GMER 1.0.15.15315 - http://www.gmer.net
Rootkit scan 2010-10-15 14:15:12
Windows 6.1.7600
Running: 3gnoik0e.exe; Driver: C:\Users\Tomecek\AppData\Local\Temp\pwddrfow.sys

---- System - GMER 1.0.15 ----

SSDT 85D16B70 ZwAlertResumeThread
SSDT 85D16C50 ZwAlertThread
SSDT 85D07BE8 ZwAllocateVirtualMemory
SSDT 85CB9E58 ZwAlpcConnectPort
SSDT 85D13310 ZwAssignProcessToJobObject
SSDT 85D138B8 ZwCreateMutant
SSDT 85D19770 ZwCreateSymbolicLinkObject
SSDT 85D2F1F0 ZwCreateThread
SSDT 85D19860 ZwCreateThreadEx
SSDT 85D133F0 ZwDebugActiveProcess
SSDT 85D07DB8 ZwDuplicateObject
SSDT 85D19F60 ZwFreeVirtualMemory
SSDT 85D139A8 ZwImpersonateAnonymousToken
SSDT 85D13A88 ZwImpersonateThread
SSDT 85CB90B0 ZwLoadDriver
SSDT 85D19E60 ZwMapViewOfSection
SSDT 85D137D8 ZwOpenEvent
SSDT 85D17128 ZwOpenProcess
SSDT 85D07CD8 ZwOpenProcessToken
SSDT 85D13618 ZwOpenSection
SSDT 85D17038 ZwOpenThread
SSDT 85D19940 ZwProtectVirtualMemory
SSDT 85D16D30 ZwResumeThread
SSDT 85D16FD0 ZwSetContextThread
SSDT 85D19C90 ZwSetInformationProcess
SSDT 85D134D0 ZwSetSystemInformation
SSDT 85D136F8 ZwSuspendProcess
SSDT 85D16E10 ZwSuspendThread
SSDT 85D2F2F0 ZwTerminateProcess
SSDT 85D16EF0 ZwTerminateThread
SSDT 85D19D80 ZwUnmapViewOfSection
SSDT 85D07AF8 ZwWriteVirtualMemory

Code 91CFEBFC ZwTraceEvent
Code 91CFEBFB NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!NtTraceEvent 82A82E34 5 Bytes JMP 91CFEC00
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82A93599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB7F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 82ABF734 8 Bytes [70, 6B, D1, 85, 50, 6C, D1, ...] {JO 0x6d; ROL DWORD [EBP-0x7a2e93b0], 0x1}
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82ABF74C 4 Bytes CALL 0931C7CC
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82ABF758 4 Bytes [58, 9E, CB, 85]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 82ABF7AC 4 Bytes [10, 33, D1, 85]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82ABF828 4 Bytes [B8, 38, D1, 85]
.text ...
.text C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl section is writeable [0x9F33E000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl entry point in ".vmp2" section [0x9F361050]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\system32\taskhost.exe[108] ws2_32.dll!getsockname 76B0315C 6 Bytes JMP 005C0000
.text C:\Windows\system32\taskhost.exe[108] ws2_32.dll!closesocket 76B03BED 6 Bytes JMP 00610000
.text C:\Windows\system32\taskhost.exe[108] ws2_32.dll!connect 76B048BE 6 Bytes JMP 00600000
.text C:\Windows\system32\taskhost.exe[108] ws2_32.dll!WSAConnect 76B0BB9B 6 Bytes JMP 005F0000
.text C:\Windows\system32\taskhost.exe[108] ws2_32.dll!WSAStartup 76B0C0FB 6 Bytes JMP 005E0000
.text C:\Windows\system32\taskhost.exe[108] ws2_32.dll!getpeername 76B0C355 6 Bytes JMP 005D0000
.text C:\Program Files\Opera\opera.exe[1732] WS2_32.dll!getsockname 76B0315C 6 Bytes JMP 004F0000
.text C:\Program Files\Opera\opera.exe[1732] WS2_32.dll!closesocket 76B03BED 6 Bytes JMP 00540000
.text C:\Program Files\Opera\opera.exe[1732] WS2_32.dll!connect 76B048BE 6 Bytes JMP 00530000
.text C:\Program Files\Opera\opera.exe[1732] WS2_32.dll!WSAConnect 76B0BB9B 6 Bytes JMP 00520000
.text C:\Program Files\Opera\opera.exe[1732] WS2_32.dll!WSAStartup 76B0C0FB 6 Bytes JMP 00510000
.text C:\Program Files\Opera\opera.exe[1732] WS2_32.dll!getpeername 76B0C355 6 Bytes JMP 00500000
.text C:\Windows\system32\Dwm.exe[1980] ws2_32.dll!getsockname 76B0315C 6 Bytes JMP 004C0000
.text C:\Windows\system32\Dwm.exe[1980] ws2_32.dll!closesocket 76B03BED 6 Bytes JMP 00510000
.text C:\Windows\system32\Dwm.exe[1980] ws2_32.dll!connect 76B048BE 6 Bytes JMP 00500000
.text C:\Windows\system32\Dwm.exe[1980] ws2_32.dll!WSAConnect 76B0BB9B 6 Bytes JMP 004F0000
.text C:\Windows\system32\Dwm.exe[1980] ws2_32.dll!WSAStartup 76B0C0FB 6 Bytes JMP 004E0000
.text C:\Windows\system32\Dwm.exe[1980] ws2_32.dll!getpeername 76B0C355 6 Bytes JMP 004D0000
.text C:\Windows\Explorer.EXE[2016] ws2_32.dll!getsockname 76B0315C 6 Bytes JMP 02390000
.text C:\Windows\Explorer.EXE[2016] ws2_32.dll!closesocket 76B03BED 6 Bytes JMP 023E0000
.text C:\Windows\Explorer.EXE[2016] ws2_32.dll!connect 76B048BE 6 Bytes JMP 023D0000
.text C:\Windows\Explorer.EXE[2016] ws2_32.dll!WSAConnect 76B0BB9B 6 Bytes JMP 023C0000
.text C:\Windows\Explorer.EXE[2016] ws2_32.dll!WSAStartup 76B0C0FB 6 Bytes JMP 023B0000
.text C:\Windows\Explorer.EXE[2016] ws2_32.dll!getpeername 76B0C355 6 Bytes JMP 023A0000
.text C:\Program Files\cFosSpeed\cfosspeed.exe[2324] WS2_32.dll!getsockname 76B0315C 6 Bytes JMP 023A0000
.text C:\Program Files\cFosSpeed\cfosspeed.exe[2324] WS2_32.dll!closesocket 76B03BED 6 Bytes JMP 023F0000
.text C:\Program Files\cFosSpeed\cfosspeed.exe[2324] WS2_32.dll!connect 76B048BE 6 Bytes JMP 023E0000
.text C:\Program Files\cFosSpeed\cfosspeed.exe[2324] WS2_32.dll!WSAConnect 76B0BB9B 6 Bytes JMP 023D0000
.text C:\Program Files\cFosSpeed\cfosspeed.exe[2324] WS2_32.dll!WSAStartup 76B0C0FB 6 Bytes JMP 023C0000
.text C:\Program Files\cFosSpeed\cfosspeed.exe[2324] WS2_32.dll!getpeername 76B0C355 6 Bytes JMP 023B0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000005d halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x71 0x3B 0xE2 0xC5 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x88 0x73 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x06 0x02 0x10 0x5E ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x71 0x3B 0xE2 0xC5 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x88 0x73 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x06 0x02 0x10 0x5E ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D773CB3E-3DEC-B78F-4698-BDE5A0CD9005}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D773CB3E-3DEC-B78F-4698-BDE5A0CD9005}@abfcpgjfkagppmdiinmgpgepfaeladcdjc 0x70 0x61 0x6C 0x63 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D773CB3E-3DEC-B78F-4698-BDE5A0CD9005}@maecmgipaggpbkahoifjckaiim 0x6F 0x61 0x66 0x69 ...

---- Files - GMER 1.0.15 ----

File C:\Users\Tomecek\AppData\Local\Opera\Opera\cache\sesn\opr052NR.tmp 0 bytes

---- EOF - GMER 1.0.15 ----