GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-06-01 12:36:51
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\ewa\USTAWI~1\Temp\pxtdqpog.sys


---- System - GMER 1.0.15 ----

INT 0x06  \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems)  F7A6116D
INT 0x0E  \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems)  F7A60FC2

---- Kernel code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\drivers\hardlock.sys  section is writeable [0xF2B09400, 0x87EE2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF2BAD620]  C:\WINDOWS\system32\drivers\hardlock.sys  entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF2BAD620]
.protect˙˙˙˙hardlockunknown last code section [0xF2BAD400, 0x5126, 0xE0000020]  C:\WINDOWS\system32\drivers\hardlock.sys  unknown last code section [0xF2BAD400, 0x5126, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\System32\svchost.exe[856] ntdll.dll!NtQueryInformationProcess  7C90D7FE 5 Bytes  JMP 0337ADCD
.text  C:\WINDOWS\System32\svchost.exe[856] NETAPI32.dll!NetpwPathCanonicalize  6FF4A3A9 5 Bytes  JMP 0337AD64
.text  C:\WINDOWS\system32\svchost.exe[900] ntdll.dll!NtQueryInformationProcess  7C90D7FE 5 Bytes  JMP 0076ADCD

---- Services - GMER 1.0.15 ----

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO]  tbvtaae  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@DisplayName  Shell Monitor
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@Type  32
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@Description  Resolves and caches Domain Name System (DNS) names. If this service is stopped, this computer will not be able to resolve DNS names or locate Active Directory domain controllers. If this service is disabled, any services that explicitly depend on it will fail to start.
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae\Parameters@ServiceDll  C:\WINDOWS\system32\lnfbwvu.dll

---- EOF - GMER 1.0.15 ----
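The Services and Registry sections are the part of this scan a responder keys on: a service (tbvtaae) that GMER cannot see through the normal Service Control Manager enumeration, auto-started as LocalSystem inside the shared "netsvcs" svchost group from a DLL named lnfbwvu.dll, carrying the DisplayName "Shell Monitor" but the Description text of the built-in DNS Client service. The in-process hooks on NtQueryInformationProcess and NetpwPathCanonicalize listed under "User code sections" sit in svchost.exe instances, which is where such a ServiceDll would be loaded. The script below is an added triage example, not part of GMER's output or the poster's material: it parses GMER-style Service and Reg lines (SAMPLE_LOG is a constructed copy of the lines above, with the Description translated), decodes the Type and Start values, and flags a service that is hidden or that reuses a known service's Description under a different name. The mapping in LEGIT_OWNER_OF_DESCRIPTION (that this Description belongs to the Dnscache service, implemented by dnsrslvr.dll) is an assumption supplied here, not something the log states.

```python
import re

# Constructed excerpt in GMER 1.0.15 log layout: the Services and Registry
# sections of the scan above, with the Polish Description translated.
SAMPLE_LOG = r"""
---- Services - GMER 1.0.15 ----
Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO]  tbvtaae  <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@DisplayName  Shell Monitor
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@Type  32
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae@Description  Resolves and caches Domain Name System (DNS) names. If this service is stopped, this computer will not be able to resolve DNS names or locate Active Directory domain controllers.
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae\Parameters@ServiceDll  C:\WINDOWS\system32\lnfbwvu.dll
---- EOF - GMER 1.0.15 ----
"""

# Assumed reference data (not taken from the log): on Windows XP that DNS Client
# Description text belongs to the Dnscache service, implemented in dnsrslvr.dll.
LEGIT_OWNER_OF_DESCRIPTION = {
    "Resolves and caches Domain Name System (DNS) names.": ("Dnscache", "dnsrslvr.dll"),
}

SERVICES_PREFIX = "HKLM\\SYSTEM\\CurrentControlSet\\Services\\"
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+?)(?:@(?P<name>\w+)\s+(?P<value>.*))?$")
HIDDEN_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+\[(?P<start>\w+)\]\s+(?P<svc>\S+)")
SVCHOST_RE = re.compile(r"svchost\.exe\s+-k\s+(?P<group>\S+)", re.IGNORECASE)

# SERVICE_* constants from winnt.h / winsvc.h, in the decimal form GMER prints.
SERVICE_TYPES = {"1": "SERVICE_KERNEL_DRIVER", "2": "SERVICE_FILE_SYSTEM_DRIVER",
                 "16": "SERVICE_WIN32_OWN_PROCESS", "32": "SERVICE_WIN32_SHARE_PROCESS"}
START_TYPES = {"0": "BOOT_START", "1": "SYSTEM_START", "2": "AUTO_START",
               "3": "DEMAND_START", "4": "DISABLED"}


def parse_gmer(log):
    """Collect per-service registry values plus GMER's hidden-service verdicts."""
    services = {}
    for line in log.splitlines():
        m = HIDDEN_RE.match(line)
        if m:
            services.setdefault(m["svc"], {})["hidden"] = True
            continue
        m = REG_RE.match(line)
        if not m or not m["key"].startswith(SERVICES_PREFIX):
            continue
        # "tbvtaae" or "tbvtaae\Parameters" -> service name and optional subkey
        name, _, subkey = m["key"][len(SERVICES_PREFIX):].partition("\\")
        svc = services.setdefault(name, {})
        if m["name"]:                      # value line, not a bare key line
            field = f"{subkey}@{m['name']}" if subkey else m["name"]
            svc[field] = m["value"].strip()
    return services


def triage(services):
    """Return {service: {verdict, indicators, context}} for services worth a look."""
    findings = {}
    for name, svc in services.items():
        indicators = []
        if svc.get("hidden"):
            indicators.append("service hidden from SCM enumeration (GMER cross-view)")
        desc = svc.get("Description", "")
        for sentence, (owner, owner_dll) in LEGIT_OWNER_OF_DESCRIPTION.items():
            if desc.startswith(sentence) and name.lower() != owner.lower():
                indicators.append(
                    f"Description copied from {owner} ({owner_dll}); DisplayName is "
                    f"'{svc.get('DisplayName', '')}', ServiceDll is {svc.get('Parameters@ServiceDll', '')}")
        if not indicators:
            continue
        group = SVCHOST_RE.search(svc.get("ImagePath", ""))
        findings[name] = {
            "verdict": "suspicious",
            "indicators": indicators,
            "context": {
                "svchost_group": group["group"] if group else None,
                "service_dll": svc.get("Parameters@ServiceDll"),
                "account": svc.get("ObjectName"),
                "service_type": SERVICE_TYPES.get(svc.get("Type", ""), svc.get("Type")),
                "start_type": START_TYPES.get(svc.get("Start", ""), svc.get("Start")),
            },
        }
    return findings


if __name__ == "__main__":
    for name, f in triage(parse_gmer(SAMPLE_LOG)).items():
        print(name, f["verdict"])
        for i in f["indicators"]:
            print("  -", i)
        for k, v in f["context"].items():
            print(f"  {k}: {v}")
```

On the live machine the same two facts are worth confirming by hand before cleanup: that the service key exists even though the SCM does not list it (reg query HKLM\SYSTEM\CurrentControlSet\Services\tbvtaae /s), and whether "tbvtaae" appears in the netsvcs group list under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, which a malicious installer has to add itself to in order to be loaded by "svchost.exe -k netsvcs". The ServiceDll path and the two svchost PIDs carrying the NtQueryInformationProcess hook are the artifacts to preserve (file hash, memory image) before the service is removed.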