GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-02-15 15:00:32
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e Hitachi_HTS542516K9SA00 rev.BBCOC31P
Running: 6fkwfmp5.exe; Driver: C:\DOCUME~1\Rafael\USTAWI~1\Temp\pxtdrpoc.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG) ZwClose [0xBA479376]
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG) ZwCreateKey [0xBA47A420]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xB9F82A20]
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG) ZwDeleteKey [0xBA47A55C]
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG) ZwDeleteValueKey [0xBA47A57E]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateKey [0xB9F832A8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwEnumerateValueKey [0xB9F8E910]
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG) ZwOpenKey [0xBA47A4B4]
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG) ZwOpenProcess [0xBA47A2FE]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryKey [0xB9F832C8]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwQueryValueKey [0xB9F8E866]
SSDT d347bus.sys (PnP BIOS Extension/ ) ZwSetSystemPowerState [0xB9F8E0B0]
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG) ZwSetValueKey [0xBA47A52E]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CEC 80504558 4 Bytes JMP AB2AFF55
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB96A0000, 0x189F82, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[1216] ntdll.dll!NtLockProductActivationKeys 7C90D4AE 5 Bytes JMP 10001000 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\system32\winlogon.exe[1216] USER32.dll!GetSystemMetrics 7E368F9C 5 Bytes JMP 10001018 C:\WINDOWS\system32\antiwpa.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisCloseAdapter] [BA3420A4] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [BA342114] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisDeregisterProtocol] [BA342368] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisRegisterProtocol] [BA34233E] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol] [BA34233E] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [BA342114] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter] [BA3420A4] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol] [BA342368] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol] [BA342368] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol] [BA34233E] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter] [BA342114] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter] [BA3420A4] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol] [BA34233E] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter] [BA3420A4] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [BA342114] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol] [BA342368] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA3420A4] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [BA342114] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol] [BA34233E] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol] [BA342368] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol] [BA34233E] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [BA342114] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter] [BA3420A4] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol] [BA34233E] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol] [BA342368] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter] [BA3420A4] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [BA342114] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 89DDFA80
AttachedDevice \FileSystem\Ntfs \Ntfs tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \FileSystem\Ntfs \Ntfs oodisrh.sys (O&O DiskImage Snapshot/Restore Helper Driver (Win32)/O&O Software GmbH)
AttachedDevice \FileSystem\Ntfs \Ntfs oodivdh.sys (O&O DiskImage Virtual Disk Helper Driver (Win32)/O&O Software GmbH)
Device \Driver\Tcpip \Device\Ip GDTdiIcpt.sys (G Data Software AG)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\BTHUSB \Device\0000009f bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\Tcpip \Device\Tcp GDTdiIcpt.sys (G Data Software AG)
Device \Driver\BTHUSB \Device\000000a1 bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 oodisrh.sys (O&O DiskImage Snapshot/Restore Helper Driver (Win32)/O&O Software GmbH)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 oodivdh.sys (O&O DiskImage Virtual Disk Helper Driver (Win32)/O&O Software GmbH)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 oodivd.sys (O&O DiskImage Virtual Disk Driver (Win32)/O&O Software GmbH)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 oodisrh.sys (O&O DiskImage Snapshot/Restore Helper Driver (Win32)/O&O Software GmbH)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 oodivdh.sys (O&O DiskImage Virtual Disk Helper Driver (Win32)/O&O Software GmbH)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 oodivd.sys (O&O DiskImage Virtual Disk Driver (Win32)/O&O Software GmbH)
Device \Driver\Cdrom \Device\CdRom0 89C996D0
Device \FileSystem\Rdbss \Device\FsWrap 88E243B8
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 tdrpm258.sys (Acronis Try&Decide Volume Filter Driver/Acronis)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 oodisrh.sys (O&O DiskImage Snapshot/Restore Helper Driver (Win32)/O&O Software GmbH)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 oodivdh.sys (O&O DiskImage Virtual Disk Helper Driver (Win32)/O&O Software GmbH)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 oodivd.sys (O&O DiskImage Virtual Disk Driver (Win32)/O&O Software GmbH)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 89BBD368
Device \Driver\atapi \Device\Ide\IdePort0 89BBD368
Device \Driver\atapi \Device\Ide\IdePort1 89BBD368
Device \Driver\atapi \Device\Ide\IdePort2 89BBD368
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e 89BBD368
Device \FileSystem\Srv \Device\LanmanServer 856106C0
Device \Driver\Tcpip \Device\Udp GDTdiIcpt.sys (G Data Software AG)
Device \Driver\Tcpip \Device\RawIp GDTdiIcpt.sys (G Data Software AG)
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8915AD88
Device \Driver\Tcpip \Device\IPMULTICAST GDTdiIcpt.sys (G Data Software AG)
Device \FileSystem\MRxSmb \Device\LanmanRedirector 8915AD88
Device \FileSystem\Npfs \Device\NamedPipe 89744630
Device \FileSystem\Msfs \Device\Mailslot 88E23550
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer 890280C0
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer 890280C0
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer 890280C0
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer 890280C0
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer 890280C0
Device \FileSystem\Cdfs \Cdfs 88DED9E8

---- Modules - GMER 1.0.15 ----

Module _________ B9EE4000-B9EFC000 (98304 bytes)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0022151f5a34
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40
Reg HKLM\SYSTEM\CurrentControlSet\Services\d347prt\Cfg\0Jf40@khjeh 0x20 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDB 0x75 0x2D 0x26 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0022151f5a34 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDB 0x75 0x2D 0x26 ...

---- EOF - GMER 1.0.15 ----
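A small triage script for the log above, added here as an example; it is not part of the original post and not GMER's own code. It parses the four entry types that matter for hook attribution (SSDT, inline `.text` patches, kernel IAT hooks, and the Modules section) and flags what an analyst would attribute by hand first: hooks whose owning module has a blank vendor field, an inline JMP that GMER attributes to no module at all, and a module whose name GMER printed as underscores. The sample lines are a subset copied from this log; the regexes are written against this log's layout, and that they hold for other GMER builds is an assumption.

```python
"""Triage helper for GMER 1.0.15 scan output.

Added example, not part of the original post and not GMER's own code. The
regexes below are written against the layout of the log above; that they
hold for other GMER builds is an assumption. SAMPLE_LINES is a constructed
subset copied from that log, not a separate scan.
"""
import re
from collections import Counter
from dataclasses import dataclass

SAMPLE_LINES = [
    r"---- System - GMER 1.0.15 ----",
    r"SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys (Security Hook/G Data Software AG) ZwClose [0xBA479376]",
    r"SSDT d347bus.sys (PnP BIOS Extension/ ) ZwCreatePagingFile [0xB9F82A20]",
    r"---- Kernel code sections - GMER 1.0.15 ----",
    r".text ntkrnlpa.exe!ZwCallbackReturn + 2CEC 80504558 4 Bytes JMP AB2AFF55",
    r"---- User code sections - GMER 1.0.15 ----",
    r".text C:\WINDOWS\system32\winlogon.exe[1216] ntdll.dll!NtLockProductActivationKeys 7C90D4AE 5 Bytes JMP 10001000 C:\WINDOWS\system32\antiwpa.dll",
    r"---- Kernel IAT/EAT - GMER 1.0.15 ----",
    r"IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter] [BA3420A4] GDNdisIc.sys (NDIS packet redirector/G Data Software AG)",
    r"---- Modules - GMER 1.0.15 ----",
    r"Module _________ B9EE4000-B9EFC000 (98304 bytes)",
]

HEX8 = r"[0-9A-F]{8}"
# "(description/vendor)" as GMER prints it; the vendor may be blank, e.g. "(PnP BIOS Extension/ )"
OWNER = r"\((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\)"
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
SSDT_RE = re.compile(rf"^SSDT\s+(?P<module>\S+)\s+{OWNER}\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>{HEX8})\]$")
# kernel and user-mode inline patches share this shape; user-mode lines append the owning DLL path
TEXT_RE = re.compile(rf"^\.text\s+(?P<target>.+?)\s+(?P<addr>{HEX8})\s+(?P<n>\d+) Bytes\s+JMP\s+(?P<dest>{HEX8})\s*(?P<module>\S*)$")
IAT_RE = re.compile(rf"^IAT\s+(?P<target>\S+)\s+\[(?P<addr>{HEX8})\]\s+(?P<module>\S+)\s+{OWNER}$")
MODULE_RE = re.compile(rf"^Module\s+(?P<module>\S+)\s+(?P<start>{HEX8})-(?P<end>{HEX8})\s+\((?P<size>\d+) bytes\)$")
# Device/AttachedDevice lines are deliberately not parsed: their vendor field can itself
# contain slashes and parentheses (see the O&O entries in the log), so OWNER does not fit them.


@dataclass
class Finding:
    section: str
    kind: str     # "SSDT", "inline", "IAT" or "module"
    target: str   # hooked function, patched location or module range
    module: str   # module GMER attributes the entry to ("" if none)
    vendor: str   # vendor from GMER's "(desc/vendor)" field ("" if none)
    raw: str


def parse_gmer(lines):
    """Return one Finding per SSDT, .text, IAT and Module entry; other lines are ignored."""
    findings, section = [], ""
    for raw in lines:
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m["name"]
        elif (m := SSDT_RE.match(line)):
            findings.append(Finding(section, "SSDT", m["func"], m["module"], m["vendor"].strip(), line))
        elif (m := TEXT_RE.match(line)):
            findings.append(Finding(section, "inline", m["target"], m["module"], "", line))
        elif (m := IAT_RE.match(line)):
            findings.append(Finding(section, "IAT", m["target"], m["module"], m["vendor"].strip(), line))
        elif (m := MODULE_RE.match(line)):
            findings.append(Finding(section, "module", f"{m['start']}-{m['end']}", m["module"], "", line))
    return findings


def hooks_by_owner(findings):
    """How many hooks each module owns; the '' key collects hooks GMER attributed to nothing."""
    return Counter(f.module for f in findings if f.kind != "module")


def triage(findings):
    """Entries to attribute by hand before trusting the box; order of the rules matters."""
    flagged = []
    for f in findings:
        if f.kind == "module" and f.module and set(f.module) == {"_"}:
            flagged.append(("module whose name GMER could not read", f))
        elif f.kind == "inline" and not f.module:
            flagged.append(("inline JMP to an address GMER attributes to no module", f))
        elif f.kind != "module" and not f.vendor:
            flagged.append(("hook owner carries no vendor attribution in the log", f))
    return flagged


if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LINES)
    for owner, n in hooks_by_owner(found).most_common():
        print(f"{n:3d} hook(s) owned by {owner or '<unattributed>'}")
    for reason, f in triage(found):
        print(f"[{f.section}] {reason}: {f.raw}")
```

On the sample, the flagged set is the d347bus.sys SSDT entry (blank vendor field), the 4-byte JMP in ntkrnlpa.exe, the antiwpa.dll hook in winlogon.exe, and the unnamed module at B9EE4000; the entries attributed to G Data are left alone. Fed the whole log, the same rules also pick up the remaining d347bus.sys SSDT entries and the second antiwpa.dll hook. The script only separates attributed from unattributed entries; whether an unattributed entry is benign remains the analyst's call.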