GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-27 16:51:40
Windows 6.1.7600
Running: 788ou457.exe; Driver: C:\Users\Tomecek\AppData\Local\Temp\pwddrfow.sys

---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C32AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C32104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C323F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1B2D8
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C1A898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C321DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C32958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C326F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C32F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 82C331A8

Code 99633BFC ZwTraceEvent
Code 99633BFB NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!NtTraceEvent 8283AE34 5 Bytes JMP 99633C00
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 8284B599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 8286FF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 2 82A7D135 5 Bytes JMP 99633DE0
PAGE ntkrnlpa.exe!NtRequestWaitReplyPort + 2 82A7EB5D 5 Bytes JMP 99633D40
PAGE ntkrnlpa.exe!NtRequestPort + 2 82A92DC3 5 Bytes JMP 99633CA0
.text peauth.sys 960A0C9D 28 Bytes [04, 3E, 2A, 4A, 9F, 2B, B8, ...]
.text peauth.sys 960A0CC1 28 Bytes [04, 3E, 2A, 4A, 9F, 2B, B8, ...]
PAGE peauth.sys 960A6B9B 72 Bytes [60, ED, 5D, E0, 35, 5E, E4, ...]
PAGE peauth.sys 960A6BEC 99 Bytes [EE, 05, 9E, CC, 6E, 52, A1, ...]
PAGE peauth.sys 960A6C53 8 Bytes [79, DF, 39, F8, DC, 7C, 80, ...] {JNS 0xffffffffffffffe1; CMP EAX, EDI; FDIVR QWORD [EAX+EAX*4-0xe]}
PAGE ...
.text C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl section is writeable [0x9616B000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl entry point in ".vmp2" section [0x9618E050]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[580] ws2_32.dll!getsockname 7592315C 6 Bytes JMP 02A10000
.text C:\Windows\Explorer.EXE[580] ws2_32.dll!closesocket 75923BED 6 Bytes JMP 02AA0000
.text C:\Windows\Explorer.EXE[580] ws2_32.dll!connect 759248BE 6 Bytes JMP 02A90000
.text C:\Windows\Explorer.EXE[580] ws2_32.dll!WSAConnect 7592BB9B 6 Bytes JMP 02A80000
.text C:\Windows\Explorer.EXE[580] ws2_32.dll!WSAStartup 7592C0FB 6 Bytes JMP 02A30000
.text C:\Windows\Explorer.EXE[580] ws2_32.dll!getpeername 7592C355 6 Bytes JMP 02A20000
.text C:\Program Files\Sandboxie\SbieCtrl.exe[1460] ws2_32.dll!getsockname 7592315C 6 Bytes JMP 00C50000
.text C:\Program Files\Sandboxie\SbieCtrl.exe[1460] ws2_32.dll!closesocket 75923BED 6 Bytes JMP 00CA0000
.text C:\Program Files\Sandboxie\SbieCtrl.exe[1460] ws2_32.dll!connect 759248BE 6 Bytes JMP 00C90000
.text C:\Program Files\Sandboxie\SbieCtrl.exe[1460] ws2_32.dll!WSAConnect 7592BB9B 6 Bytes JMP 00C80000
.text C:\Program Files\Sandboxie\SbieCtrl.exe[1460] ws2_32.dll!WSAStartup 7592C0FB 6 Bytes JMP 00C70000
.text C:\Program Files\Sandboxie\SbieCtrl.exe[1460] ws2_32.dll!getpeername 7592C355 6 Bytes JMP 00C60000
.text C:\Program Files\Opera\opera.exe[1920] WS2_32.dll!getsockname 7592315C 6 Bytes JMP 00270000
.text C:\Program Files\Opera\opera.exe[1920] WS2_32.dll!closesocket 75923BED 6 Bytes JMP 00540000
.text C:\Program Files\Opera\opera.exe[1920] WS2_32.dll!connect 759248BE 6 Bytes JMP 004F0000
.text C:\Program Files\Opera\opera.exe[1920] WS2_32.dll!WSAConnect 7592BB9B 6 Bytes JMP 004E0000
.text C:\Program Files\Opera\opera.exe[1920] WS2_32.dll!WSAStartup 7592C0FB 6 Bytes JMP 004D0000
.text C:\Program Files\Opera\opera.exe[1920] WS2_32.dll!getpeername 7592C355 6 Bytes JMP 00280000

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\msiexec.exe[1712] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [750E5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[1712] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [750E5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[1712] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [750E5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[1712] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [750E5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\msiexec.exe[1712] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [750E5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000040 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----