GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-12 14:34:11
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-10 ST3400620AS rev.3.AAE
Running: coyyng3p.exe; Driver: C:\DOCUME~1\j_ryza\USTAWI~1\Temp\pwtdypob.sys

---- System - GMER 1.0.15 ----

SSDT 89BEDC90 ZwAssignProcessToJobObject
SSDT \SystemRoot\System32\drivers\820554f3.sys ZwCreateEvent [0xAC5C612D]
SSDT \SystemRoot\System32\drivers\820554f3.sys ZwCreateKey [0xAC5C4205]
SSDT 89BEE200 ZwDebugActiveProcess
SSDT 89BEE2F0 ZwDuplicateObject
SSDT \SystemRoot\System32\drivers\820554f3.sys ZwOpenKey [0xAC5C42C5]
SSDT 89BED590 ZwOpenProcess
SSDT 89BED800 ZwOpenThread
SSDT 89BEDFD0 ZwProtectVirtualMemory
SSDT 89BEE0E0 ZwQueueApcThread
SSDT 89BEDEC0 ZwSetContextThread
SSDT 89BEDD90 ZwSetInformationThread
SSDT 89BEADA0 ZwSetSecurityObject
SSDT 89BEDB90 ZwSuspendProcess
SSDT 89BEDA80 ZwSuspendThread
SSDT 89BED6E0 ZwTerminateProcess
SSDT 89BEDA50 ZwTerminateThread
SSDT 89BEE6D0 ZwWriteVirtualMemory

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) A9ECB16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) A9ECAFC2

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\System32\drivers\820554f3.sys Nie można odnaleźć określonego pliku.
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA9B8C400, 0x82482, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA9C2C420]
C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA9C2C420]
.protect˙˙˙˙hardlockunknown last code section [0xA9C2C200, 0x5105, 0xE0000020]
C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA9C2C200, 0x5105, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[424] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\system32\nhsrvice.exe[640] kernel32.dll!ExitProcess 7C81CDEA 5 Bytes JMP 00439FF9 C:\WINDOWS\system32\nhsrvice.exe (NetHASP License Manager Service/Aladdin Knowledge Systems)
.text C:\Program Files\Internet Explorer\iexplore.exe[1632] USER32.dll!DialogBoxParamW 7E37555F 5 Bytes JMP 4452F341 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1632] USER32.dll!DialogBoxIndirectParamW 7E382032 5 Bytes JMP 446C178F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1632] USER32.dll!MessageBoxIndirectA 7E38A04A 5 Bytes JMP 446C1710 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1632] USER32.dll!DialogBoxParamA 7E38B10C 5 Bytes JMP 446C1754 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1632] USER32.dll!MessageBoxExW 7E3A05D8 5 Bytes JMP 446C169C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1632] USER32.dll!MessageBoxExA 7E3A05FC 5 Bytes JMP 446C16D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1632] USER32.dll!DialogBoxIndirectParamA 7E3A6B50 5 Bytes JMP 446C17CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1632] USER32.dll!MessageBoxIndirectW 7E3B62AB 5 Bytes JMP 445516B6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 820554f3.sys
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp 820554f3.sys
Device \Driver\epfwtdir \Device\EpfwRedirector 820554f3.sys
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\System32\drivers\820554f3.sys (*** hidden *** ) [SYSTEM] 820554f3 <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\820554f3@ImagePath \SystemRoot\System32\drivers\820554f3.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\820554f3@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\820554f3@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\820554f3@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\820554f3@F96ZK6nPB Z3Jpemltdm96aW0ubmFtZQ==
Reg HKLM\SYSTEM\ControlSet002\Services\820554f3@ImagePath \SystemRoot\System32\drivers\820554f3.sys
Reg HKLM\SYSTEM\ControlSet002\Services\820554f3@Type 1
Reg HKLM\SYSTEM\ControlSet002\Services\820554f3@Start 1
Reg HKLM\SYSTEM\ControlSet002\Services\820554f3@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\Services\820554f3@F96ZK6nPB Z3Jpemltdm96aW0ubmFtZQ==

---- EOF - GMER 1.0.15 ----