GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-05-15 17:19:00
Windows 5.2.3790 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e WDC_WD1600JS-60NCB1 rev.10.02E02
Running: ns9efh40.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\fxrdypob.sys


---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Exchsrvr\bin\store.exe[4500] kernel32.dll!TerminateProcess  7C802014 5 Bytes  JMP 005F2DBE C:\Program Files\Exchsrvr\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)
.text  C:\Program Files\Exchsrvr\bin\store.exe[4500] kernel32.dll!ExitProcess  7C8268F9 5 Bytes  JMP 005F2D8F C:\Program Files\Exchsrvr\bin\store.exe (Microsoft MDB Store/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Program Files\Exchsrvr\bin\exmgmt.exe[3568] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW]  [4B761B7E] C:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT  C:\Program Files\Exchsrvr\bin\exmgmt.exe[3568] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW]  [4B761AC7] C:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT  C:\WINDOWS\system32\wbem\wmiprvse.exe[3808] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW]  [4B761B7E] C:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT  C:\WINDOWS\system32\wbem\wmiprvse.exe[3808] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW]  [4B761AC7] C:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT  C:\Program Files\Exchsrvr\bin\mad.exe[3928] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW]  [4B761B7E] C:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT  C:\Program Files\Exchsrvr\bin\mad.exe[3928] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW]  [4B761AC7] C:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT  C:\Program Files\Exchsrvr\bin\store.exe[4500] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleBaseNameW]  [4B761B7E] C:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)
IAT  C:\Program Files\Exchsrvr\bin\store.exe[4500] @ C:\WINDOWS\system32\iphlpapi.dll [PSAPI.DLL!GetModuleFileNameExW]  [4B761AC7] C:\Program Files\Exchsrvr\bin\PSAPI.DLL (Process Status Helper/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  sis.sys (Single-Instance Store File System Filter Driver/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\Fastfat \Fat  Dfs.sys (Distributed File System Filter Driver/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service  C:\WINDOWS\System32\sbscrexe.exe (*** hidden *** )  [AUTO] SBCore  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Type  16
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ErrorControl  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ImagePath  %SystemRoot%\System32\sbscrexe.exe
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SBCore@DisplayName  SBCore Service
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SBCore@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SBCore@Description  ?wiadczy podstawowe us?ugi serwera.
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SBCore\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\SBCore@Type  16
Reg  HKLM\SYSTEM\ControlSet003\Services\SBCore@Start  2
Reg  HKLM\SYSTEM\ControlSet003\Services\SBCore@ErrorControl  3
Reg  HKLM\SYSTEM\ControlSet003\Services\SBCore@ImagePath  %SystemRoot%\System32\sbscrexe.exe
Reg  HKLM\SYSTEM\ControlSet003\Services\SBCore@DisplayName  SBCore Service
Reg  HKLM\SYSTEM\ControlSet003\Services\SBCore@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\ControlSet003\Services\SBCore@Description  ?wiadczy podstawowe us?ugi serwera.
Reg  HKLM\SYSTEM\ControlSet003\Services\SBCore\Security (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\SBCore\Security@Security  0x01 0x00 0x14 0x80 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Reliability@LastAliveUptime  701862