GMER 1.0.15.15641 -
http://www.gmer.net
Rootkit scan 2012-06-18 21:18:50
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9250315AS rev.0002SDM1
Running: gmer.exe; Driver: C:\DOCUME~1\CAROLY~1\LOCALS~1\Temp\kxtdapog.sys
---- System - GMER 1.0.15 ----
SSDT sptd.sys ZwCreateKey [0xB9ECFA50]
SSDT sptd.sys ZwEnumerateKey [0xB9F03FFE]
SSDT sptd.sys ZwEnumerateValueKey [0xB9F0438C]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0xA65C5004]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0xA65C50D4]
SSDT sptd.sys ZwOpenKey [0xB9ECFA30]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA65C4D76]
SSDT sptd.sys ZwQueryKey [0xB9F04464]
SSDT sptd.sys ZwQueryValueKey [0xB9F042E4]
SSDT sptd.sys ZwSetValueKey [0xB9F044F6]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA65C4E1E]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA65C4EBA]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA65C4F56]
INT 0x63 ? 8AE10CC8
INT 0x63 ? 8AE10CC8
INT 0x63 ? 8AE10CC8
INT 0x63 ? 8AE10CC8
INT 0x63 ? 8ABFBCC8
INT 0x63 ? 8ABFBCC8
INT 0x63 ? 8AE10CC8
INT 0x94 ? 8ABFBCC8
INT 0xA4 ? 8ABFBCC8
INT 0xB4 ? 8ABFBCC8
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 2DAC 80504648 2 Bytes [76, 4D] {JBE 0x4f}
.text sptd.sys B9E95000 4 Bytes [A6, BB, 6E, 80]
.text sptd.sys B9E95005 27 Bytes [69, 6E, 80, 30, 68, 6E, 80, ...]
.text sptd.sys B9E95024 4 Bytes [74, 7F, E8, B9]
.text sptd.sys B9E9502C 88 Bytes [B4, 1A, 5E, 80, 76, 86, 5E, ...]
.text sptd.sys B9E95085 156 Bytes [57, 53, 80, 44, A2, 4F, 80, ...]
.text ...
.sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB9F8CD38]
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload B8CC18AC 5 Bytes JMP 8ABFB1D8
.text a1qr7h9i.SYS B8A95306 50 Bytes [00, 00, 00, 48, 03, 00, F0, ...]
.text a1qr7h9i.SYS B8A95339 23 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a1qr7h9i.SYS B8A95351 87 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text a1qr7h9i.SYS B8A953A9 10 Bytes [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text a1qr7h9i.SYS B8A953B4 12 Bytes [40, 00, 00, C8, 50, 41, 47, ...] {INC EAX; ADD [EAX], AL; ENTER 0x4150, 0x47; INC EBP; ADD [EAX], AL; ADD [EAX], AL}
.text ...
init C:\WINDOWS\system32\drivers\monfilt.sys entry point in "init" section [0xA84D8280]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [B9E96574] sptd.sys
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [B9E960C0] sptd.sys
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [B9E96FE0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [B9E960C0] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [B9E96362] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [B9E962A4] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [B9E971BC] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [B9E96FE0] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EAB312] sptd.sys
IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[HAL.dll!KeGetCurrentIrql] 5E0001F4
IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[HAL.dll!KfAcquireSpinLock] C2C95B5F
IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[HAL.dll!KfReleaseSpinLock] 5F380008
IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[HAL.dll!KfRaiseIrql] 56227411
IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[HAL.dll!KfLowerIrql] A9763A68
IAT \SystemRoot\System32\Drivers\a1qr7h9i.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx] F7C31352
---- Devices - GMER 1.0.15 ----
Device \FileSystem\Ntfs \Ntfs 8AE0F1F8
AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \FileSystem\Ntfs \Ntfs AsDsm.sys (Data Security Manager Driver/ASUSTek Computer Inc)
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-0 8ABFA1F8
Device \Driver\usbehci \Device\USBPDO-1 8ABD81F8
Device \Driver\usbuhci \Device\USBPDO-2 8ABFA1F8
Device \Driver\usbuhci \Device\USBPDO-3 8ABFA1F8
Device \Driver\usbuhci \Device\USBPDO-4 8ABFA1F8
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBPDO-5 8ABFA1F8
Device \Driver\usbehci \Device\USBPDO-6 8ABD81F8
Device \Driver\usbuhci \Device\USBPDO-7 8ABFA1F8
Device \Driver\Cdrom \Device\CdRom0 8AB303A0
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort3 [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9DE9B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 8AB303A0
Device \Driver\NetBT \Device\NetBt_Wins_Export 8A5031F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{E9444515-56BF-446C-8E1D-97E9ED9B937B} 8A5031F8
Device \Driver\NetBT \Device\NetbiosSmb 8A5031F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{9C8FE2C6-5E15-43BE-B1A7-20162ABF33FA} 8A5031F8
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\PCI_PNP8472 \Device\0000005d sptd.sys
Device \Driver\PCI_PNP8472 \Device\0000005d sptd.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbuhci \Device\USBFDO-0 8ABFA1F8
Device \Driver\usbuhci \Device\USBFDO-1 8ABFA1F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 896AF1F8
Device \Driver\usbuhci \Device\USBFDO-2 8ABFA1F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 896AF1F8
Device \Driver\usbehci \Device\USBFDO-3 8ABD81F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{6C1DE315-5661-4764-8FB9-ED7F722BD42A} 8A5031F8
Device \Driver\usbuhci \Device\USBFDO-4 8ABFA1F8
Device \Driver\usbuhci \Device\USBFDO-5 8ABFA1F8
Device \Driver\usbuhci \Device\USBFDO-6 8ABFA1F8
Device \Driver\usbehci \Device\USBFDO-7 8ABD81F8
Device \Driver\a1qr7h9i \Device\Scsi\a1qr7h9i1Port4Path0Target0Lun0 8AAFD1F8
Device \Driver\a1qr7h9i \Device\Scsi\a1qr7h9i1 8AAFD1F8
Device \FileSystem\Cdfs \Cdfs 8A5311F8
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB9 0x78 0x43 0xDE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0E 0xF9 0xCB 0x1B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x63 0x2A 0xFD 0x58 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB9 0x78 0x43 0xDE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0E 0xF9 0xCB 0x1B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x63 0x2A 0xFD 0x58 ...
---- Files - GMER 1.0.15 ----
File C:\ADSM_PData_0150 0 bytes
File C:\ADSM_PData_0150\DB 0 bytes
File C:\ADSM_PData_0150\DB\SI.db 624 bytes
File C:\ADSM_PData_0150\DB\UL.db 16 bytes
File C:\ADSM_PData_0150\DB\VL.db 16 bytes
File C:\ADSM_PData_0150\DB\WAL.db 2048 bytes
File C:\ADSM_PData_0150\DragWait.exe 315392 bytes executable
File C:\ADSM_PData_0150\_avt 512 bytes
---- EOF - GMER 1.0.15 ----