GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-06-28 12:29:52 Windows 5.1.2600 Service Pack 3 Running: fbckvcyd.exe; Driver: C:\DOCUME~1\PanMis\LOCALS~1\Temp\pgtdqpow.sys ---- Kernel code sections - GMER 1.0.15 ---- .sfrelocÿÿÿÿsfsync04unknown last section [0xB9F67000, 0xBB6, 0x40000040] C:\WINDOWS\system32\drivers\sfsync04.sys unknown last section [0xB9F67000, 0xBB6, 0x40000040] .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8F13000, 0x1894F8, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA97A2300, 0x3AE88, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA448300, 0x1B7E, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Internet Explorer\iexplore.exe[624] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[624] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[624] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[624] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[624] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[624] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[624] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[624] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[624] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[1284] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] USER32.dll!DialogBoxParamW 7E4247AB 5 Bytes JMP 3E2154C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] USER32.dll!SetWindowsHookExW 7E42820F 5 Bytes JMP 3E2E9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] USER32.dll!CallNextHookEx 7E42B3C6 5 Bytes JMP 3E2DD0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] USER32.dll!CreateWindowExW 7E42D0A3 5 Bytes JMP 3E2EDB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] USER32.dll!UnhookWindowsHookEx 7E42D5F3 5 Bytes JMP 3E25467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] USER32.dll!DialogBoxIndirectParamW 7E432072 5 Bytes JMP 3E3E480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] USER32.dll!MessageBoxIndirectA 7E43A082 5 Bytes JMP 3E3E4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] USER32.dll!DialogBoxParamA 7E43B144 5 Bytes JMP 3E3E47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] USER32.dll!MessageBoxExW 7E450838 5 Bytes JMP 3E3E4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] USER32.dll!MessageBoxExA 7E45085C 5 Bytes JMP 3E3E4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] USER32.dll!DialogBoxIndirectParamA 7E456D7D 5 Bytes JMP 3E3E4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] USER32.dll!MessageBoxIndirectW 7E4664D5 5 Bytes JMP 3E3E46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] ole32.dll!CoCreateInstance 7750057E 5 Bytes JMP 3E2EDB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\iexplore.exe[2996] ole32.dll!OleLoadFromStream 77529C85 5 Bytes JMP 3E3E4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\Internet Explorer\iexplore.exe[1284] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation) IAT C:\Program Files\Internet Explorer\iexplore.exe[2996] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \Driver\atapi \Device\Ide\IdePort0 sfsync04.sys (SF FrontLine Synchronization Driver/Protection Technology (StarForce)) Device \Driver\atapi \Device\Ide\IdePort1 sfsync04.sys (SF FrontLine Synchronization Driver/Protection Technology (StarForce)) Device \Driver\atapi \Device\Ide\IdePort2 sfsync04.sys (SF FrontLine Synchronization Driver/Protection Technology (StarForce)) Device \Driver\atapi \Device\Ide\IdePort3 sfsync04.sys (SF FrontLine Synchronization Driver/Protection Technology (StarForce)) Device \Driver\atapi \Device\Ide\IdePort4 sfsync04.sys (SF FrontLine Synchronization Driver/Protection Technology (StarForce)) Device \Driver\atapi \Device\Ide\IdePort5 sfsync04.sys (SF FrontLine Synchronization Driver/Protection Technology (StarForce)) Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-10 sfsync04.sys (SF FrontLine Synchronization Driver/Protection Technology (StarForce)) Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-5 sfsync04.sys (SF FrontLine Synchronization Driver/Protection Technology (StarForce)) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE0 0xE4 0xFB 0x82 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x28 0x7F 0xE4 0xB0 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC0 0x2A 0xA5 0x16 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x3D 0x48 0x7A 0x29 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xB0 0x8B 0x50 0x8C ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE6 0x21 0xD1 0x85 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x28 0x7F 0xE4 0xB0 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC0 0x2A 0xA5 0x16 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x3D 0x48 0x7A 0x29 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0x09 0xE6 0xF9 0xDF ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE0 0xE4 0xFB 0x82 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x28 0x7F 0xE4 0xB0 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xC0 0x2A 0xA5 0x16 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x3D 0x48 0x7A 0x29 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xB0 0x8B 0x50 0x8C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{578572FB-A2EE-D4AA-0641-8ACFB7B88D55} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{578572FB-A2EE-D4AA-0641-8ACFB7B88D55}@aa 0x6A 0x61 0x66 0x6E ... ---- EOF - GMER 1.0.15 ----