatCdrom 87737500
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
Device \Driver\volmgr \Device\VolMgrControl 852821F8
Device \Driver\netbt \Device\NetBT_Tcpip_{1EBCC7A2-7284-4715-AC16-8ABB546F3327} 8767B1F8
Device \Driver\usbuhci \Device\USBPDO-0 860741F8
Device \Driver\netbt \Device\NetBT_Tcpip_{C48D4A8A-257B-4236-A859-27E2412F4DCB} 8767B1F8
Device \Driver\usbuhci \Device\USBPDO-1 860741F8
Device \Driver\usbuhci \Device\USBPDO-2 860741F8
Device \Driver\usbuhci \Device\USBPDO-3 860741F8
Device \Driver\usbehci \Device\USBPDO-4 860751F8
Device \Driver\volmgr \Device\HarddiskVolume1 852821F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume2 852821F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 860F8500
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 85C161F8
Device \Driver\atapi \Device\Ide\IdePort0 85C161F8
Device \Driver\atapi \Device\Ide\IdePort1 85C161F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 85C161F8
Device \Driver\volmgr \Device\HarddiskVolume3 852821F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom1 860F8500
Device \Driver\netbt \Device\NetBt_Wins_Export 8767B1F8
Device \Driver\Smb \Device\NetbiosSmb 8767E1F8
Device \Driver\iScsiPrt \Device\RaidPort0 861061F8
Device \Driver\disk \Device\Harddisk0\DR0 8770C616
Device \Driver\usbuhci \Device\USBFDO-0 860741F8
Device \Driver\usbuhci \Device\USBFDO-1 860741F8
Device \Driver\PCI_PNP2405 \Device\0000006e sprj.sys
Device \Driver\usbuhci \Device\USBFDO-2 860741F8
Device \Driver\usbuhci \Device\USBFDO-3 860741F8
Device \Driver\usbehci \Device\USBFDO-4 860751F8
Device \Driver\sptd \Device\2662058421 sprj.sys
Device \Driver\at3l47x9 \Device\Scsi\at3l47x91Port3Path0Target0Lun0 861021F8
Device \Driver\at3l47x9 \Device\Scsi\at3l47x91 861021F8
Device \FileSystem\fastfat \Fat 87737500
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\cdfs \Cdfs 87C141F8

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 1980
Process C:\Program Files\Internet Explorer\iexplore.exe (*** hidden *** ) 2024

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001d6069c407
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x66 0x82 0x91 0xB3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x52 0xE7 0x8E 0xCF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD4 0x58 0xC5 0x15 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001d6069c407 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x66 0x82 0x91 0xB3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x52 0xE7 0x8E 0xCF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD4 0x58 0xC5 0x15 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F0C9C8A-F9A5-CE90-7427-479D15492A47}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F0C9C8A-F9A5-CE90-7427-479D15492A47}@makeleaamacomgmpmemhoblodf 0x6A 0x61 0x6C 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F0C9C8A-F9A5-CE90-7427-479D15492A47}@naebjgklgdjfabhjgdpllnigodpa 0x6A 0x61 0x61 0x61 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F0C9C8A-F9A5-CE90-7427-479D15492A47}@oaacbdbopdeggpockgfdpgocnoggmk 0x6E 0x61 0x6C 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{7F0C9C8A-F9A5-CE90-7427-479D15492A47}@kakedninljimdnnkpdifah 0x64 0x62 0x64 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{C5EAEED6-06F3-1C8D-FA84-2E2C36EA8AD5}

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 Whistler@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----