GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-13 18:13:54
Windows 5.1.2600 Service Pack 3
Running: l8y18bx8.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\kwlcikob.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwAssignProcessToJobObject [0xF758D59A]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwCreateThread [0xF758D5DE]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteKey [0xF758D3B0]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwDeleteValueKey [0xF758D428]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xF758D95C]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenThread [0xF758D80A]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwProtectVirtualMemory [0xF758D67C]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetContextThread [0xF758D550]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwSetValueKey [0xF758D4B6]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0xF758DAEE]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateThread [0xF758D712]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwWriteVirtualMemory [0xF758D754]

---- Kernel code sections - GMER 1.0.15 ----

? C:\WINDOWS\system32\drivers\SafeBoot.sys The process cannot access the file because it is being used by another process.
---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[2584] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 02656641 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!CreateThread 7C8106D7 2 Bytes JMP 02655C60 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!CreateThread + 3 7C8106DA 2 Bytes [E4, 85] {IN AL, 0x85}
.text C:\WINDOWS\Explorer.EXE[2584] USER32.dll!SetWindowTextW 7E37960E 5 Bytes JMP 0265633A C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[3716] USER32.dll!SetScrollInfo 7E369056 3 Bytes JMP 00E6E144 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[3716] USER32.dll!SetScrollInfo + 4 7E36905A 1 Byte [82]
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[3716] USER32.dll!GetScrollInfo 7E37DFE2 5 Bytes JMP 00E6E0C0 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[3716] USER32.dll!ShowScrollBar 7E37F2F2 5 Bytes JMP 00E6E1C8 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[3716] USER32.dll!GetScrollPos 7E37F704 5 Bytes JMP 00E6E0EC C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[3716] USER32.dll!SetScrollPos 7E37F750 5 Bytes JMP 00E6E170 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[3716] USER32.dll!GetScrollRange 7E37F787 5 Bytes JMP 00E6E118 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[3716] USER32.dll!SetScrollRange 7E37F99B 5 Bytes JMP 00E6E19C C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[3716] USER32.dll!EnableScrollBar 7E3B8005 5 Bytes JMP 00E6E094 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\ndiswan.sys[NDIS.SYS!NdisOpenAdapter] [F6284928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter] [F6284928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter] [F6284928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F6284928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter] [F6284928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\arp1394.sys[NDIS.SYS!NdisOpenAdapter] [F6284928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
IAT \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter] [F6284928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)
Device \Driver\Tcpip \Device\Ip afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
Device \Driver\Tcpip \Device\Tcp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)
Device \Driver\Tcpip \Device\Udp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\RawIp afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
Device \Driver\Tcpip \Device\IPMULTICAST afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BsFileScan\Statistics@UiTotalScans 2051
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-73048860-3076797083-264437785-500@RefCount 10

---- EOF - GMER 1.0.15 ----
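Every hook in the log above (SSDT entries, inline .text JMPs, the NDIS IAT patches, the attached devices) is attributed to a security product the machine is running: Prevx, BullGuard and the Agnitum firewall. That is the normal noise of a host with three hooking products installed, and the work of reading such a log is separating that noise from the entries that need a closer look. The following triage parser is an added example, not part of the GMER output or of GMER itself. It assumes the analyst maintains an allowlist of vendors whose hooks are expected on this host (the `TRUSTED_VENDORS` set is an assumption, not something the log states) and flags the rest: hook owners with no description/vendor annotation, vendors outside the allowlist, modules loaded from a Temp directory, and kernel images GMER could not read (the `?` SafeBoot.sys line). The sample lines are copied from the log above, plus one hypothetical `hidden.sys` SSDT entry that does not appear in the log and exists only to exercise the unattributed path.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: entries copied from the GMER log above, plus one
# hypothetical SSDT line (hidden.sys, no vendor annotation) that is NOT in the
# log and exists only to exercise the "unattributed module" path.
SAMPLE_LOG = r"""
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwOpenProcess [0xF758D95C]
SSDT \SystemRoot\System32\drivers\pxrts.sys (Prevx Realtime Security/Prevx) ZwTerminateProcess [0xF758DAEE]
SSDT \??\C:\WINDOWS\system32\drivers\hidden.sys ZwQueryDirectoryFile [0xF7A01234]
? C:\WINDOWS\system32\drivers\SafeBoot.sys The process cannot access the file because it is being used by another process.
.text C:\WINDOWS\Explorer.EXE[2584] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 02656641 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!CreateThread 7C8106D7 2 Bytes JMP 02655C60 C:\WINDOWS\system32\PxSecure.dll (Prevx Security Library/Prevx)
.text C:\WINDOWS\Explorer.EXE[2584] kernel32.dll!CreateThread + 3 7C8106DA 2 Bytes [E4, 85] {IN AL, 0x85}
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[3716] USER32.dll!SetScrollInfo 7E369056 3 Bytes JMP 00E6E144 C:\Program Files\BullGuard Ltd\BullGuard\gui\BgScrollHookDll.dll (BullGuard Scrollbar Module/BullGuard Ltd.)
.text C:\Program Files\BullGuard Ltd\BullGuard\bullguard.exe[3716] USER32.dll!SetScrollInfo + 4 7E36905A 1 Byte [82]
IAT \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter] [F6284928] \SystemRoot\system32\DRIVERS\afwcore.sys (Agnitum Firewall Core Driver/Agnitum Ltd.)
AttachedDevice \Driver\Tcpip \Device\Tcp pxrts.sys (Prevx Realtime Security/Prevx)
AttachedDevice \FileSystem\Ntfs \Ntfs BdFileSpy.sys (BullGuard File Monitor (x86)/BullGuard Ltd.)
"""

# Assumption: vendors whose hooks the analyst expects on this particular host.
TRUSTED_VENDORS = {"Prevx", "BullGuard Ltd.", "Agnitum Ltd."}

# GMER's "(Description/Vendor)" annotation; the description may itself contain
# parentheses, as in "(BullGuard File Monitor (x86)/BullGuard Ltd.)".
ANNOT = r"(?:\s+\((?P<desc>[^/]*)/(?P<vendor>[^()]*)\))?"
PATTERNS = {
    "ssdt": re.compile(r"^SSDT\s+(?P<module>\S+)" + ANNOT
                       + r"\s+(?P<target>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$"),
    "inline": re.compile(r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<target>\S+!\S+)"
                         r"(?:\s+\+\s+\d+)?\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+) Bytes?\s+(?P<rest>.*)$"),
    "iat": re.compile(r"^IAT\s+(?P<host>\S+)\[(?P<target>[^\]]+)\]\s+\[(?P<addr>[0-9A-Fa-f]+)\]"
                      r"\s+(?P<module>.+?)" + ANNOT + r"$"),
    "device": re.compile(r"^(?:AttachedDevice|Device)\s+(?P<driver>\S+)\s+(?P<target>\S+)"
                         r"\s+(?P<module>.+?)" + ANNOT + r"$"),
    "unreadable": re.compile(r"^\?\s+(?P<module>\S+)\s+(?P<rest>.*)$"),
}
# Tail of an inline hook line: the JMP destination and the module that owns it.
JMP = re.compile(r"^JMP\s+(?P<dest>[0-9A-Fa-f]{8})\s+(?P<module>.+?)" + ANNOT + r"$")


@dataclass
class Finding:
    kind: str
    target: str            # hooked function, device or image
    module: str            # module that owns the hook (empty for fragments)
    vendor: Optional[str]  # vendor text from the annotation, None if absent
    flags: list = field(default_factory=list)


def parse_line(line: str) -> Optional[Finding]:
    """Parse one GMER entry; returns None for headers, blanks and registry lines."""
    line = line.strip()
    for kind, pat in PATTERNS.items():
        m = pat.match(line)
        if not m:
            continue
        g = m.groupdict()
        if kind == "inline":
            j = JMP.match(g["rest"])
            if not j:
                # Continuation entry: the bytes GMER lists after a short JMP
                # ("[E4, 85] {IN AL, 0x85}", "[82]") belong to the hook on the
                # preceding line and name no module of their own.
                return Finding("inline-fragment", g["target"], "", None)
            g.update(j.groupdict())
        return Finding(kind, g.get("target", ""), g.get("module", ""), g.get("vendor"))
    return None


def triage(log: str, trusted_vendors: set) -> list:
    """Parse every entry and attach the reasons it deserves a look, if any."""
    findings = []
    for line in log.splitlines():
        fnd = parse_line(line)
        if fnd is None:
            continue
        if fnd.kind == "unreadable":
            fnd.flags.append("kernel image could not be read; verify the file by hash offline")
        elif fnd.kind != "inline-fragment":
            if fnd.vendor is None:
                fnd.flags.append("hooking module carries no description/vendor")
            elif fnd.vendor not in trusted_vendors:
                fnd.flags.append(f"vendor {fnd.vendor!r} not on the analyst allowlist")
            if re.search(r"\\temp\\", fnd.module, re.I):
                fnd.flags.append("module loaded from a Temp directory")
        findings.append(fnd)
    return findings


def suspicious(log: str, trusted_vendors: set) -> list:
    """Only the entries that carry at least one flag."""
    return [fnd for fnd in triage(log, trusted_vendors) if fnd.flags]


if __name__ == "__main__":
    for fnd in suspicious(SAMPLE_LOG, TRUSTED_VENDORS):
        print(fnd.kind, fnd.target or fnd.module, "|", "; ".join(fnd.flags))
```

Run against the sample, only two entries survive the allowlist: the hypothetical `hidden.sys` SSDT hook on `ZwQueryDirectoryFile` (no vendor text at all) and the `SafeBoot.sys` image GMER could not open. The allowlist is a filter for expected noise, not an authentication: the description/vendor text is something GMER reads from the module itself, and any file can carry a plausible string, so anything the filter keeps (and anything the analyst is unsure about) still needs the file pulled and its hash and signature checked outside the running system.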