GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-02 18:37:48
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HITACHI_ rev.BBFZ
Running: ehvtkxuz.exe; Driver: C:\Users\Basia\AppData\Local\Temp\kgrdqpob.sys


---- System - GMER 1.0.15 ----

SSDT  \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS  ZwTerminateProcess [0x88377620]

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!KeInsertQueue + 811  820AAE58 4 Bytes  [20, 76, 37, 88]
.text  C:\Windows\system32\drivers\hardlock.sys  section is writeable [0xAD706400, 0x87EE2, 0xE8000020]
.protect  C:\Windows\system32\drivers\hardlock.sys  entry point in ".protect" section [0xAD7AA620]
.protect  C:\Windows\system32\drivers\hardlock.sys  unknown last code section [0xAD7AA400, 0x5126, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2148] kernel32.dll!SetUnhandledExceptionFilter  77526E2D 4 Bytes  [C2, 04, 00, 00]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  eamon.sys (Amon monitor/ESET)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (WDF Dynamic Framework/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1  Wdf01000.sys (WDF Dynamic Framework/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat  eamon.sys (Amon monitor/ESET)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2e27baa
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2e27baa@00265d52ea5d  0x51 0xCF 0x13 0x2F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2e27baa@001fe1e67ca5  0x50 0x54 0x0E 0xA2 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2e27baa@001583121928  0xFB 0x41 0xF1 0xE0 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2e27baa@001ea3e3afc4  0x10 0xD9 0xF6 0x75 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2e27baa@101dc0ce9b82  0x1B 0xA6 0x98 0x27 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2e27baa (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2e27baa@00265d52ea5d  0x51 0xCF 0x13 0x2F ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2e27baa@001fe1e67ca5  0x50 0x54 0x0E 0xA2 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2e27baa@001583121928  0xFB 0x41 0xF1 0xE0 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2e27baa@001ea3e3afc4  0x10 0xD9 0xF6 0x75 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2e27baa@101dc0ce9b82  0x1B 0xA6 0x98 0x27 ...
---- Files - GMER 1.0.15 ----

File  C:\RRbackups\C 0 bytes
File  C:\RRbackups\common 0 bytes
File  C:\RRbackups\common\backups.dat 8192 bytes
File  C:\RRbackups\common\bmgrmode.dat 29 bytes
File  C:\RRbackups\common\css.dat 8192 bytes
File  C:\RRbackups\common\hints.dat 8192 bytes
File  C:\RRbackups\common\mnd.dat 8192 bytes
File  C:\RRbackups\common\regcerts.dat 8192 bytes
File  C:\RRbackups\common\restore.log 110 bytes
File  C:\RRbackups\common\rr.log 174246 bytes
File  C:\RRbackups\common\rr_bcdenum.dat 4941 bytes
File  C:\RRbackups\common\SAM 262144 bytes
File  C:\RRbackups\common\seccache.dat 8192 bytes
File  C:\RRbackups\common\secpolicy.dat 24576 bytes
File  C:\RRbackups\common\settings.dat 32768 bytes
File  C:\RRbackups\common\system.dat 12288 bytes
File  C:\RRbackups\common\tvtcmn.dat 8192 bytes
File  C:\RRbackups\common\tvtns.bin 23 bytes
File  C:\RRbackups\common\usersids.dat 14560 bytes
File  C:\RRbackups\Documents and Settings 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Lenovo 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Lenovo\Client Security Solution 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Lenovo\Client Security Solution\hibernation.dat 4 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1067765355-367813283-2874104705-500 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1067765355-367813283-2874104705-500\d499eb81-9f5d-4358-9a35-57f79220dffe 388 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\Protect\S-1-5-21-1067765355-367813283-2874104705-500\Preferred 24 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes
File  C:\RRbackups\Documents and Settings\Administrator\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes
File  C:\RRbackups\Documents and Settings\Basia 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Lenovo 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Lenovo\Client Security Solution 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Lenovo\Client Security Solution\encobject.dat 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Lenovo\Client Security Solution\hibernation.dat 4 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Crypto 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2597820627-2760950646-3236408800-1003 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2597820627-2760950646-3236408800-1003\5550e7cb640347345a345c63aa7a6848_97d3c3c4-3f2a-458b-b777-abcecf73b872 59 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2597820627-2760950646-3236408800-1003\5a3d4abaf5f925cfc422c689267dc6b1_97d3c3c4-3f2a-458b-b777-abcecf73b872 46 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2597820627-2760950646-3236408800-1003\5e406688cf7a0914768c82727c716b7f_97d3c3c4-3f2a-458b-b777-abcecf73b872 1311 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2597820627-2760950646-3236408800-1003\6b29ae44e85efac3c72ff4d1865d73f1_97d3c3c4-3f2a-458b-b777-abcecf73b872 53 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2597820627-2760950646-3236408800-1003\83aa4cc77f591dfc2374580bbd95f6ba_97d3c3c4-3f2a-458b-b777-abcecf73b872 45 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2597820627-2760950646-3236408800-1003\8f71098770f72c7a67cd8f1151619865_97d3c3c4-3f2a-458b-b777-abcecf73b872 54 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2597820627-2760950646-3236408800-1003\8f96978fc46d9f00d8780351026924d7_97d3c3c4-3f2a-458b-b777-abcecf73b872 59 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2597820627-2760950646-3236408800-1003\a077ead69703e3bf1fd373a3c9376faa_97d3c3c4-3f2a-458b-b777-abcecf73b872 77 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect\S-1-5-21-1067765355-367813283-2874104705-500 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect\S-1-5-21-1067765355-367813283-2874104705-500\d499eb81-9f5d-4358-9a35-57f79220dffe 388 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect\S-1-5-21-1067765355-367813283-2874104705-500\Preferred 24 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect\S-1-5-21-2597820627-2760950646-3236408800-1003 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect\S-1-5-21-2597820627-2760950646-3236408800-1003\3f5d7593-fd1b-4c0e-84c6-2c7456c816d6 388 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect\S-1-5-21-2597820627-2760950646-3236408800-1003\6d98b8e4-c5b7-4ea8-918e-0a5a7654f1c5 388 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect\S-1-5-21-2597820627-2760950646-3236408800-1003\8ef3c2aa-9093-4a8b-acbd-b3dc2d462081 388 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect\S-1-5-21-2597820627-2760950646-3236408800-1003\d0a29be6-d280-4893-8edb-44af56268462 388 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect\S-1-5-21-2597820627-2760950646-3236408800-1003\e32668c7-878b-4c0d-8fc3-6ea6c1f73eaa 388 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect\S-1-5-21-2597820627-2760950646-3236408800-1003\f9003b9c-2a98-45f0-921f-4eb9b941483c 388 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\Protect\S-1-5-21-2597820627-2760950646-3236408800-1003\Preferred 24 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\SystemCertificates 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates\FF0C049A156B6ED7E4CA6D21E5BBCF23EF5AC3B0 989 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\SystemCertificates\My\Keys 0 bytes
File  C:\RRbackups\Documents and Settings\Basia\AppData\Roaming\Microsoft\SystemCertificates\My\Keys\29A790B93A1DBB3A25ABF288673EB417893CC2C5 152 bytes
File  C:\RRbackups\Documents and Settings\Default 0 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData 0 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming 0 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft 0 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\Crypto 0 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\Protect 0 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\Protect\S-1-5-21-1067765355-367813283-2874104705-500 0 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\Protect\S-1-5-21-1067765355-367813283-2874104705-500\d499eb81-9f5d-4358-9a35-57f79220dffe 388 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\Protect\S-1-5-21-1067765355-367813283-2874104705-500\Preferred 24 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\SystemCertificates 0 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes
File  C:\RRbackups\Documents and Settings\Default\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes
File  C:\RRbackups\Documents and Settings\Default User 0 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData 0 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming 0 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft 0 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\Crypto 0 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\Crypto\RSA 0 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\Protect 0 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\Protect\CREDHIST 24 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\Protect\S-1-5-21-1067765355-367813283-2874104705-500 0 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\Protect\S-1-5-21-1067765355-367813283-2874104705-500\d499eb81-9f5d-4358-9a35-57f79220dffe 388 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\Protect\S-1-5-21-1067765355-367813283-2874104705-500\Preferred 24 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\SystemCertificates 0 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\SystemCertificates\My 0 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\SystemCertificates\My\Certificates 0 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\SystemCertificates\My\CRLs 0 bytes
File  C:\RRbackups\Documents and Settings\Default User\AppData\Roaming\Microsoft\SystemCertificates\My\CTLs 0 bytes
File  C:\RRbackups\Documents and Settings\Kasia 0 bytes
File  C:\RRbackups\Documents and Settings\Kasia\AppData 0 bytes
File  C:\RRbackups\Documents and Settings\Kasia\AppData\Roaming 0 bytes
File  C:\RRbackups\Documents and Settings\Kasia\AppData\Roaming\Lenovo 0 bytes
File  C:\RRbackups\Documents and Settings\Kasia\AppData\Roaming\Microsoft 0 bytes
File  C:\RRbackups\Documents and Settings\Kasia\AppData\Roaming\Microsoft\Crypto 0 bytes
File  C:\RRbackups\ProgramData 0 bytes
File  C:\RRbackups\ProgramData\Lenovo 0 bytes
File  C:\RRbackups\ProgramData\Lenovo\Client Security Solution 0 bytes
File  C:\RRbackups\ProgramData\Lenovo\Client Security Solution\cspContainer.dat 332 bytes
File  C:\RRbackups\ProgramData\Lenovo\Client Security Solution\PreloadInstall.ini 26 bytes
File  C:\RRbackups\ProgramData\Microsoft 0 bytes
File  C:\RRbackups\ProgramData\Microsoft\Crypto 0 bytes
File  C:\RRbackups\ProgramData\Microsoft\Crypto\RSA 0 bytes
File  C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys 0 bytes
File  C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\MachineKeys\a077ead69703e3bf1fd373a3c9376faa_97d3c3c4-3f2a-458b-b777-abcecf73b872 77 bytes
File  C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18 0 bytes
File  C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\065fddd71ade062109ceab25bb0d9f5d_97d3c3c4-3f2a-458b-b777-abcecf73b872 49 bytes
File  C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\6d14e4b1d8ca773bab785d1be032546e_97d3c3c4-3f2a-458b-b777-abcecf73b872 47 bytes
File  C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\8f71098770f72c7a67cd8f1151619865_97d3c3c4-3f2a-458b-b777-abcecf73b872 54 bytes
File  C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\c7d9473626fbe9cf01d6fe030ded61e6_97d3c3c4-3f2a-458b-b777-abcecf73b872 2541 bytes
File  C:\RRbackups\ProgramData\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_97d3c3c4-3f2a-458b-b777-abcecf73b872 899 bytes

---- EOF - GMER 1.0.15 ----
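Triage helper for the System, Kernel code sections and User code sections entries of the log above. It is an added example, not part of the original log and not GMER's own code. It parses those lines (copied inline as the sample input), decodes the third bracketed value GMER prints for a section (the PE section characteristics word, named here with the IMAGE_SCN_* flag names), recognises a few common stub encodings in the patched bytes, and checks whether a reported 4-byte kernel "patch" is really a service-table slot: its little-endian value equalling a listed SSDT hook address. On this log that is exactly what happens: [20, 76, 37, 88] is 0x88377620, the ZwTerminateProcess hook in SASKUTIL.SYS, so the ntoskrnl entry is the SSDT slot, not an inline patch of KeInsertQueue. The ekrn.exe entry decodes to `ret 4`, a stub that returns immediately and discards the one stack argument. The hardlock.sys entries (writeable, RWX .text; entry point in a non-standard ".protect" section; unknown last code section) are the pattern a packed driver leaves behind. The script only classifies; whether a hook is hostile is decided by verifying the signature and origin of the file that owns it, which for these three entries are SUPERAntiSpyware, ESET and the hardlock dongle driver.

```python
from __future__ import annotations

import re
import struct
from dataclasses import dataclass

# Constructed sample: the kernel/user-mode lines of the GMER log above, verbatim.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT  \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS  ZwTerminateProcess [0x88377620]

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!KeInsertQueue + 811  820AAE58 4 Bytes  [20, 76, 37, 88]
.text  C:\Windows\system32\drivers\hardlock.sys  section is writeable [0xAD706400, 0x87EE2, 0xE8000020]
.protect  C:\Windows\system32\drivers\hardlock.sys  entry point in ".protect" section [0xAD7AA620]
.protect  C:\Windows\system32\drivers\hardlock.sys  unknown last code section [0xAD7AA400, 0x5126, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2148] kernel32.dll!SetUnhandledExceptionFilter  77526E2D 4 Bytes  [C2, 04, 00, 00]
"""

HEX = r"[0-9A-Fa-f]"
SSDT_RE = re.compile(rf"^SSDT\s+(?P<driver>.+?)\s+(?P<func>\w+)\s+\[0x(?P<addr>{HEX}+)\]")
PATCH_RE = re.compile(rf"^(?P<section>\S+)\s+(?P<where>.+?)\s+(?P<addr>{HEX}{{8}})\s+(?P<n>\d+)\s+Bytes\s+\[(?P<bytes>[0-9A-Fa-f ,]+)\]")
SECTION_RE = re.compile(rf"^(?P<section>\S+)\s+(?P<module>\S+)\s+(?P<what>section is writeable|unknown last code section)"
                        rf"\s+\[0x(?P<va>{HEX}+),\s*0x(?P<size>{HEX}+),\s*0x(?P<chars>{HEX}+)\]")
ENTRY_RE = re.compile(rf'^(?P<section>\S+)\s+(?P<module>\S+)\s+entry point in "(?P<ep>[^"]+)" section \[0x(?P<va>{HEX}+)\]')

# PE IMAGE_SCN_* bits that matter for triage (GMER prints the whole word as the 3rd bracketed value).
SECTION_FLAGS = {
    0x00000020: "CNT_CODE", 0x00000040: "CNT_INITIALIZED_DATA", 0x00000080: "CNT_UNINITIALIZED_DATA",
    0x08000000: "MEM_NOT_PAGED", 0x20000000: "MEM_EXECUTE", 0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE",
}


@dataclass
class Finding:
    kind: str
    detail: str


def le_dword(bs: list[int]) -> int:
    """Interpret 4 patched bytes as the little-endian pointer they would be if the slot is a table entry."""
    return struct.unpack("<I", bytes(bs))[0]


def section_flags(chars: int) -> set[str]:
    return {name for bit, name in SECTION_FLAGS.items() if chars & bit}


def describe_stub(addr: int, bs: list[int]) -> str:
    """Classify the first instruction of a patched prologue (x86)."""
    if len(bs) >= 3 and bs[0] == 0xC2:                      # ret imm16: return, pop imm16 bytes of args
        return f"ret {bs[1] | (bs[2] << 8)}"
    if bs and bs[0] == 0xC3:
        return "ret"
    if len(bs) >= 5 and bs[0] == 0xE9:                      # jmp rel32: classic inline hook trampoline
        rel = struct.unpack("<i", bytes(bs[1:5]))[0]
        return f"jmp 0x{(addr + 5 + rel) & 0xFFFFFFFF:08X}"
    return "unrecognised stub"


def triage(log: str) -> list[Finding]:
    findings: list[Finding] = []
    ssdt: dict[int, tuple[str, str]] = {}   # hook address -> (service name, owning driver)
    patches = []
    for raw in log.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue
        if m := SSDT_RE.match(line):
            addr = int(m["addr"], 16)
            ssdt[addr] = (m["func"], m["driver"])
            findings.append(Finding("ssdt-hook", f"{m['func']} -> 0x{addr:08X} in {m['driver']}"))
        elif m := PATCH_RE.match(line):
            patches.append(m)                # resolved after the SSDT table is complete
        elif m := SECTION_RE.match(line):
            flags = section_flags(int(m["chars"], 16))
            rwx = {"MEM_WRITE", "MEM_EXECUTE"} <= flags
            findings.append(Finding("section", f"{m['module']} {m['section']} ({m['what']}): "
                                               f"{' '.join(sorted(flags))}{' RWX' if rwx else ''}"))
        elif m := ENTRY_RE.match(line):
            findings.append(Finding("entry-point", f"{m['module']} entry point in {m['ep']} at 0x{m['va']}"))
    for m in patches:
        bs = [int(b, 16) for b in m["bytes"].replace(",", " ").split()]
        addr = int(m["addr"], 16)
        if len(bs) == 4 and le_dword(bs) in ssdt:
            func, driver = ssdt[le_dword(bs)]
            findings.append(Finding("ssdt-slot", f"{m['where']} @ {m['addr']} holds 0x{le_dword(bs):08X} = SSDT hook "
                                                 f"for {func} ({driver}); table slot, not an inline code patch"))
        else:
            findings.append(Finding("inline-patch", f"{m['where']} @ {m['addr']}: {describe_stub(addr, bs)}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind:12}] {f.detail}")
```

The patch lines are resolved only after the whole log has been read, because the SSDT entry that explains a kernel "patch" may appear in a different section of the log than the patch itself.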