GMER 1.0.15.15570 - http://www.gmer.net
Rootkit scan 2011-03-22 18:21:29
Windows 5.1.2600 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HM160HC rev.LQ100-10
Running: gmer.exe; Driver: C:\DOCUME~1\NEO\LOCALS~1\Temp\agxcapoc.sys


---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwConnectPort [0xF7476534]
SSDT  \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwCreateFile [0xF7470782]
SSDT  F9EA9026  ZwCreateKey
SSDT  \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwCreatePort [0xF7476CC0]
SSDT  F9EA901C  ZwCreateThread
SSDT  \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwCreateWaitablePort [0xF7476DF6]
SSDT  \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwDeleteFile [0xF7471398]
SSDT  F9EA902B  ZwDeleteKey
SSDT  F9EA9035  ZwDeleteValueKey
SSDT  spnu.sys  ZwEnumerateKey [0xF9754E4C]
SSDT  spnu.sys  ZwEnumerateValueKey [0xF97551DA]
SSDT  F9EA9053  ZwLoadDriver
SSDT  F9EA903A  ZwLoadKey
SSDT  \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwLoadKey2 [0xF7491B44]
SSDT  \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwOpenFile [0xF7470FAA]
SSDT  spnu.sys  ZwOpenKey [0xF973A0C0]
SSDT  F9EA9008  ZwOpenProcess
SSDT  F9EA900D  ZwOpenThread
SSDT  spnu.sys  ZwQueryKey [0xF97552B2]
SSDT  spnu.sys  ZwQueryValueKey [0xF9755132]
SSDT  \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwRenameKey [0xF74928D2]
SSDT  F9EA9044  ZwReplaceKey
SSDT  \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwRequestWaitReplyPort [0xF74760F4]
SSDT  F9EA903F  ZwRestoreKey
SSDT  \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwSetInformationFile [0xF747175C]
SSDT  \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)  ZwSetSecurityObject [0xF7492E12]
SSDT  F9EA9058  ZwSetSystemInformation
SSDT  F9EA9030  ZwSetValueKey
SSDT  F9EA9017  ZwTerminateProcess
SSDT  F9EA9012  ZwWriteVirtualMemory

INT 0x3E  ?  812F4C88
INT 0x3F  ?  812F4C88

Code  \??\C:\DOCUME~1\NEO\LOCALS~1\Temp\catchme.sys  pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!_abnormal_termination + CC  804E2D9D 3 Bytes  [65, 47, F7]
.text  ntoskrnl.exe!_abnormal_termination + 1D3  804E2EA4 12 Bytes  JMP EA903AF9
?  kcmlb.sys  The system cannot find the file specified. !
?  spnu.sys  The system cannot find the file specified. !
.text  ag1fj0qg.SYS  F8747306 50 Bytes  [00, 00, 00, 48, 03, 00, F0, ...]
.text  ag1fj0qg.SYS  F8747339 23 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text  ag1fj0qg.SYS  F8747351 87 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text  ag1fj0qg.SYS  F87473A9 10 Bytes  [00, 00, 00, 00, 00, 00, 00, ...] {ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL; ADD [EAX], AL}
.text  ag1fj0qg.SYS  F87473B4 12 Bytes  [40, 00, 00, C8, 50, 41, 47, ...] {INC EAX; ADD [EAX], AL; ENTER 0x4150, 0x47; INC EBP; ADD [EAX], AL; ADD [EAX], AL}
.text  ...
?  C:\WINDOWS\system32\Drivers\PROCEXP113.SYS  The system cannot find the file specified. !
?  C:\DOCUME~1\NEO\LOCALS~1\Temp\catchme.sys  The system cannot find the file specified. !
?  C:\DOCUME~1\NEO\LOCALS~1\Temp\mbr.sys  The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3084] ntdll.dll!NtAccessCheckByType  7C91D3B8 5 Bytes  JMP 20C78791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text  C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3084] ntdll.dll!NtImpersonateClientOfPort  7C91DADB 5 Bytes  JMP 20C78D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text  C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3084] ntdll.dll!NtSetInformationProcess  7C91E62D 5 Bytes  JMP 20C789AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text  C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3084] kernel32.dll!SetUnhandledExceptionFilter  7C810386 5 Bytes  JMP 209B37DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWDMP.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text  C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3084] kernel32.dll!OpenProcess  7C81E079 5 Bytes  JMP 20C7846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text  C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3084] ADVAPI32.dll!ImpersonateNamedPipeClient  77DA7C97 5 Bytes  JMP 20C78E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)
.text  C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3084] ADVAPI32.dll!SetThreadToken  77DA7E3D 5 Bytes  JMP 20C79036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint]  812FA308
IAT  pci.sys[ntoskrnl.exe!IoDetachDevice]  [F9768ECE] spnu.sys
IAT  pci.sys[ntoskrnl.exe!IoAttachDeviceToDeviceStack]  [F9768F22] spnu.sys
IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG]  [F973B3E6] spnu.sys
IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR]  [F973B90E] spnu.sys
IAT  \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR]  [F973BF9C] spnu.sys
IAT  atapi.sys[HAL.dll!READ_PORT_UCHAR]  [F973B90E] spnu.sys
IAT  atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT]  [F973B1D4] spnu.sys
IAT  atapi.sys[HAL.dll!READ_PORT_USHORT]  [F973B116] spnu.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT]  [F973C178] spnu.sys
IAT  atapi.sys[HAL.dll!WRITE_PORT_UCHAR]  [F973BF9C] spnu.sys
IAT  \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR]  [F974C976] spnu.sys
IAT  \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint]  FF9B2580
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoCreateDevice]  000AB0B6
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoDetachDevice]  09E85300
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!ExFreePoolWithTag]  850001F5
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoFreeWorkItem]  EBD474C0
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoDeleteDevice]  0C75FF97
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!KeWaitForSingleObject]  2C57FF57
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!KeSetEvent]  8B55C9EB
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!ObfReferenceObject]  0C458BEC
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!ExAllocatePoolWithTag]  2B34488B
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!RtlAnsiStringToUnicodeString]  00982DC1
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!RtlxAnsiStringToUnicodeSize]  99560000
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!NlsMbCodePageTag]  000D28BE
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!RtlInitAnsiString]  50FEF700
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!RtlInitUnicodeString]  FED0E851
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!sprintf]  5D5EFFFF
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoFreeIrp]  CC0008C2
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoCancelIrp]  51EC8B55
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoAllocateIrp]  FC458D56
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!KeInitializeEvent]  68106A50
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoSetCompletionRoutineEx]  4F525044
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoInitializeTimer]  F6331C6A
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IofCallDriver]  2DE85656
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoAttachDeviceToDeviceStack]  F70001F4
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoSetStartIoAttributes]  F7C01BD8
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoStartPacket]  FC4523D0
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!PoRequestPowerIrp]  2274C63B
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoStopTimer]  56084D8B
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoStartTimer]  40C75650
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoAllocateWorkItem]  7702D408
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoReleaseCancelSpinLock]  0C4089F8
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!KeRemoveEntryDeviceQueue]  89107089
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoQueueWorkItem]  30891470
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoFreeMdl]  E8184889
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!MmBuildMdlForNonPagedPool]  0001F3EC
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoAllocateMdl]  75FF08EB
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!MmMapLockedPagesSpecifyCache]  FCB2E808
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!memmove]  C95EFFFF
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!KefReleaseSpinLockFromDpcLevel]  CC0004C2
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!KefAcquireSpinLockAtDpcLevel]  FFEC8B55
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoBuildPartialMdl]  9DE80C75
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoAcquireCancelSpinLock]  5DFFFFFF
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!KeTickCount]  CC0008C2
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!KeBugCheckEx]  53EC8B55
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IofCompleteRequest]  08758B56
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoStartNextPacket]  5E39DB33
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!PoStartNextPowerIrp]  39517574
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!PoCallDriver]  4C750C5D
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoOpenDeviceRegistryKey]  3C7E8D57
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!RtlQueryRegistryValues]  8B40C033
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!KeInitializeSpinLock]  850187CF
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!ZwClose]  333C75C0
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!MmHighestUserAddress]  40468DC9
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoBuildSynchronousFsdRequest]  C10FF041
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[HAL.dll!KeGetCurrentIrql]  5E0001F4
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[HAL.dll!KfAcquireSpinLock]  C2C95B5F
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[HAL.dll!KfReleaseSpinLock]  5F380008
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[HAL.dll!KfRaiseIrql]  56227411
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[HAL.dll!KfLowerIrql]  74963A68
IAT  \SystemRoot\System32\Drivers\ag1fj0qg.SYS[USBD.SYS!USBD_CreateConfigurationRequestEx]  F7C31352
IAT  \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisRegisterProtocol]  [F747B672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisOpenAdapter]  [F747B4C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisCloseAdapter]  [F747BCBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\raspppoe.sys[NDIS.SYS!NdisDeregisterProtocol]  [F7479C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisDeregisterProtocol]  [F7479C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisRegisterProtocol]  [F747B672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisOpenAdapter]  [F747B4C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\psched.sys[NDIS.SYS!NdisCloseAdapter]  [F747BCBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisRegisterProtocol]  [F747B672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisCloseAdapter]  [F747BCBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisOpenAdapter]  [F747B4C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\System32\Drivers\NDProxy.SYS[NDIS.SYS!NdisDeregisterProtocol]  [F7479C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisCloseAdapter]  [F747BCBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisRegisterProtocol]  [F747B672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\tcpip.sys[NDIS.SYS!NdisOpenAdapter]  [F747B4C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\System32\drivers\afd.sys[ntoskrnl.exe!IoCreateFile]  [F74593C4] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisDeregisterProtocol]  [F7479C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisRegisterProtocol]  [F747B672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisOpenAdapter]  [F747B4C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\wanarp.sys[NDIS.SYS!NdisCloseAdapter]  [F747BCBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisRegisterProtocol]  [F747B672] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisDeregisterProtocol]  [F7479C2A] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisCloseAdapter]  [F747BCBA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\ndisuio.sys[NDIS.SYS!NdisOpenAdapter]  [F747B4C8] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtOpenFile]  [F747241C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtSetInformationFile]  [F74722AA] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!IoCreateFile]  [F747260C] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
IAT  \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile]  [F7471D40] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[3084] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW]  [20C7835C] C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll (ZoneAlarm ForceField/Check Point Software Technologies)

---- Devices - GMER 1.0.15 ----

Device  \FileSystem\Ntfs \Ntfs  812F21F8
Device  \FileSystem\Fastfat \FatCdrom  FFA34470
Device  \Driver\Tcpip \Device\Ip  vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device  \Driver\usbuhci \Device\USBPDO-0  FF9B3470
Device  \Driver\dmio \Device\DmControl\DmIoDaemon  812F51F8
Device  \Driver\dmio \Device\DmControl\DmConfig  812F51F8
Device  \Driver\dmio \Device\DmControl\DmPnP  812F51F8
Device  \Driver\dmio \Device\DmControl\DmInfo  812F51F8
Device  \Driver\Tcpip \Device\Tcp  vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device  \Driver\Ftdisk \Device\HarddiskVolume1  812F61F8
Device  \Driver\Ftdisk \Device\HarddiskVolume2  812F61F8
Device  \Driver\Cdrom \Device\CdRom0  FF9A9470
Device  \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3  812F41F8
Device  \Driver\atapi \Device\Ide\IdePort0  812F41F8
Device  \Driver\atapi \Device\Ide\IdePort1  812F41F8
Device  \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e  812F41F8
Device  \Driver\Ftdisk \Device\HarddiskVolume3  812F61F8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{95EFADE7-8427-4BC1-9A5E-1E4F4A85CEBC}  811DA1F8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{7F7B2566-336E-4641-A1EE-88848A0377B6}  811DA1F8
Device  \Driver\NetBT \Device\NetBt_Wins_Export  811DA1F8
Device  \Driver\PCI_PNP3264 \Device\0000004a  spnu.sys
Device  \Driver\NetBT \Device\NetbiosSmb  811DA1F8
Device  \Driver\sptd \Device\2190004704  spnu.sys
Device  \Driver\Tcpip \Device\Udp  vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device  \Driver\Tcpip \Device\RawIp  vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device  \Driver\usbuhci \Device\USBFDO-0  FF9B3470
Device  \FileSystem\MRxSmb \Device\LanmanDatagramReceiver  FF956470
Device  \Driver\Tcpip \Device\IPMULTICAST  vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
Device  \FileSystem\MRxSmb \Device\LanmanRedirector  FF956470
Device  \Driver\Ftdisk \Device\FtControl  812F61F8
Device  \Driver\ag1fj0qg \Device\Scsi\ag1fj0qg1  8117C470
Device  \FileSystem\Fastfat \Fat  FFA34470
Device  \FileSystem\Cdfs \Cdfs  FFA4D470

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x86 0xBB 0xA6 0xB2 ...
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0x87 0xA2 0xA9 0x95 ...
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0x64 0xCE 0x1B 0xB4 ...
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  1
Reg  HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x5E 0xF2 0xE7 0x50 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1  771343423
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2  285507792
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xCE 0x20 0x8E 0x3B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0x52 0x1A 0x03 0xE0 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0xEA 0xCB 0xAD 0xDF ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x5E 0xF2 0xE7 0x50 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x86 0xBB 0xA6 0xB2 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0x52 0x1A 0x03 0xE0 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0xCB 0xD7 0x93 0x22 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  1
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0x5E 0xF2 0xE7 0x50 ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{1902ec02-b3c8-4faa-a8a3-c2ad5d7431d9}@Model  149
Reg  HKLM\SOFTWARE\Classes\CLSID\{1902ec02-b3c8-4faa-a8a3-c2ad5d7431d9}@Therad  21
Reg  HKLM\SOFTWARE\Classes\CLSID\{1902ec02-b3c8-4faa-a8a3-c2ad5d7431d9}@MData  0x73 0xD5 0xCF 0xB8 ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk  0x94 0xFE 0xF8 0xD3 ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{68f5f69f-6f53-4339-8117-6056275bbc9c}@Model  84
Reg  HKLM\SOFTWARE\Classes\CLSID\{68f5f69f-6f53-4339-8117-6056275bbc9c}@Therad  23
Reg  HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk  0xB6 0x91 0x86 0x43 ...

---- EOF - GMER 1.0.15 ----
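A log like the one above is read in three passes: which module owns each SSDT and kernel IAT hook, which hooks GMER could not attribute to any file (the bare F9EA9xxx addresses in the SSDT column, and the raw values in the ag1fj0qg.SYS import slots), and which hooking modules GMER also reports it could not open on disk. The script below is an added triage example, not part of the original post and not GMER's own code. It works on a constructed sample made of lines copied from this log with the whitespace collapsed; it handles the SSDT, kernel IAT and "?" line shapes only (user-mode IAT lines, whose process path contains spaces, are not parsed). The one heuristic it applies is an assumption: on 32-bit Windows XP with the default 2 GB/2 GB split, any kernel-mode code pointer is at or above 0x80000000, so an import slot holding a smaller value was not read from a working import table.

```python
"""Triage helper for GMER 1.0.15 logs: group SSDT/IAT hooks by the module
GMER attributed them to and surface the entries it could not attribute."""
import re
from collections import defaultdict

# Constructed sample: entries copied from the log on this page, with the
# whitespace collapsed to single spaces as it appears after extraction.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD) ZwConnectPort [0xF7476534]
SSDT F9EA9026 ZwCreateKey
SSDT spnu.sys ZwEnumerateKey [0xF9754E4C]
SSDT F9EA9053 ZwLoadDriver
SSDT F9EA9012 ZwWriteVirtualMemory
---- Kernel code sections - GMER 1.0.15 ----
? kcmlb.sys The system cannot find the file specified. !
? spnu.sys The system cannot find the file specified. !
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT pci.sys[ntoskrnl.exe!IoDetachDevice] [F9768ECE] spnu.sys
IAT \WINDOWS\System32\Drivers\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 812FA308
IAT \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoCreateDevice] 000AB0B6
IAT \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!IoDeleteDevice] 0C75FF97
IAT \SystemRoot\System32\Drivers\ag1fj0qg.SYS[ntoskrnl.exe!ExFreePoolWithTag] 850001F5
IAT \SystemRoot\system32\DRIVERS\srv.sys[ntoskrnl.exe!NtCreateFile] [F7471D40] \SystemRoot\System32\vsdatant.sys (ZoneAlarm Firewalling Driver/Check Point Software Technologies LTD)
"""

# Assumption: 32-bit Windows XP with the default 2 GB/2 GB split, so every
# kernel-mode code pointer is >= 0x80000000.  With /3GB the boundary moves.
KERNEL_BASE = 0x80000000

HEX8_RE = re.compile(r"[0-9A-Fa-f]{8}")
# "SSDT <owner or bare address> Zw<Func> [0x<hook>]"; the bracketed hook
# address is absent when GMER printed only a raw address in the owner column.
SSDT_RE = re.compile(r"^SSDT\s+(?P<owner>.+?)\s+(?P<func>Zw\w+)"
                     r"(?:\s+\[0x(?P<hook>[0-9A-Fa-f]+)\])?\s*$")
# Kernel IAT lines: "IAT <importer>[<module>!<import>] [<hook>] <owner>"
# or "IAT <importer>[<module>!<import>] <raw value>" when unattributed.
IAT_RE = re.compile(r"^IAT\s+(?P<importer>\S+?)\[(?P<imp>[^\]]+)\]\s+"
                    r"(?:\[(?P<hook>[0-9A-Fa-f]{8})\]\s*(?P<owner>.*?)"
                    r"|(?P<raw>[0-9A-Fa-f]{8}))\s*$")
# "? <file> <locale-specific error text> !": GMER could not open the file.
MISSING_RE = re.compile(r"^\?\s+(?P<file>\S+)\s+.*?\s*!\s*$")


def module_name(owner):
    """Reduce '\\SystemRoot\\System32\\x.sys (vendor text)' to 'x.sys'."""
    return owner.split()[0].rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Return one dict per recognised SSDT, kernel IAT or '?' line."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        m = SSDT_RE.match(line)
        if m:
            owner = m.group("owner")
            records.append({"kind": "SSDT", "func": m.group("func"),
                            "owner": owner,
                            "attributed": HEX8_RE.fullmatch(owner) is None})
            continue
        m = IAT_RE.match(line)
        if m:
            attributed = m.group("hook") is not None
            records.append({"kind": "IAT", "importer": m.group("importer"),
                            "import": m.group("imp"),
                            "owner": m.group("owner") if attributed else None,
                            "value": int(m.group("hook") or m.group("raw"), 16),
                            "attributed": attributed})
            continue
        m = MISSING_RE.match(line)
        if m:
            records.append({"kind": "MISSING", "file": m.group("file")})
    return records


def triage(records):
    """Sort parsed entries into what a reviewer should look at first."""
    ssdt_by_module = defaultdict(list)
    iat_by_module = defaultdict(list)
    unattributed_ssdt = []
    bad_iat_values = []
    unreadable = {module_name(r["file"]) for r in records if r["kind"] == "MISSING"}
    for r in records:
        if r["kind"] == "SSDT":
            if r["attributed"]:
                ssdt_by_module[module_name(r["owner"])].append(r["func"])
            else:
                unattributed_ssdt.append(r["func"])
        elif r["kind"] == "IAT":
            if r["attributed"]:
                iat_by_module[module_name(r["owner"])].append(
                    f"{module_name(r['importer'])} -> {r['import']}")
            elif r["value"] < KERNEL_BASE:
                # A raw IAT slot that does not even hold a kernel-mode address
                # was not read from a real import table.
                bad_iat_values.append((module_name(r["importer"]), r["import"], r["value"]))
    hookers = set(ssdt_by_module) | set(iat_by_module)
    return {
        "ssdt_by_module": dict(ssdt_by_module),
        "iat_by_module": dict(iat_by_module),
        "unattributed_ssdt": unattributed_ssdt,
        "bad_iat_values": bad_iat_values,
        # Modules that hook the kernel but whose file GMER could not open.
        "hooks_from_unreadable_files": sorted(hookers & unreadable),
    }


if __name__ == "__main__":
    for key, value in triage(parse_gmer(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Run against the sample, the attributed hooks fall under vsdatant.sys (which the log itself labels as the ZoneAlarm firewall driver) and spnu.sys (which the Devices and Registry sections of this log tie to the sptd service under DAEMON Tools Lite); the unattributed SSDT entries and the ag1fj0qg.SYS import slots are what remain for a human to look at. The range check is a cheap first filter, not a verdict: the ExFreePoolWithTag slot holding 850001F5 passes it because the value happens to sit above 0x80000000, so the per-module grouping, not the single heuristic, is what makes the unattributed entries stand out.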