GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-02 13:26:19
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD200EB-75CPF0 rev.06.04G06
Running: lhmkuy4e.exe; Driver: C:\DOCUME~1\Admin\USTAWI~1\Temp\pwkiypoc.sys


---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\system32\DRIVERS\PSINProc.sys (PSINProc Filter Driver for XP32/Panda Security, S.L.)  ZwTerminateProcess [0xEF27C416]

Code  F4232C9C  ZwRequestPort
Code  F4232D3C  ZwRequestWaitReplyPort
Code  F4232BFC  ZwTraceEvent
Code  F4232C9B  NtRequestPort
Code  F4232D3B  NtRequestWaitReplyPort
Code  F4232BFB  NtTraceEvent

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!NtTraceEvent  80545B50 5 Bytes  JMP F4232C00
PAGE   ntoskrnl.exe!NtRequestWaitReplyPort  80576EC6 5 Bytes  JMP F4232D40
PAGE   ntoskrnl.exe!NtRequestPort  805DD6A4 5 Bytes  JMP F4232CA0
.text  win32k.sys!EngAcquireSemaphore + 20F0  BF808314 5 Bytes  JMP F4232480
.text  win32k.sys!EngFreeUserMem + 5BD2  BF80EE9B 5 Bytes  JMP F42323E0
.text  win32k.sys!EngCopyBits + 68D  BF838EE9 5 Bytes  JMP F42325C0
.text  win32k.sys!EngCreateBitmap + 6F4  BF83E114 5 Bytes  JMP F4232700
.text  win32k.sys!EngMultiByteToWideChar + 2F32  BF8A0DA2 5 Bytes  JMP F42328E0
.text  win32k.sys!EngAlphaBlend + 350F  BF8AA477 5 Bytes  JMP F4232A20
.text  win32k.sys!EngMulDiv + 90FE  BF8B42EE 5 Bytes  JMP F4232660
.text  win32k.sys!XLATEOBJ_iXlate + 3A5D  BF8B9EBC 5 Bytes  JMP F4232520
.text  win32k.sys!EngUnicodeToMultiByteN + 1756  BF8C32CE 5 Bytes  JMP F42327A0
.text  win32k.sys!PATHOBJ_bCloseFigure + 19F1  BF8F9987 5 Bytes  JMP F4232980
.text  win32k.sys!EngCreateClip + 1A0A  BF91381F 5 Bytes  JMP F4232AC0
.text  win32k.sys!EngCreateClip + 1F9A  BF913DAF 5 Bytes  JMP F4232B60
.text  win32k.sys!EngCreateClip + 25E0  BF9143F5 5 Bytes  JMP F4232840

---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\winlogon.exe[656] ntdll.dll!NtLockProductActivationKeys  7C90D4AE 5 Bytes  JMP 10001000 C:\WINDOWS\system32\antiwpa.dll
.text  C:\WINDOWS\system32\winlogon.exe[656] USER32.dll!GetSystemMetrics  7E368F9C 5 Bytes  JMP 10001018 C:\WINDOWS\system32\antiwpa.dll

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  dc_fsf.sys
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume1  dcrypt.sys
AttachedDevice  \Driver\Ftdisk \Device\HarddiskVolume2  dcrypt.sys
AttachedDevice  \FileSystem\Fastfat \Fat  dc_fsf.sys
AttachedDevice  \FileSystem\Fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x35 0x6E 0x32 0x39 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0  C:\Program Files\Alcohol Soft\Alcohol 52\
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew  0x16 0xCF 0x37 0x42 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew  0x88 0xE3 0x5F 0xB8 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x96 0xCA 0x6D 0xAC ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0  C:\Program Files\Alcohol Soft\Alcohol 52\
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew  0x16 0xCF 0x37 0x42 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew  0x8C 0x0B 0x64 0x4D ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite\

---- EOF - GMER 1.0.15 ----