GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-04-11 18:54:33
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_HD161HJ rev.JF100-19 149,05GB
Running: 4fbl7mrz.exe; Driver: C:\DOCUME~1\Nemesis\USTAWI~1\Temp\fwrdifow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwAdjustPrivilegesToken [0xB2249414]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwClose [0xB21E58A6]
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort [0xB1FD135A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateEvent [0xB21E5E1E]
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile [0xB1FCB5F8]
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey [0xB1FEA86A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateMutant [0xB21E5D04]
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort [0xB1FD1AE6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcess [0xB224B38E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateProcessEx [0xB224B5AA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSection [0xB224C46A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSemaphore [0xB21E5F3E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateSymbolicLinkObject [0xB220C480]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwCreateThread [0xB224BA6E]
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort [0xB1FD1C1C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDebugActiveProcess [0xB224B234]
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile [0xB1FCC20E]
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey [0xB1FEC1B0]
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey [0xB1FEBACA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDeviceIoControlFile [0xB21E58EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwDuplicateObject [0xB2249556]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateKey [0xB21F76D0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwEnumerateValueKey [0xB21F8064]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwLoadDriver [0xB22491BE]
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey [0xB1FECBBA]
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey2 [0xB1FECDC2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwMapViewOfSection [0xB220C4C0]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwNotifyChangeKey [0xB21FAE20]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenEvent [0xB21E5EB4]
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile [0xB1FCBE20]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenMutant [0xB21E5D94]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenProcess [0xB224ADDC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSection [0xB224C716]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenSemaphore [0xB21E5FD4]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwOpenThread [0xB224B7CA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwPlugPlayControl [0xB220C490]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryKey [0xB21F6510]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryMultipleValueKey [0xB21F7CD2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryObject [0xB21FB02C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueryValueKey [0xB21F7AC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwQueueApcThread [0xB224C118]
SSDT \SystemRoot\System32\vsdatant.sys ZwRenameKey [0xB1FEDB50]
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey [0xB1FED486]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyPort [0xB21FCC90]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePort [0xB21FCB1E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwReplyWaitReceivePortEx [0xB21FCBD4]
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort [0xB1FD0F28]
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey [0xB1FEE522]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwResumeThread [0xB224BE44]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKey [0xB21F6994]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveKeyEx [0xB21F6B2A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSaveMergedKeys [0xB21F6CC6]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSecureConnectPort [0xB21FC7EA]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetContextThread [0xB224BFA0]
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile [0xB1FCC5D2]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetInformationToken [0xB21E605E]
SSDT \SystemRoot\System32\vsdatant.sys ZwSetSecurityObject [0xB1FEE090]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSetSystemInformation [0xB22492C8]
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey [0xB1FEB252]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendProcess [0xB224AF7C]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSuspendThread [0xB224BCEC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwSystemDebugControl [0xB21E6070]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateProcess [0xB224B0DC]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwTerminateThread [0xB224B96A]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwUnmapViewOfSection [0xB224C87E]
SSDT \SystemRoot\system32\DRIVERS\klif.sys ZwWriteVirtualMemory [0xB224C5A8]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C7C 80504508 12 Bytes [E6, 1A, FD, B1, 8E, B3, 24, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2C8C 80504518 16 Bytes [6A, C4, 24, B2, 3E, 5F, 1E, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D48 805045D4 12 Bytes [BE, 91, 24, B2, BA, CB, FE, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2EC4 80504750 20 Bytes [50, DB, FE, B1, 86, D4, FE, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2EFC 80504788 20 Bytes [44, BE, 24, B2, 94, 69, 1F, ...]
.text ...
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB50B73C0, 0x706FCA, 0xE8000020]
.vmp2 C:\WINDOWS\system32\drivers\acedrv11.sys entry point in ".vmp2" section [0xB0C8C69D]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB0C51000, 0xBB22, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB8438300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\CheckPoint\ZAForceField\IswSvc.exe[1192] USER32.dll!DefDlgProcW + 56E 7E3742A8 5 Bytes JMP 20CC9266 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll

---- Devices - GMER 2.1 ----

Device \Driver\usbhub \Device\0000009b hcmon.sys
Device \Driver\usbhub \Device\0000009c hcmon.sys
Device \Driver\Tcpip \Device\Ip vsdatant.sys
Device \Driver\usbhub \Device\0000009d hcmon.sys
Device \Driver\usbhub \Device\0000009e hcmon.sys
Device \Driver\usbhub \Device\0000009f hcmon.sys
Device \Driver\usbohci \Device\USBPDO-0 hcmon.sys
Device \Driver\usbohci \Device\USBPDO-1 hcmon.sys
Device \Driver\usbohci \Device\USBPDO-2 hcmon.sys
Device \Driver\usbehci \Device\USBPDO-3 hcmon.sys
Device \Driver\usbohci \Device\USBPDO-4 hcmon.sys
Device \Driver\Tcpip \Device\Tcp vsdatant.sys
Device \Driver\usbohci \Device\USBPDO-5 hcmon.sys
Device \Driver\prodrv06 \Device\ProDrv06 E195B6D0
Device \Driver\usbehci \Device\USBPDO-6 hcmon.sys
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort2 prosync1.sys
Device \Driver\atapi \Device\Ide\IdePort3 prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c prosync1.sys
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 prosync1.sys
Device \Driver\usbhub \Device\USBPDO-10 hcmon.sys
Device \Driver\prohlp02 \Device\ProHlp02 E153A4C8
Device \Driver\usbhub \Device\00000091 hcmon.sys
Device \Driver\Tcpip \Device\Udp vsdatant.sys
Device \Driver\Tcpip \Device\RawIp vsdatant.sys
Device \Driver\usbohci \Device\USBFDO-0 hcmon.sys
Device \Driver\usbohci \Device\USBFDO-1 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-2 hcmon.sys
Device \Driver\Tcpip \Device\IPMULTICAST vsdatant.sys
Device \Driver\usbohci \Device\USBFDO-3 hcmon.sys
Device \Driver\usbohci \Device\USBFDO-4 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-5 hcmon.sys
Device \Driver\usbohci \Device\USBFDO-6 hcmon.sys
Device \Driver\usbhub \Device\0000009a hcmon.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys

---- Threads - GMER 2.1 ----

Thread System [4:1820] B0A1CC10
Thread System [4:1600] B0A1CC10

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{30F5C683-74E4-4862-93A5-4E7E742D666A}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{46300566-FB4F-4A63-9A15-A9F2B5BE8B67}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{6A186E88-2DBB-4B1B-AFFF-C93553142FEC}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\ControlSet003\Control\Video\{30F5C683-74E4-4862-93A5-4E7E742D666A}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\ControlSet003\Control\Video\{46300566-FB4F-4A63-9A15-A9F2B5BE8B67}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\ControlSet003\Control\Video\{6A186E88-2DBB-4B1B-AFFF-C93553142FEC}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x99 0xFC 0xB5 0x3D ...

---- EOF - GMER 2.1 ----