GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-01 12:47:50
Windows 5.1.2600 Dodatek Service Pack 2
Running: GMER.exe; Driver: C:\DOCUME~1\ferg\USTAWI~1\Temp\pxtdqpow.sys


---- System - GMER 1.0.15 ----

INT 0x06  \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems)  F136E16D
INT 0x0E  \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems)  F136DFC2

---- Kernel code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\drivers\hardlock.sys  section is writeable [0xF1104400, 0x87EE2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF11A8620]  C:\WINDOWS\system32\drivers\hardlock.sys  entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF11A8620]
.protect˙˙˙˙hardlockunknown last code section [0xF11A8400, 0x5126, 0xE0000020]  C:\WINDOWS\system32\drivers\hardlock.sys  unknown last code section [0xF11A8400, 0x5126, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\System32\svchost.exe[1104] ntdll.dll!NtQueryInformationProcess  7C90E01B 5 Bytes  JMP 016DADCD
.text  C:\WINDOWS\System32\svchost.exe[1104] NETAPI32.dll!NetpwPathCanonicalize  6FF4A259 5 Bytes  JMP 016DAD64
.text  C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!NtQueryInformationProcess  7C90E01B 5 Bytes  JMP 0060ADCD

---- Devices - GMER 1.0.15 ----

Device  Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device  Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
Device  mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
AttachedDevice  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] rgybgf  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\rgybgf@DisplayName  Image Driver
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rgybgf@Type  32
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rgybgf@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rgybgf@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rgybgf@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rgybgf@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rgybgf@Description  Przechowuje informacje o zabezpieczeniach dla kont użytkowników lokalnych.
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rgybgf\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rgybgf\Parameters@ServiceDll  C:\WINDOWS\system32\xrjsx.dll
Reg  HKLM\SYSTEM\ControlSet003\Services\rgybgf@DisplayName  Image Driver
Reg  HKLM\SYSTEM\ControlSet003\Services\rgybgf@Type  32
Reg  HKLM\SYSTEM\ControlSet003\Services\rgybgf@Start  2
Reg  HKLM\SYSTEM\ControlSet003\Services\rgybgf@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet003\Services\rgybgf@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet003\Services\rgybgf@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\ControlSet003\Services\rgybgf@Description  Przechowuje informacje o zabezpieczeniach dla kont użytkowników lokalnych.
Reg  HKLM\SYSTEM\ControlSet003\Services\rgybgf\Parameters (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\rgybgf\Parameters@ServiceDll  C:\WINDOWS\system32\xrjsx.dll

---- EOF - GMER 1.0.15 ----