GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-19 14:41:58
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\00000059 ST3160813AS rev.CC2H
Running: 9i9rh3qn.exe; Driver: C:\DOCUME~1\gnf\USTAWI~1\Temp\ufldipow.sys

---- Kernel code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB9BAE380, 0x2468FD, 0xE8000020]
.text  ipsec.sys  B61A8000 216 Bytes  [B6, FF, B5, 04, FF, FF, FF, ...]
.text  ipsec.sys  B61A80DA 7 Bytes  [5C, 00, 52, 00, 65, 00, 67]
.text  ipsec.sys  B61A80E2 77 Bytes  [69, 00, 73, 00, 74, 00, 72, ...]
.text  ipsec.sys  B61A8131 10 Bytes  [00, 65, 00, 72, 00, 76, 00, ...]
.text  ipsec.sys  B61A813C 1 Byte  [65]
.text  ...
?      C:\WINDOWS\system32\DRIVERS\ipsec.sys  suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\Explorer.EXE[4240] SHELL32.dll!StrStrW  7C9CEE90 8 Bytes  [E0, 10, 60, 19, 00, 11, 60, ...] {LOOPNZ 0x12; PUSHA ; SBB [EAX], EAX; ADC [EAX+0x19], ESP}

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \SystemRoot\system32\DRIVERS\ipsec.sys[HAL.dll!KfLowerIrql]  C9851475
IAT  \SystemRoot\system32\DRIVERS\ipsec.sys[HAL.dll!KeGetCurrentIrql]  8B662D74
IAT  \SystemRoot\system32\DRIVERS\ipsec.sys[HAL.dll!KfRaiseIrql]  0B660241

---- Modules - GMER 1.0.15 ----

Module  (noname) (*** hidden *** )  BAA68000-BAA76000 (57344 bytes)

---- Threads - GMER 1.0.15 ----

Thread  System [4:344]  BAA6F540
Thread  System [4:348]  BAA6F540
Thread  services.exe [600:1036]  00E5EE96

---- Services - GMER 1.0.15 ----

Service  \\.\globalroot\SystemRoot\system32\svchost.exe (*** hidden *** )  [AUTO] EACSys  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SvcHost@netsvcs  ????ac????????????????J???????????????????????????r?????? ?????????????????????????????????????????n????????????????????????????IExplore????? ??????????????????????????????????????c???????????????????????WWW_OpenURL?????????????????opennew?????? ???????/??????????????????????t????????d????t?????????"C:\Program Files\Internet Explorer\IEXPLORE.EXE" -nohome???????? ???????/?????????????????????????????????n????????????????IExplore????????? ???????/??????????????????????????????c???????????????????????????WWW_OpenURL?????????????????????opennew?????????????????????&Open???? ???????/??????????????????????j????????d????j?????????"C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1??????????????????????????r?????? ???????/?????????????????????????????????n????????????????IExplore????????? ???????/??????????????????????*???????c?????*?????????WWW_OpenURLNewWindow????????????????????&Open???? ???????[??????????????????????j????????d????j?????????"C:\Program Files\Internet Explorer\IEXPLORE.EXE" %1???????????????????

---- Files - GMER 1.0.15 ----

File  C:\WINDOWS\$NtUninstallKB37451$\1281197233  0 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424  0 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\@  2048 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\L  0 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\L\innmapaw  75264 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\loader.tlb  2632 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\U  0 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\U\@00000001  45968 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\U\@000000c0  2560 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\U\@000000cb  704 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\U\@000000cf  1536 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\U\@80000000  73728 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\U\@800000c0  43008 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\U\@800000cb  25600 bytes
File  C:\WINDOWS\$NtUninstallKB37451$\3795095424\U\@800000cf  31232 bytes

---- EOF - GMER 1.0.15 ----