GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-17 09:30:24
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\iaStor0 TOSHIBA_ rev.LV01
Running: 5l1isn7z.exe; Driver: C:\Users\Toshiba\AppData\Local\Temp\awldrfow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text    tcpip.sys!EQoSTestHook + FFFA102A                           8A83D0D8 1 Byte  [00]
.text    C:\Windows\system32\DRIVERS\tos_sps32.sys                   section is writeable [0x8AB5D000, 0x4036D, 0xE8000020]
.dsrt    C:\Windows\system32\DRIVERS\tos_sps32.sys                   unknown last section [0x8ABA6000, 0x510, 0x40000040]
.text    C:\Windows\system32\DRIVERS\atikmdag.sys                    section is writeable [0x8E810000, 0x1E73A0, 0xE8000020]
.rsrc    C:\Windows\system32\DRIVERS\cdrom.sys                       entry point in ".rsrc" section [0x8F161014]
.text    C:\Windows\system32\DRIVERS\atksgt.sys                      section is writeable [0x9DCE9300, 0x3B6D8, 0xE8000020]
.text    C:\Windows\system32\DRIVERS\lirsgt.sys                      section is writeable [0x9DD38300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text    C:\Windows\system32\svchost.exe[1612] ntdll.dll!NtQueryInformationProcess    77904E54 5 Bytes  JMP 00BDADCD
.text    C:\Windows\Explorer.EXE[2724] ntdll.dll!NtProtectVirtualMemory               77904D34 5 Bytes  JMP 0088000A
.text    C:\Windows\Explorer.EXE[2724] ntdll.dll!NtWriteVirtualMemory                 77905674 5 Bytes  JMP 0089000A
.text    C:\Windows\Explorer.EXE[2724] ntdll.dll!KiUserExceptionDispatcher            77905DC8 5 Bytes  JMP 0087000A
.text    C:\Windows\system32\svchost.exe[4556] ntdll.dll!NtProtectVirtualMemory       77904D34 5 Bytes  JMP 00A3000A
.text    C:\Windows\system32\svchost.exe[4556] ntdll.dll!NtWriteVirtualMemory         77905674 5 Bytes  JMP 00A4000A
.text    C:\Windows\system32\svchost.exe[4556] ntdll.dll!KiUserExceptionDispatcher    77905DC8 5 Bytes  JMP 009E000A
.text    C:\Windows\system32\svchost.exe[4556] ole32.dll!CoCreateInstance             76259EA6 5 Bytes  JMP 00F7000A
.text    C:\Windows\system32\svchost.exe[4556] USER32.dll!GetCursorPos                771B0B88 5 Bytes  JMP 012B000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                [737E7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                 [7383A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]             [737EBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]       [737DF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                 [737E75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]              [737DE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [73818395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]     [737EDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]             [737DFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]              [737DFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]               [737D71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]       [7386CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]          [7380C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]             [737DD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                       [737D6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                      [737D687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.EXE[2724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]         [737E2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Program Files\Toshiba\Bluetooth Toshiba Stack\TosBtMng.exe[3348] @ C:\Windows\system32\NETAPI32.dll [PSAPI.DLL!GetModuleBaseNameW]    [779D159E] C:\Windows\system32\PSAPI.DLL (Process Status Helper/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice    \Driver\kbdclass \Device\KeyboardClass0    Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)

Device    \Driver\iaStor -> DriverStartIo \Device\Ide\iaStor0    874ABAEA
Device    \Device\Ide\IAAStorageDevice-0 -> \??\IDE#DiskTOSHIBA_MK2552GSX_______________________LV010M__#4&13cabe52&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}    device not found

---- Services - GMER 1.0.15 ----

Service    C:\Windows\system32\svchost.exe (*** hidden *** )    [AUTO] sbkitfsn    <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Services\sbkitfsn@DisplayName    System Update
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sbkitfsn@Type    32
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sbkitfsn@Start    2
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sbkitfsn@ErrorControl    0
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sbkitfsn@ImagePath    %SystemRoot%\system32\svchost.exe -k netsvcs
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sbkitfsn@ObjectName    LocalSystem
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sbkitfsn@Description    Umożliwia programom dla systemu Windows tworzenie, dostęp i modyfikowanie plików w Internecie. Jeśli ta usługa zostanie zatrzymana, funkcje te będą niedostępne. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sbkitfsn\Parameters
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sbkitfsn\Parameters@ServiceDll    C:\Windows\system32\fyxegtbu.dll
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0    1
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew    0x57 0x62 0x93 0x38 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0    C:\Program Files\DAEMON Tools Lite\
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0    0
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12    0x3A 0xCB 0x42 0xFD ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0    0x20 0x01 0x00 0x00 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12    0xE3 0x47 0xA0 0xF1 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12    0xA1 0xBA 0x70 0xD6 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg    HKLM\SYSTEM\ControlSet002\Services\sbkitfsn@DisplayName    System Update
Reg    HKLM\SYSTEM\ControlSet002\Services\sbkitfsn@Type    32
Reg    HKLM\SYSTEM\ControlSet002\Services\sbkitfsn@Start    2
Reg    HKLM\SYSTEM\ControlSet002\Services\sbkitfsn@ErrorControl    0
Reg    HKLM\SYSTEM\ControlSet002\Services\sbkitfsn@ImagePath    %SystemRoot%\system32\svchost.exe -k netsvcs
Reg    HKLM\SYSTEM\ControlSet002\Services\sbkitfsn@ObjectName    LocalSystem
Reg    HKLM\SYSTEM\ControlSet002\Services\sbkitfsn@Description    Umożliwia programom dla systemu Windows tworzenie, dostęp i modyfikowanie plików w Internecie. Jeśli ta usługa zostanie zatrzymana, funkcje te będą niedostępne. Jeśli ta usługa zostanie wyłączona, wszelkie usługi jawnie od niej zależne przestaną się uruchamiać.
Reg    HKLM\SYSTEM\ControlSet002\Services\sbkitfsn\Parameters (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet002\Services\sbkitfsn\Parameters@ServiceDll    C:\Windows\system32\fyxegtbu.dll
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0    1
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew    0x57 0x62 0x93 0x38 ...
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0    C:\Program Files\DAEMON Tools Lite\
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0    0
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12    0x3A 0xCB 0x42 0xFD ...
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0    0x20 0x01 0x00 0x00 ...
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12    0xE3 0x47 0xA0 0xF1 ...
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12    0xA1 0xBA 0x70 0xD6 ...
Reg    HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)

---- Disk sectors - GMER 1.0.15 ----

Disk    \Device\Harddisk0\DR0    sectors 488396912 (+255): rootkit-like behavior;

---- Files - GMER 1.0.15 ----

File    C:\Windows\system32\DRIVERS\cdrom.sys    suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----