GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-03-19 03:32:33 Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-10 ST3500410AS rev.CC34 Running: g56k53x5.exe; Driver: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\ugldrpod.sys ---- Kernel code sections - GMER 1.0.15 ---- .text C:\windows\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8F80000, 0x238E77, 0xE8000020] .text ipsec.sys AC7C0300 438 Bytes [90, 90, 90, 90, 90, 90, 90, ...] .text ipsec.sys AC7C04B7 253 Bytes [BF, 00, 00, 00, 8B, CF, 2B, ...] .text ipsec.sys AC7C05B5 553 Bytes [10, 8B, CF, 0F, 82, 87, 00, ...] .text ipsec.sys AC7C07DF 44 Bytes [3D, E5, FB, 7C, AC, 00, 0F, ...] .text ipsec.sys AC7C080C 107 Bytes [D8, 0F, 86, C2, 00, 00, 00, ...] .text ... .INIT C:\windows\system32\DRIVERS\ipsec.sys entry point in ".INIT" section [0xAC7CE822] ? C:\windows\system32\DRIVERS\ipsec.sys suspicious PE modification ---- User code sections - GMER 1.0.15 ---- .text C:\windows\Explorer.EXE[568] SHELL32.dll!SHFileOperationW 7CA70A18 5 Bytes JMP 00C01102 C:\Program Files\Unlocker\UnlockerHook.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[3820] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00] ---- Kernel IAT/EAT - GMER 1.0.15 ---- IAT \SystemRoot\system32\DRIVERS\ipsec.sys[HAL.dll!KeGetCurrentIrql] C08501C1 ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET) AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort4 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdePort5 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-10 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology) ---- Modules - GMER 1.0.15 ---- Module (noname) (*** hidden *** ) BA288000-BA297000 (61440 bytes) ---- Threads - GMER 1.0.15 ---- Thread System [4:436] 89CFE540 Thread System [4:440] 89CFE540 Thread services.exe [860:1888] 00F6EE96 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x70 0x48 0x29 0x38 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0x75 0x7D 0x25 0x7E ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x07 0x73 0x26 0xF0 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x59 0xEE 0xE0 0x6D ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x59 0xEE 0xE0 0x6D ... ---- Files - GMER 1.0.15 ---- File C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera\Opera\widgets\029212228881888587061262714864\cache\activity.opr 0 bytes File C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera\Opera\widgets\095662199627340788021262714864\cache\activity.opr 0 bytes File C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera\Opera\widgets\447882524598566388331262714864\cache\activity.opr 0 bytes File C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera\Opera\widgets\587465555343826886281262714864\cache\activity.opr 0 bytes File C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera\Opera\widgets\678892885019664989751262714864\cache\activity.opr 0 bytes File C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera\Opera\widgets\722344576644045187471262714864\cache\activity.opr 0 bytes File C:\Documents and Settings\Administrator\Local Settings\Application Data\Opera\Opera\widgets\818102166360761288961262714864\cache\activity.opr 0 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089 0 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\@ 2048 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\L 0 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\L\jevidmwo 75264 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\loader.tlb 2632 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\U 0 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\U\@00000001 45968 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\U\@000000c0 2560 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\U\@000000cb 3072 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\U\@000000cf 1536 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\U\@80000000 73728 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\U\@800000c0 43008 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\U\@800000cb 25600 bytes File C:\WINDOWS\$NtUninstallKB48361$\4134516089\U\@800000cf 31232 bytes File C:\WINDOWS\$NtUninstallKB48361$\736561576 0 bytes ---- EOF - GMER 1.0.15 ----