GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-13 20:48:52
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHV2040BH rev.00000025
Running: 8mndrr6y.exe; Driver: C:\DOCUME~1\kasia\USTAWI~1\Temp\pxtdqpoc.sys

---- System - GMER 1.0.15 ----

INT 0x62 ? 82FE2CB8
INT 0x82 ? 82FE2CB8
INT 0x94 ? 82E28CB8
INT 0xA4 ? 82E28CB8

---- Kernel code sections - GMER 1.0.15 ----

.sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF86BEB2E]
.text USBPORT.SYS!DllUnload F65D08AC 5 Bytes JMP 82E281C8

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchFilter.exe[2200] kernel32.dll!SetErrorMode 7C80ACAF 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchFilter.exe[2200] USER32.dll!MessageBoxA 7E3A07EA 1 Byte [CC] {INT 3 }
.text C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\WindowsSearchIndexer.exe[2924] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 646A05B2 C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-gb\bin\mssrch.dll (Windows Desktop Search executable/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F85CA232] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F85C9730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F85C9F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F85C9730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F85C9914] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F85C9856] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F85CA0F0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F85C9F12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\System32\drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82FE52F8
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 82E282F8
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F85DDEB0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 82FE11E8
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\usbuhci \Device\USBPDO-0 82A511E8
Device \Driver\usbuhci \Device\USBPDO-1 82A511E8
Device \Driver\usbehci \Device\USBPDO-2 82E1C1E8
Device \Driver\prodrv06 \Device\ProDrv06 E197AC30
Device \Driver\NetBT \Device\NetBT_Tcpip_{66BCF129-A94D-419B-BD42-4AEA71F7126F} 82BED430
Device \Driver\Cdrom \Device\CdRom0 82E0F1E8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F853BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 [F853BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 [F853BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F853BB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\NetBT \Device\NetBT_Tcpip_{E0CE0F34-F4AA-41B3-9EDE-0D722C660AFC} 82BED430
Device \Driver\prohlp02 \Device\ProHlp02 E16CCAA8
Device \Driver\NetBT \Device\NetBt_Wins_Export 82BED430
Device \Driver\NetBT \Device\NetbiosSmb 82BED430
Device \Driver\usbuhci \Device\USBFDO-0 82A511E8
Device \Driver\usbuhci \Device\USBFDO-1 82A511E8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82E4A430
Device \Driver\usbehci \Device\USBFDO-2 82E1C1E8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 82E4A430
Device \FileSystem\Cdfs \Cdfs 82C32430
Device \FileSystem\Cdfs \Cdfs tfsnifs.sys (Drive Letter Access Component/Sonic Solutions)

---- Files - GMER 1.0.15 ----

ADS C:\WINDOWS\system32\svchost.exe:ext.exe 46080 bytes executable <-- ROOTKIT !!!

---- Services - GMER 1.0.15 ----

Service C:\WINDOWS\system32\svchost.exe:ext.exe [AUTO] FCI <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----