Here is the GMER log file from the XP system:
Code:
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-27 03:45:25
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD80 rev.04.0
Running: tz4dxvp7.exe; Driver: C:\DOKUME~1\Admin\LOKALE~1\Temp\fgtdapog.sys

---- System - GMER 1.0.15 ----

SSDT BA7FEE24 ZwClose
SSDT BA7FEDDE ZwCreateKey
SSDT BA7FEE2E ZwCreateSection
SSDT BA7FEDD4 ZwCreateThread
SSDT BA7FEDE3 ZwDeleteKey
SSDT BA7FEDED ZwDeleteValueKey
SSDT BA7FEE1F ZwDuplicateObject
SSDT speq.sys ZwEnumerateKey [0xB9EC6CA2]
SSDT speq.sys ZwEnumerateValueKey [0xB9EC7030]
SSDT BA7FEDF2 ZwLoadKey
SSDT speq.sys ZwOpenKey [0xB9EA80C0]
SSDT BA7FEDC0 ZwOpenProcess
SSDT BA7FEDC5 ZwOpenThread
SSDT speq.sys ZwQueryKey [0xB9EC7108]
SSDT BA7FEE47 ZwQueryValueKey
SSDT BA7FEDFC ZwReplaceKey
SSDT BA7FEE38 ZwRequestWaitReplyPort
SSDT BA7FEDF7 ZwRestoreKey
SSDT BA7FEE33 ZwSetContextThread
SSDT BA7FEE3D ZwSetSecurityObject
SSDT BA7FEDE8 ZwSetValueKey
SSDT BA7FEE42 ZwSystemDebugControl
SSDT BA7FEDCF ZwTerminateProcess

INT 0x63 ? 8AF93BF8
INT 0x83 ? 8A493BF8
INT 0xA4 ? 8A493BF8
INT 0xB4 ? 8A493BF8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504870 4 Bytes CALL 930AC862 \SystemRoot\system32\drivers\RtkHDAud.sys (Realtek(r) High Definition Audio Function Driver/Realtek Semiconductor Corp.)
? rkdwphc.sys Das System kann die angegebene Datei nicht finden. !
? speq.sys Das System kann die angegebene Datei nicht finden. !
.text USBPORT.SYS!DllUnload B82BF8AC 5 Bytes JMP 8A4931D8
.text aiywevw7.SYS B823A386 35 Bytes [00, 00, 00, 00, 00, 00, 20, ...]
.text aiywevw7.SYS B823A3AA 24 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text aiywevw7.SYS B823A3C4 3 Bytes [00, 70, 02] {ADD [EAX+0x2], DH}
.text aiywevw7.SYS B823A3C9 1 Byte [2E]
.text aiywevw7.SYS B823A3C9 11 Bytes [2E, 00, 00, 00, 5A, 02, 00, ...]
.text ...
.text C:\WINDOWS\system32\drivers\ACEDRV07.sys section is writeable [0x8DF8E000, 0x328BA, 0xE8000020]
.pklstb C:\WINDOWS\system32\drivers\ACEDRV07.sys entry point in ".pklstb" section [0x8DFD2000]
.relo2 C:\WINDOWS\system32\drivers\ACEDRV07.sys unknown last section [0x8DFEE000, 0x8E, 0x42000040]

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [B9EB9048] speq.sys
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KfAcquireSpinLock] C0840CEC
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!READ_PORT_UCHAR] 053C0D74
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KeGetCurrentIrql] 57B80974
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KfRaiseIrql] 8B000000
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KfLowerIrql] 56C35DE5
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!HalGetInterruptVector] 8D08758B
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!HalTranslateBusAddress] 8D51FC4D
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KeStallExecutionProcessor] 8D52FD55
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!KfReleaseSpinLock] 8D51FE4D
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!READ_PORT_BUFFER_USHORT] 8D52FF55
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!READ_PORT_USHORT] 8D51F84D
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!WRITE_PORT_BUFFER_USHORT] 5052F455
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[HAL.dll!WRITE_PORT_UCHAR] EACAE856
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[WMILIB.SYS!WmiSystemControl] 0FC08520
IAT \SystemRoot\System32\Drivers\aiywevw7.SYS[WMILIB.SYS!WmiCompleteRequest] 0001B185

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Programme\Cisco Systems\VPN Client\cvpnd.exe[260] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00F52BC8] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Programme\Cisco Systems\VPN Client\cvpnd.exe[260] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!UnhandledExceptionFilter] [00F52CE9] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\Programme\Cisco Systems\VPN Client\cvpnd.exe[260] @ C:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess] [00F52CB8] C:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT C:\WINDOWS\system32\services.exe[944] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] [10004780] C:\WINDOWS\SuRunExt.dll (Shell extension for SuRun/http://kay-bruns.de)
IAT C:\WINDOWS\system32\services.exe[944] @ C:\WINDOWS\system32\USERENV.dll [ADVAPI32.dll!CreateProcessAsUserW] [10004780] C:\WINDOWS\SuRunExt.dll (Shell extension for SuRun/http://kay-bruns.de)
IAT C:\WINDOWS\system32\services.exe[944] @ C:\WINDOWS\system32\SHELL32.dll [ADVAPI32.dll!CreateProcessAsUserW] [10004780] C:\WINDOWS\SuRunExt.dll (Shell extension for SuRun/http://kay-bruns.de)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8AF921F8
Device \FileSystem\Fastfat \FatCdrom 89C2B500
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\usbehci \Device\USBPDO-0 8A4661F8
Device \Driver\usbuhci \Device\USBPDO-1 8A494500
Device \Driver\usbuhci \Device\USBPDO-2 8A494500
Device \Driver\usbuhci \Device\USBPDO-3 8A494500
Device \Driver\usbuhci \Device\USBPDO-4 8A494500
Device \Driver\NetBT \Device\NetBT_Tcpip_{DB3E04D1-8DE6-4C50-BB55-69359C5007EC} 8947E1F8
Device \Driver\sptd \Device\2299846978 speq.sys
Device \Driver\Ftdisk \Device\HarddiskVolume1 8B0041F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
Device \Driver\PCI_PNP1978 \Device\00000064 speq.sys
Device \Driver\Ftdisk \Device\HarddiskVolume2 8B0041F8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys (Hotbackup helper driver/Paragon Software Group)
Device \Driver\Cdrom \Device\CdRom0 89FE11F8
Device \Driver\iaStor \Device\Ide\iaStor0 [B9DAD580] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [B9DAD580] iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBt_Wins_Export 8947E1F8
Device \Driver\NetBT \Device\NetbiosSmb 8947E1F8
Device \Driver\usbuhci \Device\USBFDO-0 8A494500
Device \Driver\usbuhci \Device\USBFDO-1 8A494500
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 894631F8
Device \Driver\usbuhci \Device\USBFDO-2 8A494500
Device \FileSystem\MRxSmb \Device\LanmanRedirector 894631F8
Device \Driver\usbuhci \Device\USBFDO-3 8A494500
Device \Driver\usbehci \Device\USBFDO-4 8A4661F8
Device \Driver\Ftdisk \Device\FtControl 8B0041F8
Device \Driver\aiywevw7 \Device\Scsi\aiywevw71 8A4011F8
Device \Driver\aiywevw7 \Device\Scsi\aiywevw71Port1Path0Target0Lun0 8A4011F8
Device \FileSystem\Fastfat \Fat 89C2B500
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 89E37500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0009dd508fcb
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a2b7
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a2b7@00234507d7b2 0x62 0x9E 0x6E 0x90 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a2b7@6c0e0dc8b9f2 0xCC 0x3F 0x33 0x6D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310@6c0e0dc8b9f2 0x08 0xC3 0x82 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f81000830
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001f81000830@6c0e0dc8b9f2 0xD5 0xD3 0x93 0x61 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8D 0xDC 0xAD 0x25 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x73 0x83 0x43 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5D 0xF0 0xBE 0x2E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x12 0xFD 0x00 0xCC ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0009dd508fcb (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a2b7 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a2b7@00234507d7b2 0x62 0x9E 0x6E 0x90 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a2b7@6c0e0dc8b9f2 0xCC 0x3F 0x33 0x6D ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a310@6c0e0dc8b9f2 0x08 0xC3 0x82 0x05 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001f81000830 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001f81000830@6c0e0dc8b9f2 0xD5 0xD3 0x93 0x61 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Programme\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x8D 0xDC 0xAD 0x25 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x73 0x83 0x43 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x5D 0xF0 0xBE 0x2E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf41@khjeh 0x12 0xFD 0x00 0xCC ...
Reg HKLM\SOFTWARE\Classes\CLSID\{B6A930A0-A4F5-43A5-9B4E-6189A6C2B9E8}@y!s!\24!r!s!`!\30!y!\24!\24!t!\30!c!y!s!d! 19583823

---- Files - GMER 1.0.15 ----

File C:\Dokumente und Einstellungen\Konto\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\HFXJENE8\www.iheartradio.com.\CCBRadioStationFavorites_008.sol 1285 bytes
File C:\Dokumente und Einstellungen\Konto\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\HFXJENE8\www.iheartradio.com.\s_br.sol 35 bytes
File C:\Dokumente und Einstellungen\Konto\Anwendungsdaten\Macromedia\Flash Player\#SharedObjects\HFXJENE8\www.island985.com.\s_br.sol 35 bytes
File C:\Dokumente und Einstellungen\Konto\Anwendungsdaten\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.iheartradio.com.\settings.sol 90 bytes
File C:\Dokumente und Einstellungen\Konto\Anwendungsdaten\Macromedia\Flash Player\macromedia.com\support\flashplayer\sys\#www.island985.com.\settings.sol 88 bytes