GMER 1.0.15.15627 - http://www.gmer.net
Rootkit scan 2011-05-14 19:38:24
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk2\DR2 -> \Device\Ide\IdeDeviceP3T0L0-22 WDC_WD2500JS-00SGB0 rev.20.06C03
Running: e8h3m78x.exe; Driver: C:\DOCUME~1\Krzys\USTAWI~1\Temp\kxtdqpob.sys


---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwAssignProcessToJobObject [0xAA147FC0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwCreateFile [0xAA148A56]
SSDT \??\C:\Documents and Settings\All Users\Dane aplikacji\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwCreateThread [0xB824CDB6]
SSDT \??\C:\Documents and Settings\All Users\Dane aplikacji\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwDeleteFile [0xB824BE12]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteKey [0xAA14C27C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwDeleteValueKey [0xAA14C2AE]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwLoadKey [0xAA14C410]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenFile [0xAA148B2C]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenProcess [0xAA148104]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwOpenThread [0xAA1482F6]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwProtectVirtualMemory [0xAA148428]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwQueryValueKey [0xAA14C386]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRenameKey [0xAA14C2F0]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwReplaceKey [0xAA14C322]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwRestoreKey [0xAA14C354]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSetContextThread [0xAA147F66]
SSDT \??\C:\Documents and Settings\All Users\Dane aplikacji\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwSetInformationFile [0xB824BE86]
SSDT \??\C:\Documents and Settings\All Users\Dane aplikacji\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwSetValueKey [0xB824CC92]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwSuspendThread [0xAA147F02]
SSDT \??\C:\Documents and Settings\All Users\Dane aplikacji\Trusteer\Rapport\store\exts\RapportCerberus\26169\RapportCerberus_26169.sys (RapportCerberus/Trusteer Ltd.) ZwTerminateProcess [0xB824BD98]
SSDT \??\C:\Program Files\Trusteer\Rapport\bin\RapportPG.sys (RapportPG/Trusteer Ltd.) ZwTerminateThread [0xAA147E9E]

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwQueryValueKey + 349 8062265D 7 Bytes JMP B86C5198
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB6CDC000, 0x2A556C, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA678C300, 0x3AE88, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xAA2D4300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[404] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 0043EA30 C:\Program Files\Trusteer\Rapport\bin\RapportService.exe (RapportService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[404] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AC0001
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[404] USER32.dll!GetGUIThreadInfo + FB 7E378023 6 Bytes JMP 71AE001E
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[404] WS2_32.dll!getaddrinfo 71A52A6F 5 Bytes JMP 719E0022
.text C:\Program Files\Trusteer\Rapport\bin\RapportService.exe[404] WS2_32.dll!gethostbyname 71A55355 5 Bytes JMP 71A20022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1220] ntdll.dll!KiUserApcDispatcher 7C90E450 5 Bytes JMP 00414130 C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe (RapportMgmtService/Trusteer Ltd.)
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1220] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AB0001
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1220] WS2_32.dll!getaddrinfo 71A52A6F 5 Bytes JMP 71A10022
.text C:\Program Files\Trusteer\Rapport\bin\RapportMgmtService.exe[1220] WS2_32.dll!gethostbyname 71A55355 5 Bytes JMP 71AE0022

---- Devices - GMER 1.0.15 ----

Device \Driver\atapi \Device\Ide\IdePort0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-22 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort3 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort4 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort5 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-17 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Imagedrv \Device\Scsi\Imagedrv1Port0Path0Target0Lun0 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\Imagedrv \Device\Scsi\Imagedrv1 sfsync02.sys (StarForce Protection Synchronization Driver/Protection Technology)

AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS (InCD File System Recognizer/Nero AG)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBB 0x13 0x48 0x6F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xF7 0x0D 0x41 0x59 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158307c65a
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001986000f4b
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001986000f4b@00027817e0f8 0x8B 0xF3 0x79 0xA5 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBB 0x13 0x48 0x6F ...
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00158307c65a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001986000f4b (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\001986000f4b@00027817e0f8 0x8B 0xF3 0x79 0xA5 ...
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xBB 0x13 0x48 0x6F ...

---- EOF - GMER 1.0.15 ----