GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-23 19:04:06
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\ahcix861Port2Path0Target0Lun0 Seagate_ rev.CC35
Running: ehrpd627.exe; Driver: C:\DOCUME~1\deus\USTAWI~1\Temp\axldrpoc.sys

---- System - GMER 1.0.15 ----

SSDT 88F56C90 ZwAssignProcessToJobObject
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwCreateKey [0xB812887E]
SSDT 88F57200 ZwDebugActiveProcess
SSDT 88F572F0 ZwDuplicateObject
SSDT 88F56590 ZwOpenProcess
SSDT 88F56800 ZwOpenThread
SSDT 88F56FD0 ZwProtectVirtualMemory
SSDT 88F570E0 ZwQueueApcThread
SSDT 88F56EC0 ZwSetContextThread
SSDT 88F56D90 ZwSetInformationThread
SSDT 88F53DA0 ZwSetSecurityObject
SSDT Lbd.sys (Boot Driver/Lavasoft AB) ZwSetValueKey [0xB8128BFE]
SSDT 88F56B90 ZwSuspendProcess
SSDT 88F56A80 ZwSuspendThread
SSDT 88F566E0 ZwTerminateProcess
SSDT 88F56A50 ZwTerminateThread
SSDT 88F576D0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB3352000, 0x2C28EE, 0xE8000020]
init C:\WINDOWS\system32\drivers\p17xfilt.sys entry point in "init" section [0xB2FE23C0]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1216] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3856] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Ntfs \Ntfs Sahara.sys (SafeGuard PortProtector Driver/Utimaco Safeware AG)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 Sahara.sys (SafeGuard PortProtector Driver/Utimaco Safeware AG)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 Sahara.sys (SafeGuard PortProtector Driver/Utimaco Safeware AG)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpm251.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 Sahara.sys (SafeGuard PortProtector Driver/Utimaco Safeware AG)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 snapman.sys (Acronis Snapshot API/Acronis)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
Device \Driver\ahcix86 \Device\Scsi\ahcix861Port2Path0Target0Lun0 Sidney.sys (SafeGuard PortProtector Driver/Utimaco Safeware AG)
Device \Driver\ahcix86 \Device\Scsi\ahcix861 Sidney.sys (SafeGuard PortProtector Driver/Utimaco Safeware AG)
Device \Driver\ahcix86 \Device\Scsi\ahcix861Port2Path0TargetaLun0 Sidney.sys (SafeGuard PortProtector Driver/Utimaco Safeware AG)
Device \Driver\ahcix86 \Device\Scsi\ahcix861Port2Path0Target1Lun0 Sidney.sys (SafeGuard PortProtector Driver/Utimaco Safeware AG)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001583b82740
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001583b82740 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000

---- EOF - GMER 1.0.15 ----