GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-04-21 05:13:53
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Scsi\nvidesm1Port0Path0Target0Lun0 WDC_WD80 rev.05.0
Running: fk4lhqxt.exe; Driver: C:\DOCUME~1\Cap\USTAWI~1\Temp\pwrdqpog.sys

---- System - GMER 1.0.15 ----

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B15D516D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) B15D4FC2

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xB9D7B510]
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB98F3000, 0x1C5D38, 0xE8000020]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xADE0D400, 0x87EE2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xADEB1620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xADEB1620]
.protect˙˙˙˙hardlockunknown last code section [0xADEB1400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xADEB1400, 0x5126, 0xE0000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@LoadAppInit_DLLs 1
Reg HKLM\SOFTWARE\Classes\CLSID\{1BF0DBD2-2BDF-18DE-ED9A-C481F00E248D}\InProcServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{1BF0DBD2-2BDF-18DE-ED9A-C481F00E248D}\InProcServer32@jaaefninooaffhimcohp 0x6B 0x61 0x70 0x63 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{1BF0DBD2-2BDF-18DE-ED9A-C481F00E248D}\InProcServer32@iaaelnomffaomeiagl 0x6A 0x61 0x63 0x64 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{1BF0DBD2-2BDF-18DE-ED9A-C481F00E248D}\InProcServer32@faaennilfdli 0x64 0x61 0x62 0x67 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{1BF0DBD2-2BDF-18DE-ED9A-C481F00E248D}\InProcServer32@eaaeinnmmn 0x6B 0x61 0x70 0x63 ...

---- EOF - GMER 1.0.15 ----