GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-16 11:58:58
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\AHMADA~1\AppData\Local\Temp\kxriypow.sys


---- System - GMER 1.0.15 ----

SSDT  8607CBE8  ZwAlertResumeThread
SSDT  8690F048  ZwAlertThread
SSDT  8743DB90  ZwAllocateVirtualMemory
SSDT  8678F6C8  ZwAlpcConnectPort
SSDT  87415A90  ZwAssignProcessToJobObject
SSDT  87443D80  ZwCreateMutant
SSDT  87447D38  ZwCreateSymbolicLinkObject
SSDT  873D1438  ZwCreateThread
SSDT  87446150  ZwCreateThreadEx
SSDT  87436048  ZwDebugActiveProcess
SSDT  8743DDA8  ZwDuplicateObject
SSDT  8743D630  ZwFreeVirtualMemory
SSDT  86829048  ZwImpersonateAnonymousToken
SSDT  873C5048  ZwImpersonateThread
SSDT  8679D490  ZwLoadDriver
SSDT  8743D490  ZwMapViewOfSection
SSDT  873D24B0  ZwOpenEvent
SSDT  8743C078  ZwOpenProcess
SSDT  867E2BD8  ZwOpenProcessToken
SSDT  8742D048  ZwOpenSection
SSDT  8743DEF8  ZwOpenThread
SSDT  87446870  ZwProtectVirtualMemory
SSDT  868D6ED8  ZwResumeThread
SSDT  868E19B8  ZwSetContextThread
SSDT  8743D238  ZwSetInformationProcess
SSDT  8742F048  ZwSetSystemInformation
SSDT  8742B048  ZwSuspendProcess
SSDT  868DE1E8  ZwSuspendThread
SSDT  868D7EB0  ZwTerminateProcess
SSDT  86908048  ZwTerminateThread
SSDT  868D9C48  ZwUnmapViewOfSection
SSDT  8743D900  ZwWriteVirtualMemory

INT 0x1F  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C22AF8
INT 0x37  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C22104
INT 0xC1  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C223F4
INT 0xD1  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C0B2D8
INT 0xD2  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C0A898
INT 0xDF  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C221DC
INT 0xE1  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C22958
INT 0xE3  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C226F8
INT 0xFD  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C22F2C
INT 0xFE  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C231A8

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\tdx \Device\Tcp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2  rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\tdx \Device\Udp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\tdx \Device\RawIp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device  \Driver\ACPI_HAL \Device\0000005e  halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

ADS  C:\System Volume Information\_restore{D4AEC64C-A21C-4287-8572-BD6070A4A797}\RP74\A0018396.exe:BAK  22528 bytes executable
ADS  C:\System Volume Information\_restore{D4AEC64C-A21C-4287-8572-BD6070A4A797}\RP75\A0018432.exe:BAK  22528 bytes executable
ADS  C:\System Volume Information\_restore{D4AEC64C-A21C-4287-8572-BD6070A4A797}\RP76\A0018454.exe:BAK  22528 bytes executable

---- EOF - GMER 1.0.15 ----
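The report above has four record kinds worth separating before deciding anything: 32 SSDT entries whose handler address GMER printed without an owning module, ten interrupt vectors owned by halmacpi.dll, filter drivers attached to the TCP/UDP/RawIp and volume stacks (SYMTDI.SYS from Symantec, fvevol.sys and rdyboost.sys from Microsoft), and three executable :BAK streams inside System Restore points. What follows is an added example, not part of the GMER report or of GMER itself: a Python parser over an excerpt of this report plus a triage pass that answers the questions an analyst asks of such output (which hooks lack an owning module, which of them cover process and thread tampering, what address range the handlers cluster in, which interrupt vectors and attached devices are not attributed to Microsoft, and which ADS carry executables). The second SSDT line shape it accepts (module first, address in brackets, for entries GMER can attribute) and the PROCESS_TAMPERING_SERVICES watch list are my assumptions about the format and about what matters, not verdicts GMER emits.

```python
import re
from collections import defaultdict

# Excerpt of the GMER report on this page, cut down to one or two lines of each
# record kind; the full report has 32 SSDT lines, 10 INT lines, 7 attached devices
# and 3 ADS lines of the same shapes.
GMER_LOG = r"""
GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-16 11:58:58
Windows 6.1.7600
Running: gmer.exe; Driver: C:\Users\AHMADA~1\AppData\Local\Temp\kxriypow.sys

---- System - GMER 1.0.15 ----

SSDT  8607CBE8  ZwAlertResumeThread
SSDT  8743C078  ZwOpenProcess
SSDT  8743D900  ZwWriteVirtualMemory
SSDT  868D7EB0  ZwTerminateProcess

INT 0x1F  \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)  82C22AF8

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\tdx \Device\Tcp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device  \Driver\ACPI_HAL \Device\0000005e  halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

ADS  C:\System Volume Information\_restore{D4AEC64C-A21C-4287-8572-BD6070A4A797}\RP74\A0018396.exe:BAK  22528 bytes executable

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (\w+) - GMER")
# SSDT entry with no owning module (the shape on this page): handler address, service name.
SSDT_ADDR_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)$")
# Assumed second shape for entries GMER can attribute: module (description), service, [0xADDR].
SSDT_MOD_RE = re.compile(r"^SSDT\s+(.+?)\s+(Zw\w+)\s+\[0x([0-9A-F]{8})\]$")
INT_RE = re.compile(r"^INT\s+(0x[0-9A-F]+)\s+(\S+)(?:\s+\((.*)\))?\s+([0-9A-F]{8})$")
DEV_RE = re.compile(r"^(AttachedDevice|Device)\s+(\\Driver\\\S+)\s+(\\Device\\\S+)\s+(\S+)(?:\s+\((.*)\))?$")
ADS_RE = re.compile(r"^ADS\s+(.+):(\w+)\s+(\d+) bytes\s*(.*)$")

# Native services that AV/HIPS self-protection drivers and rootkits alike hook to mediate
# or hide process and thread manipulation. Membership says what a hook does, not who
# installed it; only the handler's owning module answers that. (Assumed watch list.)
PROCESS_TAMPERING_SERVICES = {
    "ZwOpenProcess", "ZwOpenThread", "ZwTerminateProcess", "ZwTerminateThread",
    "ZwWriteVirtualMemory", "ZwProtectVirtualMemory", "ZwCreateThread", "ZwCreateThreadEx",
    "ZwSetContextThread", "ZwSuspendProcess", "ZwSuspendThread", "ZwLoadDriver",
    "ZwMapViewOfSection", "ZwDebugActiveProcess", "ZwDuplicateObject",
}


def _vendor(desc):
    """GMER prints '(Description/Vendor)' after a module it could identify."""
    return desc.rsplit("/", 1)[-1] if desc else None


def parse_gmer(text):
    """Parse a GMER text report into typed records keyed by record kind."""
    records = defaultdict(list)
    in_body = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if SECTION_RE.match(line):
            in_body = True
            continue
        if not in_body:
            records["header"].append(line)
            continue
        if m := SSDT_ADDR_RE.match(line):
            records["ssdt"].append({"service": m[2], "handler": int(m[1], 16), "module": None})
        elif m := SSDT_MOD_RE.match(line):
            records["ssdt"].append({"service": m[2], "handler": int(m[3], 16), "module": m[1]})
        elif m := INT_RE.match(line):
            records["int"].append({"vector": int(m[1], 16), "module": m[2],
                                   "vendor": _vendor(m[3]), "handler": int(m[4], 16)})
        elif m := DEV_RE.match(line):
            records["device"].append({"kind": m[1], "driver": m[2], "device": m[3],
                                      "module": m[4], "vendor": _vendor(m[5])})
        elif m := ADS_RE.match(line):
            records["ads"].append({"path": m[1], "stream": m[2], "size": int(m[3]),
                                   "flags": m[4].split()})
        else:
            records["unparsed"].append(line)   # never silently drop a line of evidence
    return records


def triage(records):
    """Reduce parsed records to the questions an analyst asks of a GMER report."""
    ssdt = records["ssdt"]
    handlers = sorted(r["handler"] for r in ssdt)
    attached = defaultdict(list)
    for r in records["device"]:
        if r["kind"] == "AttachedDevice":
            attached[r["vendor"] or "unknown"].append(f"{r['module']} on {r['device']}")
    return {
        "ssdt_hook_count": len(ssdt),
        # Handler lives in memory GMER could not map to a loaded driver image: seen with
        # some security products, and also the classic rootkit shape, so attribute it.
        "ssdt_unattributed": sorted(r["service"] for r in ssdt if r["module"] is None),
        "ssdt_process_tampering": sorted(r["service"] for r in ssdt
                                         if r["service"] in PROCESS_TAMPERING_SERVICES),
        # Handlers packed into one address range usually means one driver owns them all.
        "ssdt_handler_range": (handlers[0], handlers[-1]) if handlers else None,
        # The HAL owning interrupt vectors is expected; anything else deserves a look.
        "int_non_microsoft": [r for r in records["int"] if r["vendor"] != "Microsoft Corporation"],
        "attached_by_vendor": dict(attached),
        "devices_unidentified": [r for r in records["device"] if r["vendor"] is None],
        # Executable streams: hash and submit each before deciding, do not just delete.
        "executable_ads": [f"{r['path']}:{r['stream']}" for r in records["ads"]
                           if "executable" in r["flags"]],
    }


if __name__ == "__main__":
    for key, value in triage(parse_gmer(GMER_LOG)).items():
        print(f"{key}: {value}")
```

Run against the full report, the same pass reports all 32 SSDT entries as unattributed with handlers between 0x8678F6C8 and 0x87447D38, no interrupt vector outside the HAL, every attached filter identified by vendor, and the three :BAK streams as executables to hash; the next step is attributing the SSDT handler range to a loaded driver (for example with a kernel debugger's `!pool` or `lm`), since the report itself does not say who owns it.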