GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2007-12-21 00:52:19 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-60A23T0 rev.02.01A02 298,09GB Running: 9ylfu6o6.exe; Driver: C:\Users\ARAMEJ~1\AppData\Local\Temp\pwlirpoc.sys ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackComplete + 1421 828838F5 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 828A3912 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x88B2DB2E] ? C:\Windows\System32\Drivers\a6hfhfqk.SYS suspicious PE modification ---- User code sections - GMER 2.1 ---- .text C:\Windows\Explorer.EXE[1944] SHELL32.dll!SHFormatDrive + A53 75BD49E8 8 Bytes [80, 11, 31, 69, C0, 11, 31, ...] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 847A01E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{E7A81199-F178-45BE-AFC9-402577ECEE41} 8574E1E8 Device \Driver\PCI_PNP8640 \Device\00000050 sptd.sys Device \Driver\usbohci \Device\USBPDO-0 858561E8 Device \Driver\usbohci \Device\USBPDO-1 858561E8 Device \Driver\usbohci \Device\USBPDO-2 858561E8 Device \Driver\usbohci \Device\USBPDO-3 858561E8 Device \Driver\usbohci \Device\USBPDO-4 858561E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{0C6884CE-47C7-4FB8-9EB8-E1EC922A563A} 8574E1E8 Device \Driver\cdrom \Device\CdRom0 857B71E8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8479E1E8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-3 8479E1E8 Device \Driver\atapi \Device\Ide\IdePort0 8479E1E8 Device \Driver\atapi \Device\Ide\IdePort1 8479E1E8 Device \Driver\atapi \Device\Ide\IdePort2 8479E1E8 Device \Driver\atapi \Device\Ide\IdePort3 8479E1E8 Device \Driver\cdrom \Device\CdRom1 857B71E8 Device \Driver\NetBT \Device\NetBt_Wins_Export 8574E1E8 Device \Driver\USBSTOR \Device\0000006a 857861E8 Device \Driver\USBSTOR \Device\0000006b 857861E8 
Device \Driver\usbohci \Device\USBFDO-0 858561E8 Device \Driver\BTHUSB \Device\0000006c bthport.sys Device \Driver\usbohci \Device\USBFDO-1 858561E8 Device \Driver\BTHUSB \Device\0000006e bthport.sys Device \Driver\usbohci \Device\USBFDO-2 858561E8 Device \Driver\usbohci \Device\USBFDO-3 858561E8 Device \Driver\usbohci \Device\USBFDO-4 858561E8 Device \Driver\usbehci \Device\USBFDO-5 858571E8 Device \Driver\NetBT \Device\NetBT_Tcpip_{937879C4-134C-4F1D-AE74-5EEBED85A401} 8574E1E8 Device \Driver\a6hfhfqk \Device\Scsi\a6hfhfqk1 858AA1E8 Device \Driver\a6hfhfqk \Device\Scsi\a6hfhfqk1Port4Path0Target0Lun0 858AA1E8 Device \FileSystem\cdfs \Cdfs 863A8430 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x8479e1e8]<< 8479e1e8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x854ce7d0] 854ce7d0 Trace 3 CLASSPNP.SYS[8925759e] -> nt!IofCallDriver -> [0x8555c918] 8555c918 Trace 5 ACPI.sys[88b5a3b2] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x854d5030] 854d5030 Trace \Driver\atapi[0x850b8328] -> IRP_MJ_CREATE -> 0x8479e1e8 8479e1e8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001d604c86a6 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0x80 0x3C 0x47 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF0 0xFA 0x60 0x14 ... 
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x6B 0x63 0x36 0xFF ... Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{0C6884CE-47C7-4FB8-9EB8-E1EC922A563A}@LeaseObtainedTime 1198191649 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{0C6884CE-47C7-4FB8-9EB8-E1EC922A563A}@T1 1198234849 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{0C6884CE-47C7-4FB8-9EB8-E1EC922A563A}@T2 1198267249 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{0C6884CE-47C7-4FB8-9EB8-E1EC922A563A}@LeaseTerminatesTime 1198278049 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001d604c86a6 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0x80 0x3C 0x47 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xF0 0xFA 0x60 0x14 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xC9 0x88 0x76 0xB0 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe 0xC8 0x27 0x79 0x42 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe 0xCE 0xDA 0xA8 0x4A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0x10 0x6B 0x74 0x52 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe 0x10 0x21 0xCA 0x21 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 0x44 0xEF 0x01 0xD5 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Wooden Seal\bin\utilWoodenSeal.exe 0x53 0xDB 0xFE 0xB9 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\SwiftSearch_1.10.0.25\Update\SwiftSearchAutoUpdateClient.exe 0x3C 0x52 0xFC 0xB6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0x4B 0x1E 0xA7 0xB1 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsd365.exe 0x82 0xC1 0x69 0xBE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\nsp8644.tmp\dlmgn.exe 0xA3 0x85 0x0E 0x43 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsdF565.exe 0xAD 0x07 0x0D 0xF2 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\nse7FD5.tmp\dlmgn.exe 0x02 0x9E 0x4C 0x76 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\nsv9ADC.tmp\dlmgn.exe 0xF9 0x74 0xC7 0xA7 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\avg7B52.exe 0x92 0x0B 0xD6 0x8A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Aramejskie PsP\AppData\Local\Temp\f9626892-7a78-3199-abd2-97bbce96297b\adv_154.exe 0xE7 0x78 0xB6 0x93 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsd38B6.exe 0xFB 0x23 0x6F 0xAA ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\nsm7715.tmp\dlmgn.exe 0x81 0xB0 0x97 0x4C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\nsh7492.tmp\dlmgn.exe 0xD1 0xFB 0x88 0x79 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsdB8FB.exe 0x74 0x9F 0x3E 0x68 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsdB014.exe 0x30 0x51 0x03 0xCC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\nsfC146.tmp\dlmgn.exe 0xEE 0x34 0x21 0x77 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsd4A51.exe 0xBD 0xA8 0xB2 0xB3 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\ARAMEJ~1\AppData\Local\Temp\fsdF98C.exe 0x77 0x51 0xED 0x80 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Aramejskie PsP\Desktop\farbar\FRST.exe 0x7B 0x36 0x2A 0x85 ... 
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Aramejskie PsP\Downloads\9ylfu6o6.exe 0xA1 0x99 0x3F 0x2F ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@F01F674C 34 ---- EOF - GMER 2.1 ----

Reviewer note (not part of the GMER output; added for triage of the log above):
- Timestamps in this log are unreliable. The header reports a scan date of 2007-12-21 on Windows 6.1.7600 with GMER 2.1.19357, which post-date 2007; the DHCP LeaseObtainedTime value 1198191649 (Unix time, ~2007-12-20) agrees with the wrong clock. Do not use any time in this log for timeline reconstruction without correlating against an external source.
- "a6hfhfqk.SYS suspicious PE modification" and the \Driver\a6hfhfqk SCSI devices should be read together with the sptd.sys entries: sptd.sys is loaded, its Cfg key points at "C:\Program Files\Alcohol Soft\Alcohol 120\", and the randomly-named SCSI driver/device pair is the pattern SPTD is known to create. This looks like SPTD rather than malware, but that is an inference — confirm by checking the file's signer/hash or by rescanning after uninstalling SPTD.
- The Trace I/O section ends in ">>UNKNOWN [0x8479e1e8]<<" on the atapi IRP_MJ_CREATE path. The same address is reported for every atapi device, so the disk I/O path is being redirected to code GMER cannot attribute to a module. SPTD is known to sit on the IDE/ATAPI stack, but this is also where MBR/VBR bootkits hook; verify with a second tool or an offline image of Harddisk0 rather than assuming it is benign.
- The KiDispatchInterrupt and ZwRollbackComplete kernel-text entries and the SHFormatDrive user-mode entry are reported without attribution; GMER reports these patterns on many Windows 7 systems, but they are not cleared by this log alone.
- The CIT module list records repeated execution of executables from the user's Temp directory (fsd*.exe, avg7B52.exe, nsXXXX.tmp\dlmgn.exe, adv_154.exe). These are recorded executions, not proof of infection; hash and check each against a reputation source. 9ylfu6o6.exe is the GMER binary itself (see "Running: 9ylfu6o6.exe" in the header), and farbar\FRST.exe appears to be a cleanup tool the user already ran.
- The log contains the user's profile name and a Bluetooth pairing-key registry path (BTHPORT\Parameters\Keys\001d604c86a6); redact before sharing publicly.