GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-29 14:45:07
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD502IJ rev.1AA01113
Running: s9rrekun.exe; Driver: C:\Users\Kacprut\AppData\Local\Temp\pfrdrpoc.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwAddBootEntry [0x8E22D7B6]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwAlpcConnectPort [0x8E22DD18]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwAlpcSendWaitReceivePort [0x8E230056]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwConnectPort [0x8E22EAD0]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwCreateFile [0x8E22FBA0]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwCreateSection [0x8E22E76E]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwCreateThread [0x8E22CB1C]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwDeleteBootEntry [0x8E22D822]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwDeleteFile [0x8E22FA28]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwDeviceIoControlFile [0x8E22CBCC]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwDuplicateObject [0x8E22D5B2]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwFsControlFile [0x8E22DF5C]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwImpersonateClientOfPort [0x8E22DF22]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwImpersonateThread [0x8E22DEE0]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwLoadDriver [0x8E22E3FC]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwMapViewOfSection [0x8E22E2F4]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwModifyBootEntry [0x8E22D7EC]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwOpenFile [0x8E22FCD8]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwOpenProcess [0x8E22E8FA]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwOpenSection [0x8E22E4D2]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwOpenThread [0x8E22E9CC]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwProtectVirtualMemory [0x8E22E596]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwQueueApcThread [0x8E22D172]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwReplaceKey [0x8E22D952]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwRequestWaitReplyPort [0x8E22FF82]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwRestoreKey [0x8E22D890]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwSecureConnectPort [0x8E22EBA4]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwSetBootOptions [0x8E22D858]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwSetContextThread [0x8E22D216]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwSetInformationFile [0x8E22E004]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwSetSystemInformation [0x8E22D03C]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwShutdownSystem [0x8E22D76E]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwSystemDebugControl [0x8E22D28A]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwTerminateProcess [0x8E239D90]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwTerminateThread [0x8E239DB3]
SSDT \??\C:\Program Files\SpyShelter Premium\SpyShelter.sys ZwWriteVirtualMemory [0x8E22FA8C]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C7A599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C9EF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 214 82CA6724 4 Bytes [B6, D7, 22, 8E]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82CA6758 4 Bytes [18, DD, 22, 8E]
.text ntkrnlpa.exe!RtlSidHashLookup + 28C 82CA679C 4 Bytes [56, 00, 23, 8E]
.text ntkrnlpa.exe!RtlSidHashLookup + 2DC 82CA67EC 4 Bytes JMP DF6C8E22
.text ntkrnlpa.exe!RtlSidHashLookup + 2F8 82CA6808 4 Bytes [A0, FB, 22, 8E]
.text ...
.reloc C:\Windows\SYSTEM32\drivers\diskpt.sys section is executable [0x8393A400, 0x157C8, 0xE0000060]
.Shltr3 C:\Program Files\SpyShelter Premium\SpyShelter.sys entry point in ".Shltr3" section [0x8E270A82]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1540] kernel32.dll!SetUnhandledExceptionFilter 75B03162 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3420] ntdll.dll!LdrLoadDll 76F9F625 5 Bytes JMP 002E13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [73C22494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [73C05624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [73C056E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [73C2250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73C18573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [73C14D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [73C150CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [73C151A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73C166D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73C182CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73C18819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73C1907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73C1E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2476] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [73C14C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[4064] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74FB5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[4064] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74FB5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[4064] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74FB5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[4064] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74FB5E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs diskpt.sys (Shadow Defender Filter Driver/SHADOWDEFENDER.COM)
Device \Driver\ACPI_HAL \Device\00000052 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 diskpt.sys (Shadow Defender Filter Driver/SHADOWDEFENDER.COM)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 diskpt.sys (Shadow Defender Filter Driver/SHADOWDEFENDER.COM)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 diskpt.sys (Shadow Defender Filter Driver/SHADOWDEFENDER.COM)
AttachedDevice \FileSystem\fastfat \Fat diskpt.sys (Shadow Defender Filter Driver/SHADOWDEFENDER.COM)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System