After reboot spwd.sys HOOKED, do I wipe?
AVG, malware both run clean.
Here is the log. Lots of strange win32k.sys in shadow SSDT, not sure if it's related.
ROOTREPEAL (c) AD, 2007-2009
==================================================
Scan Start Time: 2010/01/22 01:12
Program Version: Version 1.3.2.0
Windows Version: Windows XP SP3
==================================================

Drivers
-------------------
Name: asddsafsd.sys
Image Path: C:\WINDOWS\system32\drivers\asddsafsd.sys
Address: 0xA4D42000
Size: 49152
File Visible: No
Signed: -
Status: -

Name: dump_atapi.sys
Image Path: C:\WINDOWS\System32\Drivers\dump_atapi.sys
Address: 0xA8508000
Size: 98304
File Visible: No
Signed: -
Status: -

Name: dump_WMILIB.SYS
Image Path: C:\WINDOWS\System32\Drivers\dump_WMILIB.SYS
Address: 0xBA614000
Size: 8192
File Visible: No
Signed: -
Status: -

Name: PCI_PNP3886
Image Path: \Driver\PCI_PNP3886
Address: 0x00000000
Size: 0
File Visible: No
Signed: -
Status: -

Name: sptd
Image Path: \Driver\sptd
Address: 0x00000000
Size: 0
File Visible: No
Signed: -
Status: -

Name: spwb.sys
Image Path: spwb.sys
Address: 0xB9EA6000
Size: 1052672
File Visible: No
Signed: -
Status: -

Hidden/Locked Files
-------------------
Path: C:\Documents and Settings\zb\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρϴϱЄϱЃϵϳЅ
Status: Locked to the Windows API!

Path: C:\Documents and Settings\zb\Application Data\SecuROM\UserData\ЃϵϳЅЂϿϽϯІχϯπρЂϻϵЉЃϵϳЅ
Status: Locked to the Windows API!

SSDT
-------------------
#: 041 Function Name: NtCreateKey
Status: Hooked by "spwb.sys" at address 0xb9ea70e0

#: 071 Function Name: NtEnumerateKey
Status: Hooked by "spwb.sys" at address 0xb9ec5da4

#: 073 Function Name: NtEnumerateValueKey
Status: Hooked by "spwb.sys" at address 0xb9ec6132

#: 119 Function Name: NtOpenKey
Status: Hooked by "spwb.sys" at address 0xb9ea70c0

#: 160 Function Name: NtQueryKey
Status: Hooked by "spwb.sys" at address 0xb9ec620a

#: 177 Function Name: NtQueryValueKey
Status: Hooked by "spwb.sys" at address 0xb9ec608a

#: 247 Function Name: NtSetValueKey
Status: Hooked by "spwb.sys" at address 0xb9ec629c

Stealth Objects
-------------------
Object: Hidden Code [Driver: Ntfs, IRP_MJ_CREATE]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLOSE]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_READ]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_WRITE]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_EA]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_CLEANUP]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Ntfs, IRP_MJ_PNP]
Process: System Address: 0x8a5611f8 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CREATE]
Process: System Address: 0x8a1e5500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_CLOSE]
Process: System Address: 0x8a1e5500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_READ]
Process: System Address: 0x8a1e5500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_WRITE]
Process: System Address: 0x8a1e5500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a1e5500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1e5500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a1e5500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a1e5500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_POWER]
Process: System Address: 0x8a1e5500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a1e5500 Address: 121

Object: Hidden Code [Driver: Cdrom, IRP_MJ_PNP]
Process: System Address: 0x8a1e5500 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CREATE]
Process: System Address: 0x8a5631f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_CLOSE]
Process: System Address: 0x8a5631f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_READ]
Process: System Address: 0x8a5631f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_WRITE]
Process: System Address: 0x8a5631f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a5631f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5631f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5631f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a5631f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_POWER]
Process: System Address: 0x8a5631f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a5631f8 Address: 121

Object: Hidden Code [Driver: dmio, IRP_MJ_PNP]
Process: System Address: 0x8a5631f8 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CREATE]
Process: System Address: 0x8a22f500 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_CLOSE]
Process: System Address: 0x8a22f500 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a22f500 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a22f500 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_POWER]
Process: System Address: 0x8a22f500 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a22f500 Address: 121

Object: Hidden Code [Driver: usbohci, IRP_MJ_PNP]
Process: System Address: 0x8a22f500 Address: 121

Object: Hidden Code [Driver: a81270k3ࠅఖ扏济ACPI#Authent, IRP_MJ_CREATE]
Process: System Address: 0x8a1a7500 Address: 121

Object: Hidden Code [Driver: a81270k3ࠅఖ扏济ACPI#Authent, IRP_MJ_CLOSE]
Process: System Address: 0x8a1a7500 Address: 121

Object: Hidden Code [Driver: a81270k3ࠅఖ扏济ACPI#Authent, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1a7500 Address: 121

Object: Hidden Code [Driver: a81270k3ࠅఖ扏济ACPI#Authent, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a1a7500 Address: 121

Object: Hidden Code [Driver: a81270k3ࠅఖ扏济ACPI#Authent, IRP_MJ_POWER]
Process: System Address: 0x8a1a7500 Address: 121

Object: Hidden Code [Driver: a81270k3ࠅఖ扏济ACPI#Authent, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a1a7500 Address: 121

Object: Hidden Code [Driver: a81270k3ࠅఖ扏济ACPI#Authent, IRP_MJ_PNP]
Process: System Address: 0x8a1a7500 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CREATE]
Process: System Address: 0x8a5d71f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_READ]
Process: System Address: 0x8a5d71f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_WRITE]
Process: System Address: 0x8a5d71f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a5d71f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a5d71f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a5d71f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a5d71f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_CLEANUP]
Process: System Address: 0x8a5d71f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_POWER]
Process: System Address: 0x8a5d71f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a5d71f8 Address: 121

Object: Hidden Code [Driver: Ftdisk, IRP_MJ_PNP]
Process: System Address: 0x8a5d71f8 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CREATE]
Process: System Address: 0x8a198500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLOSE]
Process: System Address: 0x8a198500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a198500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a198500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_CLEANUP]
Process: System Address: 0x8a198500 Address: 121

Object: Hidden Code [Driver: NetBT, IRP_MJ_PNP]
Process: System Address: 0x8a198500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CREATE]
Process: System Address: 0x8a1dc500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_CLOSE]
Process: System Address: 0x8a1dc500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a1dc500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a1dc500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_POWER]
Process: System Address: 0x8a1dc500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a1dc500 Address: 121

Object: Hidden Code [Driver: usbehci, IRP_MJ_PNP]
Process: System Address: 0x8a1dc500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_NAMED_PIPE]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLOSE]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_READ]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_WRITE]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_EA]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_EA]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FLUSH_BUFFERS]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_VOLUME_INFORMATION]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_INTERNAL_DEVICE_CONTROL]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CLEANUP]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_CREATE_MAILSLOT]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_SECURITY]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_SECURITY]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_POWER]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SYSTEM_CONTROL]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_DEVICE_CHANGE]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_QUERY_QUOTA]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_SET_QUOTA]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: MRxSmb, IRP_MJ_PNP]
Process: System Address: 0x8a248500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_CREATE]
Process: System Address: 0x8a204500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_CLOSE]
Process: System Address: 0x8a204500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_READ]
Process: System Address: 0x8a204500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_QUERY_INFORMATION]
Process: System Address: 0x8a204500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_SET_INFORMATION]
Process: System Address: 0x8a204500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_QUERY_VOLUME_INFORMATION]
Process: System Address: 0x8a204500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_DIRECTORY_CONTROL]
Process: System Address: 0x8a204500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_FILE_SYSTEM_CONTROL]
Process: System Address: 0x8a204500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_DEVICE_CONTROL]
Process: System Address: 0x8a204500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_SHUTDOWN]
Process: System Address: 0x8a204500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_LOCK_CONTROL]
Process: System Address: 0x8a204500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_CLEANUP]
Process: System Address: 0x8a204500 Address: 121

Object: Hidden Code [Driver: CdfsЅ౨瑎晦܂Èੈ, IRP_MJ_PNP]
Process: System Address: 0x8a204500 Address: 121

==EOF==