GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2009-12-29 20:35:38
Windows 6.0.6002 Service Pack 2
Running: x0hsscpi.exe; Driver: C:\Users\DR\AppData\Local\Temp\pgtdapow.sys

---- System - GMER 1.0.15 ----

Code 849620E8 ZwEnumerateKey
Code 84E2A378 ZwFlushInstructionCache
Code 84D6435D IofCallDriver
Code 8486FDBE IofCompleteRequest

---- Kernel code sections - GMER 1.0.15 ----

.text ntoskrnl.exe!IofCallDriver 81C8611B 5 Bytes JMP 84D64362
.text ntoskrnl.exe!IofCompleteRequest 81C86188 5 Bytes JMP 8486FDC3
PAGE ntoskrnl.exe!ZwFlushInstructionCache 81DE80AA 5 Bytes JMP 84E2A37C
PAGE ntoskrnl.exe!ZwEnumerateKey 81E13366 5 Bytes JMP 849620EC

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[468] USER32.dll!DialogBoxParamW 76DA10B0 5 Bytes JMP 7282541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[468] WININET.dll!HttpAddRequestHeadersA 76B5CF46 5 Bytes JMP 008C000A
.text C:\Program Files\Internet Explorer\iexplore.exe[468] WININET.dll!HttpAddRequestHeadersW 76B5FE49 5 Bytes JMP 0093000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1476] USER32.dll!DialogBoxParamW 76DA10B0 5 Bytes JMP 7282541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1476] WININET.dll!HttpAddRequestHeadersA 76B5CF46 5 Bytes JMP 008D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1476] WININET.dll!HttpAddRequestHeadersW 76B5FE49 5 Bytes JMP 0094000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1568] USER32.dll!DialogBoxParamW 76DA10B0 5 Bytes JMP 7282541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[1568] WININET.dll!HttpAddRequestHeadersA 76B5CF46 5 Bytes JMP 008D000A
.text C:\Program Files\Internet Explorer\iexplore.exe[1568] WININET.dll!HttpAddRequestHeadersW 76B5FE49 5 Bytes JMP 0094000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2964] USER32.dll!DialogBoxParamW 76DA10B0 5 Bytes JMP 7282541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2964] WININET.dll!HttpAddRequestHeadersA 76B5CF46 5 Bytes JMP 0033000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2964] WININET.dll!HttpAddRequestHeadersW 76B5FE49 5 Bytes JMP 003B000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2996] USER32.dll!DialogBoxParamW 76DA10B0 5 Bytes JMP 7282541D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\Iexplore.exe[2996] WININET.dll!HttpAddRequestHeadersA 76B5CF46 5 Bytes JMP 008C000A
.text C:\Program Files\Internet Explorer\Iexplore.exe[2996] WININET.dll!HttpAddRequestHeadersW 76B5FE49 5 Bytes JMP 0093000A

---- Modules - GMER 1.0.15 ----

Module \systemroot\system32\drivers\H8SRTxyvnornqtv.sys (*** hidden *** ) 8C9C1000-8C9DD000 (114688 bytes)

---- Processes - GMER 1.0.15 ----

Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [468] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [780] 0x009C0000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [860] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1000] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1032] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Windows\System32\svchost.exe [1064] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1112] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1152] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Windows\Explorer.EXE [1416] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1436] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [1476] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\iexplore.exe [1568] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1684] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [2964] 0x10000000
Library \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll (*** hidden *** ) @ C:\Program Files\Internet Explorer\Iexplore.exe [2996] 0x10000000

---- Services - GMER 1.0.15 ----

Service C:\Windows\system32\drivers\H8SRTxyvnornqtv.sys (*** hidden *** ) [SYSTEM] H8SRTd.sys <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxyvnornqtv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTxyvnornqtv.sys
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTyoeodfabau.dll
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTmpwnpfiyvp.dat
Reg HKLM\SYSTEM\CurrentControlSet\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@start 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@type 1
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@imagepath \systemroot\system32\drivers\H8SRTxyvnornqtv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys@group file system
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTd \\?\globalroot\systemroot\system32\drivers\H8SRTxyvnornqtv.sys
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTc \\?\globalroot\systemroot\system32\H8SRTyoeodfabau.dll
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@H8SRTsrcr \\?\globalroot\systemroot\system32\H8SRTmpwnpfiyvp.dat
Reg HKLM\SYSTEM\ControlSet003\Services\H8SRTd.sys\modules@h8srtserf \\?\globalroot\systemroot\system32\H8SRTbsgpoikvfm.dll

---- Files - GMER 1.0.15 ----

File C:\Users\DR\AppData\Local\Temp\H8SRTc228.tmp 679936 bytes executable
File C:\Users\DR\AppData\Local\Temp\~DF1597.tmp 0 bytes
File C:\Users\DR\AppData\Local\Temp\~DFB3B.tmp 0 bytes
File C:\Windows\System32\drivers\H8SRTxyvnornqtv.sys 39936 bytes executable <-- ROOTKIT !!!
File C:\Windows\System32\H8SRTbsgpoikvfm.dll 36864 bytes executable
File C:\Windows\System32\H8SRTmpwnpfiyvp.dat 205 bytes
File C:\Windows\System32\H8SRTyoeodfabau.dll 23040 bytes executable
File C:\Windows\Temp\H8SRTaa81.tmp 199 bytes

---- EOF - GMER 1.0.15 ----