A forum for reverse engineering, OS internals and malware analysis 

Forum for announcements and questions about tools and software.
 #1042  by B-boy/StyLe/
 Sat May 08, 2010 10:04 pm
Hello,

A friend can't run RootRepeal.

I'll attach a picture of this error.

Here is the GMER log (does it look like TDL3, or is it because of Daemon Tools)?
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-05-08 00:33:51
Windows 6.0.6002 Service Pack 2
Running: Tool.exe.exe; Driver: C:\Users\Makro\AppData\Local\Temp\pxtcakow.sys


---- System - GMER 1.0.15 ----

SSDT 92FF6068 ZwAlertResumeThread
SSDT 92DFD118 ZwAlertThread
SSDT 93B7BB60 ZwAllocateVirtualMemory
SSDT 914450B0 ZwAlpcConnectPort
SSDT 931F62C8 ZwAssignProcessToJobObject
SSDT 93BB45B0 ZwCreateMutant
SSDT 93BB9F80 ZwCreateSymbolicLinkObject
SSDT 93B7C948 ZwCreateThread
SSDT 931ECF90 ZwDebugActiveProcess
SSDT 93B7C4B8 ZwDuplicateObject
SSDT 93B7B680 ZwFreeVirtualMemory
SSDT 92BF3068 ZwImpersonateAnonymousToken
SSDT 92FFC108 ZwImpersonateThread
SSDT 91446B88 ZwLoadDriver
SSDT 93B7B5A8 ZwMapViewOfSection
SSDT 92BF8138 ZwOpenEvent
SSDT 93B7C9E8 ZwOpenProcess
SSDT 92A5C120 ZwOpenProcessToken
SSDT 92DF9518 ZwOpenSection
SSDT 93B7C588 ZwOpenThread
SSDT 93BB8A78 ZwProtectVirtualMemory
SSDT 92DF9068 ZwResumeThread
SSDT 92DF6120 ZwSetContextThread
SSDT 93B7BE78 ZwSetInformationProcess
SSDT 931EBCA8 ZwSetSystemInformation
SSDT 92BF61B0 ZwSuspendProcess
SSDT 92DFA120 ZwSuspendThread
SSDT 915FB120 ZwTerminateProcess
SSDT 92DFB108 ZwTerminateThread
SSDT 92BFD118 ZwUnmapViewOfSection
SSDT 93B7B8D0 ZwWriteVirtualMemory
SSDT 93BB8238 ZwCreateThreadEx

INT 0x51 ? 89816F00
INT 0x52 ? 89816F00
INT 0x62 ? 8768ABF8
INT 0x72 ? 8768ABF8
INT 0x92 ? 8801EBF8
INT 0x92 ? 89816F00
INT 0x92 ? 8801EBF8
INT 0xA2 ? 89816F00
INT 0xB3 ? 89816F00

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 852EB880 8 Bytes [68, 60, FF, 92, 18, D1, DF, ...] {PUSH 0x1892ff60; RCR EDI, 0x1; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeSetEvent + 131 852EB894 4 Bytes [60, BB, B7, 93]
.text ntkrnlpa.exe!KeSetEvent + 13D 852EB8A0 4 Bytes [B0, 50, 44, 91] {MOV AL, 0x50; INC ESP; XCHG ECX, EAX}
.text ntkrnlpa.exe!KeSetEvent + 191 852EB8F4 4 Bytes [C8, 62, 1F, 93] {ENTER 0x1f62, 0x93}
.text ntkrnlpa.exe!KeSetEvent + 1F5 852EB958 4 Bytes [B0, 45, BB, 93]
.text ...
? System32\Drivers\spvp.sys Het systeem kan het opgegeven pad niet vinden. !
.text USBPORT.SYS!DllUnload 90BC641B 5 Bytes JMP 898164E0
.text acgkvzpd.SYS 9010E000 22 Bytes [82, 33, 21, 85, 6C, 32, 21, ...]
.text acgkvzpd.SYS 9010E017 80 Bytes [00, 32, B7, F9, 8A, 3D, B5, ...]
.text acgkvzpd.SYS 9010E068 24 Bytes [4D, DA, 27, 85, 00, 4F, 28, ...]
.text acgkvzpd.SYS 9010E081 53 Bytes [4A, 28, 85, 98, 5E, 2E, 85, ...]
.text acgkvzpd.SYS 9010E0B7 22 Bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text ...

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8AE926D2] \SystemRoot\System32\Drivers\spvp.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8AE92040] \SystemRoot\System32\Drivers\spvp.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8AE927FC] \SystemRoot\System32\Drivers\spvp.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8AE920BE] \SystemRoot\System32\Drivers\spvp.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8AE9213C] \SystemRoot\System32\Drivers\spvp.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8AEA2048] \SystemRoot\System32\Drivers\spvp.sys
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortNotification] F73BFF33
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortWritePortUchar] B85F0B75
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortWritePortUlong] FFFFFFFE
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 08C25D5E
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortConvertPhysicalAddressToUlong] 5D8B5300
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortGetScatterGatherList] 74DF3B0C
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortReadPortUchar] 01FB8311
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortStallExecution] 5F5B0C74
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortGetParentBusType] FFFFFEB8
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortRequestCallback] C25D5EFF
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortWritePortBufferUshort] 7E390008
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortGetUnCachedExtension] C7077524
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortCompleteRequest] C1642446
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortMoveMemory] 7E399011
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortCompleteAllActiveRequests] C7077528
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortReleaseRequestSenseIrb] C1902846
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortBuildRequestSenseIrb] 468B9011
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortReadPortUshort] 244E8B2C
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortReadPortBufferUshort] 7468016A
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortInitialize] 500000FA
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortGetDeviceBase] C73BD1FF
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortDeviceStateChange] 5F5B0C75

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 880211F8
Device \Driver\volmgr \Device\VolMgrControl 8801C1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{BA55B2B6-B27B-41DD-8D11-B2ACF3CA5B96} 914511F8
Device \Driver\usbuhci \Device\USBPDO-0 877211F8
Device \Driver\usbuhci \Device\USBPDO-1 877211F8
Device \Driver\usbehci \Device\USBPDO-2 8771F1F8
Device \Driver\usbuhci \Device\USBPDO-3 877211F8
Device \Driver\usbuhci \Device\USBPDO-4 877211F8

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\PCI_PNP5076 \Device\00000056 spvp.sys
Device \Driver\usbuhci \Device\USBPDO-5 877211F8
Device \Driver\usbehci \Device\USBPDO-6 8771F1F8
Device \Driver\volmgr \Device\HarddiskVolume1 8801C1F8
Device \Driver\volmgr \Device\HarddiskVolume2 8801C1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{1BB8512B-6E95-418F-A66E-E3CA7617CB6B} 914511F8
Device \Driver\cdrom \Device\CdRom0 8992E1F8
Device \Driver\volmgr \Device\HarddiskVolume3 8801C1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 8801F1F8
Device \Driver\iaStor \Device\Ide\iaStor0 [8B153D30] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 8801F1F8
Device \Driver\atapi \Device\Ide\IdePort1 8801F1F8
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8B153D30] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\netbt \Device\NetBt_Wins_Export 914511F8
Device \Driver\Smb \Device\NetbiosSmb 914771F8
Device \Driver\iScsiPrt \Device\RaidPort0 8992C1F8

AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

Device \Driver\usbuhci \Device\USBFDO-0 877211F8
Device \Driver\usbuhci \Device\USBFDO-1 877211F8
Device \Driver\usbehci \Device\USBFDO-2 8771F1F8
Device \Driver\usbuhci \Device\USBFDO-3 877211F8
Device \Driver\usbuhci \Device\USBFDO-4 877211F8
Device \Driver\usbuhci \Device\USBFDO-5 877211F8
Device \Driver\sptd \Device\1455627088 spvp.sys
Device \Driver\usbehci \Device\USBFDO-6 8771F1F8
Device \Driver\acgkvzpd \Device\Scsi\acgkvzpd1 899691F8
Device \FileSystem\cdfs \Cdfs ABE781F8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 -1718817394
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 -33898185
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE9 0x62 0xCB 0x4E ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x48 0x7D 0x90 0xB1 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x85 0x82 0x13 0x71 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE9 0x62 0xCB 0x4E ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x48 0x7D 0x90 0xB1 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x85 0x82 0x13 0x71 ...

---- EOF - GMER 1.0.15 ----
The error occurs on Windows Vista... The user was updated to SP2, so I'll request a new scan (after Daemon Tools is removed) to see if anything has changed.

Regards,
G.
Attachments
rootrepeal error.jpg
 #1051  by EP_X0FF
 Mon May 10, 2010 3:09 am
Hello,

Probably you have additional security software installed.
Take a hint: before scanning a system with an antirootkit you need to filter out all legit kernel-mode hooking software, like sptd, antiviruses, firewalls etc., because they actually act like rootkits, and the antirootkit logs will be huge and not very useful.

In this case I believe all of these are caused by legit software; however, you should try scanning with different antirootkits if you are still concerned about TDL3.

Regards.
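EP_X0FF's point above (filter out the legitimate kernel-mode hooking software before reading an antirootkit log) and the question in the first post (sptd from Daemon Tools versus TDL3) can be turned into a small triage pass over a GMER log. The following is an added example, not code from this thread, from GMER or from any of the tools named here. The allow-list of known hooking products, the regular expressions for the GMER 1.0.15 line shapes, and the 0x80000000 kernel-address heuristic for 32-bit Windows are my assumptions; the sample log is constructed from a few lines of the log posted above.

```python
"""Triage a GMER antirootkit log: attribute kernel hooks to known legitimate
hooking software so that only unexplained entries remain for a human to review."""
import re
from collections import defaultdict

# Assumed allow-list (not part of GMER): hooking module -> the product it belongs to.
# spvp.sys sits under \Driver\sptd and the sptd Cfg key points at DAEMON Tools Lite;
# SYMTDIV.SYS is labelled "Symantec Corporation" by GMER itself.
KNOWN_LEGIT = {
    "spvp.sys": "Daemon Tools (sptd)",
    "symtdiv.sys": "Norton / Symantec network dispatch driver",
}

# Heuristic (assumption): on 32-bit Windows without /3GB, kernel-mode
# addresses are >= 0x80000000, so smaller "pointers" in a hook table are suspect.
KERNEL_BASE_X86 = 0x80000000

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\S+)")
IAT_RE = re.compile(r"^IAT\s+(\S+?)\[(\S+)\]\s+\[?([0-9A-Fa-f]{8})\]?(?:\s+(\S+))?")
DEVICE_RE = re.compile(r"^(Attached)?Device\s+(\S+)\s+(\S+)\s+(\S+)")

# Constructed sample in the shape of the GMER 1.0.15 log above.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT 92FF6068 ZwAlertResumeThread
SSDT 91446B88 ZwLoadDriver

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8AE926D2] \SystemRoot\System32\Drivers\spvp.sys
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortNotification] F73BFF33
IAT \SystemRoot\System32\Drivers\acgkvzpd.SYS[ataport.SYS!AtaPortGetPhysicalAddress] 08C25D5E

---- Devices - GMER 1.0.15 ----

Device \Driver\sptd \Device\1455627088 spvp.sys
AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\acgkvzpd \Device\Scsi\acgkvzpd1 899691F8
"""


def is_kernel_address(hex_addr):
    """True if the 32-bit value lies in the kernel half of the address space."""
    return int(hex_addr, 16) >= KERNEL_BASE_X86


def basename(path):
    """Last component of an NT path, lower-cased for allow-list lookups."""
    return path.strip("[]").rsplit("\\", 1)[-1].lower()


def classify(line):
    """Return (category, reason) for one GMER hook line, or None for non-hook lines.

    Categories: 'legit' (owned by allow-listed software), 'review' (implausible
    value worth a closer look), 'unattributed' (hook present, owner unknown).
    """
    m = SSDT_RE.match(line)
    if m:
        addr, func = m.groups()
        if not is_kernel_address(addr):
            return "review", f"SSDT {func}: handler {addr} outside kernel range"
        # GMER prints no owning module for these SSDT entries; a module lookup is needed.
        return "unattributed", f"SSDT {func} -> {addr} (owner unknown)"
    m = IAT_RE.match(line)
    if m:
        importer, imported, addr, hooker = m.groups()
        if hooker and basename(hooker) in KNOWN_LEGIT:
            return "legit", f"IAT {basename(importer)}[{imported}] hooked by {KNOWN_LEGIT[basename(hooker)]}"
        if not is_kernel_address(addr):
            return "review", f"IAT {basename(importer)}[{imported}] = {addr}, not a kernel pointer"
        return "unattributed", f"IAT {basename(importer)}[{imported}] -> {hooker or addr}"
    m = DEVICE_RE.match(line)
    if m:
        attached, driver, device, owner = m.groups()
        if basename(owner) in KNOWN_LEGIT:
            return "legit", f"{device} owned by {KNOWN_LEGIT[basename(owner)]}"
        if re.fullmatch(r"[0-9A-Fa-f]{8}", owner):
            return None  # plain object address, nothing hooked on this device
        return "unattributed", f"{device} ({driver}) -> {owner}"
    return None


def triage(log_text):
    """Group every hook line of a GMER log into legit / review / unattributed."""
    buckets = defaultdict(list)
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        result = classify(line)
        if result:
            category, reason = result
            buckets[category].append(reason)
    return dict(buckets)


if __name__ == "__main__":
    for category, reasons in triage(SAMPLE_LOG).items():
        print(f"[{category}]")
        for reason in reasons:
            print("  " + reason)
```

Everything the allow-list explains drops into `legit`; the remaining entries are the ones actually worth a second scan with another antirootkit, which is exactly the filtering step the reply above describes. The kernel-range check is only a plausibility test for 32-bit systems like the Vista machine in this thread, not proof of anything by itself.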
 #1057  by B-boy/StyLe/
 Mon May 10, 2010 10:14 pm
Hello EP_X0FF,

Thank you for your reply. :)
Probably you have additional security software installed.
This isn't my PC, but yes, the user has Norton Internet Security and some leftovers from Avira (which was removed as well).
Take a hint: before scanning a system with an antirootkit you need to filter out all legit kernel-mode hooking software, like sptd, antiviruses, firewalls etc., because they actually act like rootkits, and the antirootkit logs will be huge and not very useful.
Yep, I know that. That's why I said:
Here is the GMER log (does it look like TDL3, or is it because of Daemon Tools)?
and
The user was updated to SP2, so I'll request a new scan (after Daemon Tools is removed) to see if anything has changed.
Usually I use Defogger to disable CD emulator software (Daemon Tools, Alcohol, etc.) that can interfere with rootkit scans, but I forgot to do it this time...

Anyway, nothing suspicious was found in the ComboFix log (thanks to sUBs for confirming that). :)

I'll keep you posted if RootRepeal keeps crashing when the user is back online again. ;)


Regards,
G.