GMER 1.0.15.15279 - http://www.gmer.net
Rootkit scan 2009-12-15 04:46:33
Windows 6.1.7600
Running: svchost.com.exe; Driver: C:\Users\DEANWA~1\AppData\Local\Temp\awlyifod.sys

---- System - GMER 1.0.15 ----

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83240AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83240104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832403F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83228634
INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83228898
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832401DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83240958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832406F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83240F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832411A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E59579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E7DF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
? System32\drivers\jykovhsx.sys The system cannot find the path specified. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x91231320, 0x3F5147, 0xE8000020]
.text peauth.sys 9DE93C9D 28 Bytes [C4, 98, 01, 1C, 33, 64, 26, ...]
.text peauth.sys 9DE93CC1 28 Bytes [C4, 98, 01, 1C, 33, 64, 26, ...]
PAGE peauth.sys 9DE99B9B 72 Bytes [09, 8D, B1, CF, 6B, E2, 35, ...]
PAGE peauth.sys 9DE99BEC 83 Bytes [D9, 60, 78, A9, A4, 6F, DB, ...]
PAGE peauth.sys 9DE99C40 27 Bytes JMP 16A28CC6
PAGE ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\rundll32.exe[228] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[228] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[228] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[228] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1236] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1236] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1236] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1236] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2344] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2344] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2344] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2344] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Program Files\Sophos\AutoUpdate\ALsvc.exe[2344] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3412] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3412] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3412] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3412] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3748] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3748] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3748] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3748] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3756] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3756] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3756] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[3756] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [758E5D3D] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\ACPI_HAL \Device\00000049 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----