GMER 1.0.15.14972 - http://www.gmer.net
Rootkit scan 2009-07-23 16:46:16
Windows 5.1.2600 Service Pack 2

---- System - GMER 1.0.15 ----

SSDT sptd.sys ZwEnumerateKey [0xF8451D1C]
SSDT sptd.sys ZwEnumerateValueKey [0xF84520BC]
SSDT sptd.sys ZwQueryKey [0xF8452194]
SSDT sptd.sys ZwQueryValueKey [0xF8452014]
SSDT sptd.sys ZwSetValueKey [0xF8452226]
SSDT \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x804D70D9]
SSDT \WINDOWS\system32\TUKERNEL.EXE[unknown section] [804D70D9] ZwCreateKey [0x804D70D9]
SSDT \WINDOWS\system32\TUKERNEL.EXE (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x804D70DE]
SSDT \WINDOWS\system32\TUKERNEL.EXE[unknown section] [804D70DE] ZwOpenKey [0x804D70DE]

INT 0x03 \WINDOWS\system32\TUKERNEL.EXE[unknown section] 804D70E3

---- Kernel code sections - GMER 1.0.15 ----

.text TUKERNEL.EXE!_abnormal_termination + F3 804E2DC4 3 Bytes [D9, 70, 4D] {FNSTENV [EAX+0x4d]}
.text TUKERNEL.EXE!_abnormal_termination + 22B 804E2EFC 3 Bytes [DE, 70, 4D] {FIDIV WORD [EAX+0x4d]}
? C:\WINDOWS\system32\drivers\sptd.sys The process cannot access the file because it is being used by another process.
.text USBPORT.SYS!DllUnload F7B5362C 5 Bytes JMP 81EA0970
? System32\Drivers\axj13y0k.SYS The system cannot find the path specified.
!
---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F844DAB6] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F844DBEE] sptd.sys
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F844DB76] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F844E71C] sptd.sys
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F844E5F2] sptd.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F84727AE] sptd.sys

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8236F1D8
AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
Device \FileSystem\Fastfat \FatCdrom 82005990
Device \FileSystem\Udfs \UdfsCdRom 81FED990
Device \FileSystem\Udfs \UdfsDisk 81FED990
AttachedDevice \Driver\Tcpip \Device\Ip nltdi.sys (NetLimiter Driver/Locktime Software)
Device \Driver\usbuhci \Device\USBPDO-0 81FA4700
Device \Driver\00000058 \Device\00000051 sptd.sys
Device \Driver\dmio \Device\DmControl\DmIoDaemon 823711D8
Device \Driver\dmio \Device\DmControl\DmConfig 823711D8
Device \Driver\dmio \Device\DmControl\DmPnP 823711D8
Device \Driver\dmio \Device\DmControl\DmInfo 823711D8
Device \Driver\usbuhci \Device\USBPDO-1 81FA4700
Device \Driver\usbuhci \Device\USBPDO-2 81FA4700
Device \Driver\usbehci \Device\USBPDO-3 81ECB990
AttachedDevice \Driver\Tcpip \Device\Tcp nltdi.sys (NetLimiter Driver/Locktime Software)
Device \Driver\Ftdisk \Device\HarddiskVolume1 823D91D8
Device \Driver\Ftdisk \Device\HarddiskVolume2 823D91D8
Device \Driver\Cdrom \Device\CdRom0 81E7F990
Device \Driver\aksusb \Device\00000072 AKSCLASS.SYS (Aladdin Class Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Ftdisk \Device\HarddiskVolume3 823D91D8
Device \Driver\Cdrom \Device\CdRom1 81E7F990
Device \Driver\atapi \Device\Ide\IdePort0 823D81D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 823D81D8
Device \Driver\atapi \Device\Ide\IdePort1 823D81D8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c 823D81D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 823D81D8
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 823D81D8
Device \Driver\Ftdisk \Device\HarddiskVolume4 823D91D8
Device \Driver\Cdrom \Device\CdRom2 81E7F990
Device \Driver\Ftdisk \Device\HarddiskVolume5 823D91D8
Device \Driver\Cdrom \Device\CdRom3 81E7F990
Device \Driver\Ftdisk \Device\HarddiskVolume6 823D91D8
Device \Driver\NetBT \Device\NetBt_Wins_Export 81FE2470
Device \Driver\NetBT \Device\NetbiosSmb 81FE2470
AttachedDevice \Driver\Tcpip \Device\Udp nltdi.sys (NetLimiter Driver/Locktime Software)
Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp nltdi.sys (NetLimiter Driver/Locktime Software)
Device \Driver\Disk \Device\Harddisk1\DR1 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\NetBT \Device\NetBT_Tcpip_{E97A595D-D3FC-4623-865B-BAF5FD426830} 81FE2470
Device \Driver\usbuhci \Device\USBFDO-0 81FA4700
Device \Driver\Disk \Device\Harddisk2\DR2 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\usbuhci \Device\USBFDO-1 81FA4700
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 81FDE990
Device \Driver\usbuhci \Device\USBFDO-2 81FA4700
Device \FileSystem\MRxSmb \Device\LanmanRedirector 81FDE990
Device \Driver\usbehci \Device\USBFDO-3 81ECB990
Device \Driver\Ftdisk \Device\FtControl 823D91D8
Device \Driver\axj13y0k \Device\Scsi\axj13y0k1Port2Path0Target0Lun0 81FBD990
Device \Driver\axj13y0k \Device\Scsi\axj13y0k1Port2Path0Target2Lun0 81FBD990
Device \Driver\axj13y0k \Device\Scsi\axj13y0k1 81FBD990
Device \Driver\axj13y0k \Device\Scsi\axj13y0k1Port2Path0Target1Lun0 81FBD990
Device \FileSystem\Fastfat \Fat 82005990
AttachedDevice \FileSystem\Fastfat \Fat amon.sys (Amon monitor/Eset )
Device \FileSystem\Cdfs \Cdfs 81EE8990

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 1135014506
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 925480301
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x41 0xB7 0xE6 0x56 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x13 0x2E 0xD3 0x41 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6D 0xD4 0x06 0x77 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xBC 0xE2 0xD3 0x49 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x3B 0xD1 0x83 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x41 0xB7 0xE6 0x56 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x13 0x2E 0xD3 0x41 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x6D 0xD4 0x06 0x77 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0xBC 0xE2 0xD3 0x49 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf42@khjeh 0x3B 0xD1 0x83 0x05 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION