MBAM log:
Malwarebytes' Anti-Malware 1.46
www.malwarebytes.org
Database version: 4339
Windows 6.1.7600
Internet Explorer 8.0.7600.16385
7/22/2010 9:54:23 PM
mbam-log-2010-07-22 (21-54-23).txt
Scan type: Full scan (C:\|)
Objects scanned: 222313
Time elapsed: 32 minute(s), 30 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)
GMER log:
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-22 21:16:58
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\W7\AppData\Local\Temp\pwldapog.sys
---- System - GMER 1.0.15 ----
INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C30AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C30104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C303F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C192D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C18898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C301DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C30958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C306F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C30F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C311A8
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C828E9 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82CA23D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\Drivers\spoh.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 93E45CA0 5 Bytes JMP 856A24E0
.text peauth.sys 82366C9D 28 Bytes [55, 6C, DE, B5, 2A, 56, 42, ...]
.text peauth.sys 82366CC1 28 Bytes [55, 6C, DE, B5, 2A, 56, 42, ...]
PAGE peauth.sys 8236CE20 101 Bytes [8B, DC, 4B, B5, 67, 29, D6, ...]
PAGE peauth.sys 8236D02C 102 Bytes [D6, 0E, 48, C9, 93, 7C, 93, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 AA8DB000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 AA8DB123 629 Bytes [65, 8D, AA, FE, 05, 34, 65, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 AA8DB399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F AA8DB3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B AA8DB4AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtProtectVirtualMemory 77995360 5 Bytes JMP 0033000A
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtWriteVirtualMemory 77995EE0 5 Bytes JMP 0034000A
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!KiUserExceptionDispatcher 77996448 5 Bytes JMP 0032000A
.text C:\Windows\system32\svchost.exe[1328] ole32.dll!CoCreateInstance 774357FC 5 Bytes JMP 003A000A
.text C:\Windows\Explorer.EXE[2836] ntdll.dll!NtProtectVirtualMemory 77995360 5 Bytes JMP 0045000A
.text C:\Windows\Explorer.EXE[2836] ntdll.dll!NtWriteVirtualMemory 77995EE0 5 Bytes JMP 0046000A
.text C:\Windows\Explorer.EXE[2836] ntdll.dll!KiUserExceptionDispatcher 77996448 5 Bytes JMP 0040000A
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 856711F8
Device \Driver\volmgr \Device\VolMgrControl 8566D1F8
Device \Driver\ACPI_HAL \Device\00000050 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbuhci \Device\USBPDO-0 86890500
Device \Driver\usbuhci \Device\USBPDO-1 86890500
Device \Driver\usbehci \Device\USBPDO-2 8639D500
Device \Driver\usbuhci \Device\USBPDO-3 86890500
Device \Driver\usbuhci \Device\USBPDO-4 86890500
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-5 86890500
Device \Driver\usbehci \Device\USBPDO-6 8639D500
Device \Driver\volmgr \Device\HarddiskVolume1 8566D1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume2 8566D1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\cdrom \Device\CdRom0 865EA1F8
Device \Driver\volmgr \Device\HarddiskVolume3 8566D1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\atapi \Device\Ide\IdePort0 8566F1F8
Device \Driver\atapi \Device\Ide\IdePort1 8566F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-2 8566F1F8
Device \Driver\volmgr \Device\HarddiskVolume4 8566D1F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{4E803786-72D8-4A0C-B4D7-5E0405742AF7} 866211F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 866211F8
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{2893C2D8-B98C-4C08-9C40-6CC9B341C708} 866211F8
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 86890500
Device \Driver\USBSTOR \Device\0000006d 86874500
Device \Driver\usbuhci \Device\USBFDO-1 86890500
Device \Driver\USBSTOR \Device\0000006e 86874500
Device \Driver\usbehci \Device\USBFDO-2 8639D500
Device \Driver\usbuhci \Device\USBFDO-3 86890500
Device \Driver\usbuhci \Device\USBFDO-4 86890500
Device \Driver\usbuhci \Device\USBFDO-5 86890500
Device \Driver\usbehci \Device\USBFDO-6 8639D500
Device -> \Driver\atapi \Device\Harddisk0\DR0 863DCEC5
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0xF7 0x2C 0x3B ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x0A 0xF7 0x2C 0x3B ...
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
Edited by PippytheGreat, 22 July 2010 - 08:04 PM.
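The two lines in the GMER output that a responder would look at first are `File C:\Windows\system32\drivers\atapi.sys suspicious modification` and `Device -> \Driver\atapi \Device\Harddisk0\DR0 863DCEC5` (a disk device object whose dispatch has been redirected to a raw kernel address), followed by the `? System32\Drivers\spoh.sys` module with no file on disk and the inline `JMP` hooks in svchost.exe and Explorer.EXE. The script below is an added example, not part of the original post and not GMER's own code: it splits a GMER log into its `---- <Section> - GMER x.y.z ----` blocks, extracts those four indicator types, and orders them kernel-first. The sample log is an excerpt copied from the log above; the regular expressions, the `Finding` type and the priority ordering are this example's own assumptions about the log format.

```python
"""Triage helper for a GMER rootkit-scan log (added example, not GMER's code)."""
import re
from collections import Counter
from dataclasses import dataclass

# Section header as GMER prints it, e.g. '---- Files - GMER 1.0.15 ----'
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# 'File <path> suspicious modification' in the Files section
FILE_RE = re.compile(r"^File\s+(?P<path>\S+)\s+suspicious modification$")
# 'Device -> \Driver\x \Device\y <addr>': device object redirected to a bare address
REDIRECT_RE = re.compile(
    r"^Device -> (?P<driver>\\Driver\\\S+)\s+(?P<device>\S+)\s+(?P<addr>[0-9A-F]{8})$"
)
# Inline hook in a user process: '.text <exe>[pid] <dll!export> <addr> N Bytes JMP <target>'
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>\S+)\[(?P<pid>\d+)\]\s+(?P<export>\S+!\S+)\s+"
    r"(?P<at>[0-9A-F]{8})\s+\d+ Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})$"
)
# Inline hook on a kernel export: '.text <module!export> <addr> N Bytes JMP <target>'
KERNEL_HOOK_RE = re.compile(
    r"^\.text\s+(?P<export>\S+!\S+)\s+(?P<at>[0-9A-F]{8})\s+\d+ Bytes\s+JMP\s+(?P<target>[0-9A-F]{8})$"
)
# Loaded kernel module whose backing file GMER could not open
MISSING_RE = re.compile(r"^\? (?P<path>\S+) The system cannot find the path specified\. !$")

# Assumed ordering: disk/driver-level findings before user-mode hooks.
PRIORITY = {"modified_file": 0, "device_redirect": 0, "missing_module": 1, "inline_hook": 2}


@dataclass
class Finding:
    kind: str      # one of the PRIORITY keys
    section: str   # GMER section the line came from
    detail: str    # short human-readable summary
    line: str      # the original log line


def split_sections(text):
    """Yield (section_name, line); lines before the first header get section ''."""
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        yield section, line


def triage(text):
    """Return the indicator lines from a GMER log, highest priority first."""
    findings = []
    for section, line in split_sections(text):
        if m := FILE_RE.match(line):
            findings.append(Finding("modified_file", section, m["path"], line))
        elif m := REDIRECT_RE.match(line):
            findings.append(Finding("device_redirect", section, f"{m['device']} -> {m['addr']}", line))
        elif m := USER_HOOK_RE.match(line):
            findings.append(Finding("inline_hook", section,
                                    f"{m['proc']}[{m['pid']}] {m['export']} -> {m['target']}", line))
        elif m := KERNEL_HOOK_RE.match(line):
            findings.append(Finding("inline_hook", section, f"{m['export']} -> {m['target']}", line))
        elif m := MISSING_RE.match(line):
            findings.append(Finding("missing_module", section, m["path"], line))
    # sorted() is stable, so equal-priority findings keep their log order
    return sorted(findings, key=lambda f: PRIORITY[f.kind])


def summarize(findings):
    """Count findings per kind, e.g. {'inline_hook': 4, ...}."""
    return dict(Counter(f.kind for f in findings))


# Excerpt copied from the GMER log in the post above (sample input for this example).
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-07-22 21:16:58
---- Kernel code sections - GMER 1.0.15 ----
.text ntoskrnl.exe!ZwSaveKeyEx + 13B1 82C828E9 1 Byte [06]
? System32\Drivers\spoh.sys The system cannot find the path specified. !
.text USBPORT.SYS!DllUnload 93E45CA0 5 Bytes JMP 856A24E0
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\system32\svchost.exe[1328] ntdll.dll!NtProtectVirtualMemory 77995360 5 Bytes JMP 0033000A
.text C:\Windows\system32\svchost.exe[1328] ole32.dll!CoCreateInstance 774357FC 5 Bytes JMP 003A000A
.text C:\Windows\Explorer.EXE[2836] ntdll.dll!NtWriteVirtualMemory 77995EE0 5 Bytes JMP 0046000A
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 856711F8
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device -> \Driver\atapi \Device\Harddisk0\DR0 863DCEC5
---- Files - GMER 1.0.15 ----
File C:\Windows\system32\drivers\atapi.sys suspicious modification
---- EOF - GMER 1.0.15 ----
"""

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] ({f.section}) {f.detail}")
    print(summarize(triage(SAMPLE_LOG)))
```

Feed it the full log saved as a text file (`triage(open("gmer.txt").read())`) and the output is the short list to take to the next step: confirming the on-disk `atapi.sys` against a known-good copy, and checking what the `DR0` device's dispatch now points at. Lines GMER attributes to a signed vendor driver (the `fvevol.sys` and `avgtdix.sys` `AttachedDevice` entries) are deliberately left out of the findings, since they are expected filter-driver attachments rather than hooks.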