GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-20 17:36:46
Windows 6.0.6002 Service Pack 2
Running: b0rt9ntr.exe; Driver: C:\Users\DENVER~1\AppData\Local\Temp\kxkirpob.sys


---- System - GMER 1.0.15 ----

Code            87400390        ZwEnumerateKey
Code            871F1A18        ZwFlushInstructionCache
Code            871F2615        IofCallDriver
Code            8734513E        IofCompleteRequest

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\tdx \Device\Tcp         Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice  \Driver\tdx \Device\Udp         Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice  \Driver\tdx \Device\RawIp       Mpfp.sys (McAfee Personal Firewall Plus Driver/McAfee, Inc.)
AttachedDevice  \FileSystem\fastfat \Fat        fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [256] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [436] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [600] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [740] 0x01200000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [912] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1040] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1092] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1124] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1260] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1332] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1376] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1536] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1748] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2636] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [2676] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2836] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [3108] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [4412] 0x10000000
Library         \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [5284] 0x10000000

---- Services - GMER 1.0.15 ----

Service         C:\Windows\system32\drivers\H8SRTqwpswvdxxr.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg             HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg             HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg             HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg             HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg             HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg             HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg             HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTqfoauntiqt.dll
Reg             HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdtxibniyce.dat
Reg             HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll
Reg             HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg             HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@start 1
Reg             HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@type 1
Reg             HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg             HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@group file system
Reg             HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules (not active ControlSet)
Reg             HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg             HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTqfoauntiqt.dll
Reg             HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdtxibniyce.dat
Reg             HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll
Reg             HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys (not active ControlSet)
Reg             HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@start 1
Reg             HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@type 1
Reg             HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg             HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@group file system
Reg             HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules (not active ControlSet)
Reg             HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg             HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTqfoauntiqt.dll
Reg             HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdtxibniyce.dat
Reg             HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll
Reg             HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys (not active ControlSet)
Reg             HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@start 1
Reg             HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@type 1
Reg             HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg             HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys@group file system
Reg             HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules (not active ControlSet)
Reg             HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg             HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTqfoauntiqt.dll
Reg             HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdtxibniyce.dat
Reg             HKLM\SYSTEM\ControlSet004\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll
Reg             HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys (not active ControlSet)
Reg             HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys@start 1
Reg             HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys@type 1
Reg             HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg             HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys@group file system
Reg             HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules (not active ControlSet)
Reg             HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg             HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTqfoauntiqt.dll
Reg             HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdtxibniyce.dat
Reg             HKLM\SYSTEM\ControlSet005\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll
Reg             HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys (not active ControlSet)
Reg             HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys@start 1
Reg             HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys@type 1
Reg             HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg             HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys@group file system
Reg             HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules (not active ControlSet)
Reg             HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg             HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTqfoauntiqt.dll
Reg             HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTdtxibniyce.dat
Reg             HKLM\SYSTEM\ControlSet006\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll

---- Files - GMER 1.0.15 ----

File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.ci 0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.dir 0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.wid 0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.ci 0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.dir 0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010005.wid 0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.ci 0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.dir 0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010006.wid 0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.ci 0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.dir 0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010007.wid 0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.ci 4096 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.dir 4096 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010008.wid 65536 bytes
File            C:\Users\Denver Broncos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Denver Broncos\AppData\Local\Temp\H8SRT81c.tmp 679936 bytes executable
File            C:\Users\Denver Broncos\AppData\Local\Microsoft\Windows\Temporary Internet Files\Virtualized\C\Users\Denver Broncos\AppData\Roaming\Macromedia\Flash Player\#SharedObjects\Z7AZWGYU\media.mtvnservices.com\global\apps\player\gui\com\mtvnservices\media\player\gui\FFMod.swf 0 bytes
File            C:\Users\Denver Broncos\AppData\Local\Temp\H8SRT81c.tmp 679936 bytes executable
File            C:\Users\Denver Broncos\AppData\Local\Temp\Low\H8SRT7ae.tmp 17408 bytes executable
File            C:\Windows\System32\drivers\H8SRTqwpswvdxxr.sys 40960 bytes executable <-- ROOTKIT !!!
File            C:\Windows\System32\H8SRTdtxibniyce.dat 202 bytes
File            C:\Windows\System32\H8SRTpsbqmwjepn.dll 36864 bytes executable
File            C:\Windows\System32\H8SRTqfoauntiqt.dll 23040 bytes executable
File            C:\Windows\Temp\H8SRT39d4.tmp 202 bytes
File            C:\Windows\Temp\H8SRT3f31.tmp 201 bytes
File            C:\Windows\Temp\H8SRT4a48.tmp 203 bytes
File            C:\Windows\Temp\H8SRT5205.tmp 201 bytes
File            C:\Windows\Temp\H8SRT8b9b.tmp 203 bytes
File            C:\Windows\Temp\H8SRTaa23.tmp 202 bytes
File            C:\Windows\Temp\H8SRTbc1d.tmp 203 bytes

---- EOF - GMER 1.0.15 ----
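Added example, not part of the GMER output above and not GMER's own code: a small Python triage script that parses this log layout (section headers of the form "---- Name - GMER x.y.z ----", then one typed entry per line) and pulls out what an incident responder wants first from a scan like this: which hidden module was found in which processes, the hidden service and its boot-start/type settings, how many ControlSets carry the service key (so it survives "Last Known Good"), and which on-disk files match the modules the service registers under its \modules key. The regexes are written against the entry layouts visible in this log and are an assumption about GMER's format, not a specification; SAMPLE_LOG is a shortened, constructed excerpt of the scan above.

```python
"""Triage a GMER rootkit-scan log (added example; not part of GMER)."""
import re
from collections import defaultdict

# Constructed, shortened excerpt in the layout of the scan above.
SAMPLE_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-20 17:36:46
Windows 6.0.6002 Service Pack 2

---- Processes - GMER 1.0.15 ----

Library  \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [256] 0x10000000
Library  \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [740] 0x01200000
Library  \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [2636] 0x10000000
Library  \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [2676] 0x10000000

---- Services - GMER 1.0.15 ----

Service  C:\Windows\system32\drivers\H8SRTqwpswvdxxr.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTqwpswvdxxr.sys
Reg  HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTpsbqmwjepn.dll
Reg  HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTqwpswvdxxr.sys

---- Files - GMER 1.0.15 ----

File  C:\ProgramData\Microsoft\Search\Data\Applications\Windows\Projects\SystemIndex\Indexer\CiFiles\00010004.ci 0 bytes
File  C:\Users\Denver Broncos\AppData\Local\Temp\H8SRT81c.tmp 679936 bytes executable
File  C:\Windows\System32\drivers\H8SRTqwpswvdxxr.sys 40960 bytes executable <-- ROOTKIT !!!
File  C:\Windows\System32\H8SRTpsbqmwjepn.dll 36864 bytes executable

---- EOF - GMER 1.0.15 ----
"""

# Entry layouts as seen in this log (assumed, not a GMER specification).
SECTION_RE = re.compile(r"^---- (\w+) - GMER .*----$")
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<path>\S+)\s+(?P<hidden>\(\*\*\* hidden \*\*\* \))?\s*@\s+"
    r"(?P<proc>.+?)\s+\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)$")
SERVICE_RE = re.compile(
    r"^Service\s+(?P<path>\S+)\s+(?P<hidden>\(\*\*\* hidden \*\*\* \))?\s*"
    r"\[(?P<start>\w+)\]\s+(?P<name>\S+)(?P<flag>.*)$")
REG_RE = re.compile(r"^Reg\s+HKLM\\SYSTEM\\(?P<cs>\w+)\\Services\\(?P<svc>[^\\@\s]+)(?P<rest>.*)$")
MODULE_RE = re.compile(r"\\modules@\S+\s+(?P<path>\S+)$")
FILE_RE = re.compile(r"^File\s+(?P<path>.+?)\s+(?P<size>\d+) bytes(?P<rest>.*)$")


def basename(path):
    """Lower-cased last path component; paths here use Windows separators."""
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def triage(log_text):
    section = None
    injected = defaultdict(dict)    # hidden DLL -> {pid: process image}
    services = []                   # one dict per Service entry
    persistence = defaultdict(set)  # service name -> ControlSets carrying its key
    modules = set()                 # basenames registered under <service>\modules
    files = []                      # (path, size, trailing text) for every File entry
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "Processes":
            m = LIBRARY_RE.match(line)
            if m and m.group("hidden"):
                injected[m.group("path")][int(m.group("pid"))] = m.group("proc")
        elif section == "Services":
            m = SERVICE_RE.match(line)
            if m:
                services.append({"name": m.group("name"), "image": m.group("path"),
                                 "start": m.group("start"), "hidden": bool(m.group("hidden")),
                                 "rootkit": "ROOTKIT" in m.group("flag")})
        elif section == "Registry":
            m = REG_RE.match(line)
            if m:
                persistence[m.group("svc")].add(m.group("cs"))
                mm = MODULE_RE.search(m.group("rest"))
                if mm:
                    modules.add(basename(mm.group("path")))
        elif section == "Files":
            m = FILE_RE.match(line)
            if m:
                files.append((m.group("path"), int(m.group("size")), m.group("rest")))
    # Files worth collecting: flagged by GMER, or named in the service's module list.
    related = [p for p, _, rest in files if basename(p) in modules or "ROOTKIT" in rest]
    return {"injected": {dll: dict(sorted(pids.items())) for dll, pids in injected.items()},
            "services": services,
            "persistence": {svc: sorted(cs) for svc, cs in persistence.items()},
            "related_files": related}


def report(result):
    for dll, pids in result["injected"].items():
        print(f"hidden module {dll} injected into {len(pids)} processes:")
        for pid, proc in pids.items():
            print(f"    [{pid}] {proc}")
    for svc in result["services"]:
        sets = result["persistence"].get(svc["name"], [])
        print(f"service {svc['name']} image={svc['image']} start={svc['start']} "
              f"hidden={svc['hidden']} rootkit={svc['rootkit']} control_sets={sets}")
    print("files to collect:", *result["related_files"], sep="\n    ")


if __name__ == "__main__":
    report(triage(SAMPLE_LOG))
```

Run it against a full GMER log by passing the file's text to triage(); the related_files list is the set to pull for hashing and submission before cleanup, and a service key present in several ControlSets (all six in the scan above) is why deleting it from CurrentControlSet alone does not remove the persistence.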