GMER 1.0.15.15252 - http://www.gmer.net
Rootkit scan 2009-12-01 19:51:18
Windows 5.1.2600 Service Pack 3
Running: neyqltk1.exe; Driver: C:\DOKUME~1\clemens\LOKALE~1\Temp\pxtdqpow.sys


---- Kernel code sections - GMER 1.0.15 ----

init   C:\WINDOWS\system32\drivers\ALCXSENS.SYS   entry point in "init" section [0xF5796900]
.text  C:\WINDOWS\system32\DRIVERS\ati2mtag.sys   section is writeable [0xF5387000, 0x1C5D58, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

?  C:\WINDOWS\system32\svchost.exe[384]  image checksum mismatch; time/date stamp mismatch; unknown module: MSVBVM60.DLL

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegQueryValueExW]  [73487532] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorDacl]  [73493B68] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetEntriesInAclW]  [73476EFB] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorGroup]  [734773E4] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetSecurityDescriptorOwner]  [73477445] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!InitializeSecurityDescriptor]  [7339A1A3] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!GetTokenInformation]  [7346CB51] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenProcessToken]  [7346CB86] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!OpenThreadToken]  [73477465] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!SetServiceStatus]  [734880D9] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegisterServiceCtrlHandlerW]  [73476E26] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegCloseKey]  [73476E73] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!RegOpenKeyExW]  [73477C3F] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ADVAPI32.dll!StartServiceCtrlDispatcherW]  [734599CF] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!WideCharToMultiByte]  [73474624] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrlenW]  [73487C1B] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalFree]  [73488804] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcess]  [73477C6A] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThread]  [73477D91] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcAddress]  [73470D93] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW]  [73478E2D] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LCMapStringW]  [7346EDBA] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!FreeLibrary]  [733935A4] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcpyW]  [7348737C] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW]  [73476BDE] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpiW]  [73476BF1] C:\WINDOWS\system32\MSVBVM60.DLL (Visual Basic Virtual Machine/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!ExitProcess]  00000000
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCommandLineW]  00000000
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InitializeCriticalSection]  00000000
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetProcessHeap]  00000000
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetErrorMode]  103825FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObject]  [00401050] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange]  101025FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter]  [00401054] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetTickCount]  105825FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentThreadId]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetCurrentProcessId]  [0040107C] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime]  105C25FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!TerminateProcess]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter]  [00401078] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LocalAlloc]  102825FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!lstrcmpW]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook]  [00401008] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtQuerySecurityObject]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlFreeHeap]  [00401024] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey]  102C25FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscat]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcscpy]  [00401030] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlAllocateHeap]  106825FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCompareUnicodeString]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitUnicodeString]  [0040101C] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlInitializeSid]  101825FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlLengthRequiredSid]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthoritySid]  [00401014] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose]  107425FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetDaclSecurityDescriptor]  [00401000] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlQueryInformationAcl]  104825FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlGetAce]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlImageNtHeader]  [00401020] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!wcslen]  104C25FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!RtlCopySid]  [0040100C] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen]  [00401044] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize]  106025FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerListen]  [00401040] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW]  103425FF
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf]  25FF0040
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status]  [0040103C] C:\WINDOWS\system32\svchost.exe (Generic Host Process for Win32 Services/Microsoft Corporation)
IAT  C:\WINDOWS\system32\svchost.exe[384] @ C:\WINDOWS\system32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening]  100425FF

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  eamon.sys (Amon monitor/ESET)
AttachedDevice  \Driver\Tcpip \Device\Tcp  epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice  \FileSystem\Fastfat \Fat  eamon.sys (Amon monitor/ESET)

Device  -> \Driver\atapi \Device\Harddisk0\DR0  864A4618

---- Files - GMER 1.0.15 ----

File  C:\WINDOWS\system32\drivers\atapi.sys  suspicious modification

---- EOF - GMER 1.0.15 ----