GMER 1.0.11.11633 - http://www.gmer.net Rootkit scan 2006-10-09 15:48:58 Windows 5.1.2600 Dodatek Service Pack 2 ---- Kernel code sections - GMER 1.0.11 ---- .text ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 7FFA488D .text ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes JMP 7FFA45F7 .text ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 7FFA3E1C .text ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 7FFA3F11 .text ntdll.dll!NtOpenProcess 7C90DD7B 5 Bytes JMP 7FFA4828 .text ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 7FFA3CF0 .text ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 7FFA3B5E .text ntdll.dll!NtQueryVolumeInformationFile 7C90E228 5 Bytes JMP 7FFA4527 .text ntdll.dll!NtReadVirtualMemory 7C90E2BB 5 Bytes JMP 7FFA3FE9 .text ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 7FFA3DC1 .text ntdll.dll!NtVdmControl 7C90E975 5 Bytes JMP 7FFA3D52 .text ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 7FFA41E9 ---- User code sections - GMER 1.0.11 ---- .text C:\WINDOWS\system32\winlogon.exe[496] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 7FF9488D .text C:\WINDOWS\system32\winlogon.exe[496] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes JMP 7FF945F7 .text C:\WINDOWS\system32\winlogon.exe[496] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 7FF93E1C .text C:\WINDOWS\system32\winlogon.exe[496] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 7FF93F11 .text C:\WINDOWS\system32\winlogon.exe[496] ntdll.dll!NtOpenProcess 7C90DD7B 5 Bytes JMP 7FF94828 .text C:\WINDOWS\system32\winlogon.exe[496] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 7FF93CF0 .text C:\WINDOWS\system32\winlogon.exe[496] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 7FF93B5E .text C:\WINDOWS\system32\winlogon.exe[496] ntdll.dll!NtQueryVolumeInformationFile 7C90E228 5 Bytes JMP 7FF94527 .text C:\WINDOWS\system32\winlogon.exe[496] ntdll.dll!NtReadVirtualMemory 7C90E2BB 5 Bytes JMP 7FF93FE9 .text C:\WINDOWS\system32\winlogon.exe[496] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 7FF93DC1 .text C:\WINDOWS\system32\winlogon.exe[496] ntdll.dll!NtVdmControl 7C90E975 5 Bytes JMP 7FF93D52 .text C:\WINDOWS\system32\winlogon.exe[496] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 7FF941E9 .text C:\WINDOWS\system32\winlogon.exe[496] kernel32.dll!ReadFile 7C80180E 5 Bytes JMP 7FF93A74 .text C:\WINDOWS\system32\winlogon.exe[496] ADVAPI32.dll!EnumServicesStatusA 77DDAF3F 5 Bytes JMP 7FF943C1 .text C:\WINDOWS\system32\winlogon.exe[496] ADVAPI32.dll!EnumServicesStatusExW 77E2681B 5 Bytes JMP 7FF94421 .text C:\WINDOWS\system32\winlogon.exe[496] ADVAPI32.dll!EnumServiceGroupW 77E268E9 5 Bytes JMP 7FF9435E .text C:\WINDOWS\system32\winlogon.exe[496] ADVAPI32.dll!EnumServicesStatusExA 77E26A8F 5 Bytes JMP 7FF94487 .text C:\WINDOWS\system32\winlogon.exe[496] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 7FF9428B .text C:\WINDOWS\system32\winlogon.exe[496] WS2_32.dll!recv 71A5615A 5 Bytes JMP 7FF9422B .text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 7FF9488D .text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes JMP 7FF945F7 .text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 7FF93E1C .text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 7FF93F11 .text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!NtOpenProcess 7C90DD7B 5 Bytes JMP 7FF94828 .text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 7FF93CF0 .text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 7FF93B5E .text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!NtQueryVolumeInformationFile 7C90E228 5 Bytes JMP 7FF94527 .text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!NtReadVirtualMemory 7C90E2BB 5 Bytes JMP 7FF93FE9 .text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 7FF93DC1 .text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!NtVdmControl 7C90E975 5 Bytes JMP 7FF93D52 .text C:\WINDOWS\system32\lsass.exe[564] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 7FF941E9 .text C:\WINDOWS\system32\lsass.exe[564] kernel32.dll!ReadFile 7C80180E 5 Bytes JMP 7FF93A74 .text C:\WINDOWS\system32\lsass.exe[564] ADVAPI32.dll!EnumServicesStatusA 77DDAF3F 5 Bytes JMP 7FF943C1 .text C:\WINDOWS\system32\lsass.exe[564] ADVAPI32.dll!EnumServicesStatusExW 77E2681B 5 Bytes JMP 7FF94421 .text C:\WINDOWS\system32\lsass.exe[564] ADVAPI32.dll!EnumServiceGroupW 77E268E9 5 Bytes JMP 7FF9435E .text C:\WINDOWS\system32\lsass.exe[564] ADVAPI32.dll!EnumServicesStatusExA 77E26A8F 5 Bytes JMP 7FF94487 .text C:\WINDOWS\system32\lsass.exe[564] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 7FF9428B .text C:\WINDOWS\system32\lsass.exe[564] WS2_32.dll!recv 71A5615A 5 Bytes JMP 7FF9422B .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 7FF7488D .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes JMP 7FF745F7 .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtEnumerateKey 7C90D94C 5 Bytes JMP 7FF73E1C .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtEnumerateValueKey 7C90D976 5 Bytes JMP 7FF73F11 .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtOpenProcess 7C90DD7B 5 Bytes JMP 7FF74828 .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQueryDirectoryFile 7C90DF5E 5 Bytes JMP 7FF73CF0 .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQuerySystemInformation 7C90E1AA 5 Bytes JMP 7FF73B5E .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtQueryVolumeInformationFile 7C90E228 5 Bytes JMP 7FF74527 .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtReadVirtualMemory 7C90E2BB 5 Bytes JMP 7FF73FE9 .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtResumeThread 7C90E45F 5 Bytes JMP 7FF73DC1 .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!NtVdmControl 7C90E975 5 Bytes JMP 7FF73D52 .text C:\WINDOWS\system32\svchost.exe[884] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 7FF741E9 .text C:\WINDOWS\system32\svchost.exe[884] kernel32.dll!ReadFile 7C80180E 5 Bytes JMP 7FF73A74 .text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!EnumServicesStatusA 77DDAF3F 5 Bytes JMP 7FF743C1 .text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!EnumServicesStatusExW 77E2681B 5 Bytes JMP 7FF74421 .text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!EnumServiceGroupW 77E268E9 5 Bytes JMP 7FF7435E .text C:\WINDOWS\system32\svchost.exe[884] ADVAPI32.dll!EnumServicesStatusExA 77E26A8F 5 Bytes JMP 7FF74487 .text C:\WINDOWS\system32\svchost.exe[884] WS2_32.dll!WSARecv 71A54318 5 Bytes JMP 7FF7428B .text C:\WINDOWS\system32\svchost.exe[884] WS2_32.dll!recv 71A5615A 5 Bytes JMP 7FF7422B ---- Processes - GMER 1.0.11 ---- Process C:\rootkits\hxdef100\hxdef100.exe (*** hidden *** ) 680 Library C:\rootkits\hxdef100\hxdef100.exe (*** hidden *** ) @ C:\rootkits\hxdef100\hxdef100.exe [680] 0x00400000 ---- Services - GMER 1.0.11 ---- Service C:\rootkits\hxdef100\hxdef100.exe (*** hidden *** ) [AUTO] HackerDefender100 <-- ROOTKIT !!! Service C:\rootkits\hxdef100\hxdefdrv.sys (*** hidden *** ) [MANUAL] HackerDefenderDrv100 <-- ROOTKIT !!! ---- Files - GMER 1.0.11 ---- File C:\rootkits\hxdef100 File C:\rootkits\hxdef100\hxdef100.2.ini File C:\rootkits\hxdef100\hxdef100.exe <-- ROOTKIT !!! File C:\rootkits\hxdef100\hxdef100.ini File C:\rootkits\hxdef100\hxdefdrv.sys <-- ROOTKIT !!! File C:\WINDOWS\Prefetch\HXDEF100.EXE-351601D2.pf ---- EOF - GMER 1.0.11 ----