GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-10-08 09:27:29
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e SAMSUNG_HM320II rev.2AC101C4
Running: xvp8c4s2.exe; Driver: c:\windows\temp\pxtdapog.sys


---- System - GMER 1.0.15 ----

SSDT \WINDOWS\system32\ntoskrnl.exe (Jądro i system NT/Microsoft Corporation) ZwCreateKey [0x804D7FEC]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D7FEC] ZwCreateKey [0x804D7FEC]
SSDT \WINDOWS\system32\ntoskrnl.exe (Jądro i system NT/Microsoft Corporation) ZwOpenKey [0x804D7FF1]
SSDT \WINDOWS\system32\ntoskrnl.exe[unknown section] [804D7FF1] ZwOpenKey [0x804D7FF1]

INT 0x03 \WINDOWS\system32\ntoskrnl.exe[unknown section] 804D7FF6

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\aksfridge.sys section is writeable [0xA8EFB000, 0x47E35, 0xE0000020]
.init C:\WINDOWS\system32\DRIVERS\aksfridge.sys entry point in ".init" section [0xA8F4F224]
.init C:\WINDOWS\system32\DRIVERS\aksfridge.sys unknown last code section [0xA8F4F000, 0x4000, 0xE20000E0]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA8DA2400, 0x6E6E2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA8E2C820] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA8E2C820]
.protect˙˙˙˙hardlockunknown last code section [0xA8E2C600, 0x512A, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA8E2C600, 0x512A, 0xE0000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\Disk \Device\Harddisk1\DR3 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\Disk \Device\Harddisk1\DP(1)0-0+4 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0263354.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0263378.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0264378.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0264388.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0265388.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0266392.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0267429.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0267438.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0268443.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0268450.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0268454.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0269453.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP92\A0269473.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP93\A0269480.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP93\A0269484.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP93\A0269490.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP93\A0270489.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP93\A0271489.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP93\A0271499.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP93\A0271506.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP93\A0272513.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP93\A0273513.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0274512.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0274594.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0274600.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0275601.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0275678.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0275764.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0275939.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0275963.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0275973.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0275982.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0276008.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0276026.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP94\A0276035.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP95\A0276045.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP95\A0276089.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP95\A0276102.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP95\A0276127.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP96\A0276159.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP96\A0276183.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP96\A0277183.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP96\A0277196.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP96\A0277268.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP96\A0277329.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP96\A0277290.exe:BAK 22528 bytes executable
ADS C:\System Volume Information\_restore{FFA5C56D-8E47-46E0-8BA2-F799EA948BE2}\RP96\A0277341.exe:BAK 22528 bytes executable

---- EOF - GMER 1.0.15 ----