GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-13 07:57:56
Windows 5.1.2600 Dodatek Service Pack 3
Running: l8y18bx8.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\kwlcikob.sys


---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx)  ZwAssignProcessToJobObject [0xB9F0859A]
SSDT  \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx)  ZwCreateThread [0xB9F085DE]
SSDT  \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx)  ZwDeleteKey [0xB9F083B0]
SSDT  \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx)  ZwDeleteValueKey [0xB9F08428]
SSDT  \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx)  ZwOpenProcess [0xB9F0895C]
SSDT  \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx)  ZwOpenThread [0xB9F0880A]
SSDT  \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx)  ZwProtectVirtualMemory [0xB9F0867C]
SSDT  \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx)  ZwSetContextThread [0xB9F08550]
SSDT  \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx)  ZwSetValueKey [0xB9F084B6]
SSDT  \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx)  ZwTerminateProcess [0xB9F08AEE]
SSDT  \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx)  ZwTerminateThread [0xB9F08712]
SSDT  \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx)  ZwWriteVirtualMemory [0xB9F08754]

---- Kernel code sections - GMER 1.0.15 ----

?      C:\WINDOWS\system32\drivers\SafeBoot.sys  Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces.
.rsrc  C:\WINDOWS\system32\DRIVERS\ipsec.sys  entry point in ".rsrc" section [0xAFC50614]

---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\Explorer.EXE[588] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 009B000A
.text  C:\WINDOWS\Explorer.EXE[588] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 00BA000A
.text  C:\WINDOWS\Explorer.EXE[588] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 009A000C
.text  C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 008D000A
.text  C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 008E000A
.text  C:\WINDOWS\System32\svchost.exe[1344] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 0077000C
.text  C:\WINDOWS\System32\svchost.exe[1344] ole32.dll!CoCreateInstance  774F057E 5 Bytes  JMP 00EA000A
.text  C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[1788] USER32.dll!SetScrollInfo  7E369056 5 Bytes  JMP 00F3E144 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text  C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[1788] USER32.dll!GetScrollInfo  7E37DFE2 5 Bytes  JMP 00F3E0C0 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text  C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[1788] USER32.dll!ShowScrollBar  7E37F2F2 5 Bytes  JMP 00F3E1C8 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text  C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[1788] USER32.dll!GetScrollPos  7E37F704 5 Bytes  JMP 00F3E0EC C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text  C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[1788] USER32.dll!SetScrollPos  7E37F750 5 Bytes  JMP 00F3E170 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text  C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[1788] USER32.dll!GetScrollRange  7E37F787 5 Bytes  JMP 00F3E118 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text  C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[1788] USER32.dll!SetScrollRange  7E37F99B 5 Bytes  JMP 00F3E19C C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text  C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[1788] USER32.dll!EnableScrollBar  7E3B8005 5 Bytes  JMP 00F3E094 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text  C:\WINDOWS\system32\wuauclt.exe[2328] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 003F000A
.text  C:\WINDOWS\system32\wuauclt.exe[2328] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 008B000A
.text  C:\WINDOWS\system32\wuauclt.exe[2328] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 003E000C

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter]  [F5A93928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter]  [F5A93928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter]  [F5A93928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]  [F5A93928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter]  [F5A93928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter]  [F5A93928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT  \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter]  [F5A93928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)
Device          \Driver\Tcpip \Device\Ip  afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device          \Driver\Tcpip \Device\Tcp  afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice  \Driver\Tcpip \Device\Tcp  pxrts.sys (Prevx Realtime Security/Prevx)
Device          \Driver\Tcpip \Device\Udp  afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device          \Driver\Tcpip \Device\RawIp  afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device          \Driver\Tcpip \Device\IPMULTICAST  afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device          -> \Driver\atapi \Device\Harddisk0\DR0  83F81EC5

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BsFileScan\Statistics@UiTotalScans  1179
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-73048860-3076797083-264437785-500@RefCount  3

---- Files - GMER 1.0.15 ----

File  C:\WINDOWS\system32\DRIVERS\ipsec.sys  suspicious modification
File  C:\WINDOWS\system32\drivers\atapi.sys  suspicious modification

---- EOF - GMER 1.0.15 ----