GMER 1.0.11.11633 - http://www.gmer.net Rootkit scan 2006-10-09 15:29:00 Windows 5.1.2600 Dodatek Service Pack 2 ---- System - GMER 1.0.11 ---- SSDT ZwCreateProcess bmtdhk.sys SSDT ZwCreateProcessEx bmtdhk.sys SSDT ZwOpenProcess bmtdhk.sys SSDT ZwOpenThread bmtdhk.sys SSDT ZwQueryDirectoryFile bmtdhk.sys SSDT ZwQuerySystemInformation bmtdhk.sys ---- Kernel code sections - GMER 1.0.11 ---- .text ntoskrnl.exe!_abnormal_termination + 267 804E2DDC 8 Bytes .text ntoskrnl.exe!_abnormal_termination + 567 804E2F08 4 Bytes .text ntoskrnl.exe!_abnormal_termination + 591 804E2F20 4 Bytes .text ntoskrnl.exe!_abnormal_termination + 659 804E2F64 4 Bytes .text ntoskrnl.exe!_abnormal_termination + 771 804E2FD4 4 Bytes ---- User code sections - GMER 1.0.11 ---- .text C:\WINDOWS\gmer.exe[504] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00010016 .text C:\WINDOWS\gmer.exe[504] USER32.dll!GetDlgItemTextA + 2 77D8AC08 5 Bytes JMP 000102B3 .text C:\WINDOWS\gmer.exe[504] WS2_32.dll!gethostbyname + 2 71A54FD6 5 Bytes JMP 00010C14 .text C:\WINDOWS\gmer.exe[504] WININET.dll!InternetConnectA 771B44DB 5 Bytes JMP 00010F44 .text C:\WINDOWS\gmer.exe[504] WININET.dll!HttpOpenRequestA + 2 771B4AC7 5 Bytes JMP 000110B9 .text C:\WINDOWS\gmer.exe[504] WININET.dll!InternetOpenA + 2 771B6D2C 5 Bytes JMP 00011042 .text C:\WINDOWS\gmer.exe[504] WININET.dll!HttpSendRequestA + 2 771B76BA 5 Bytes JMP 10001000 C:\WINDOWS\system32\bmtdhh.dll .text C:\WINDOWS\gmer.exe[504] WININET.dll!InternetReadFile + 2 771B9557 5 Bytes JMP 00010FA1 .text C:\WINDOWS\gmer.exe[504] WININET.dll!InternetQueryDataAvailable + 2 771C3261 5 Bytes JMP 00010EC4 .text C:\WINDOWS\system32\cmd.exe[672] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00010016 .text C:\WINDOWS\system32\cmd.exe[672] USER32.dll!GetDlgItemTextA + 2 77D8AC08 5 Bytes JMP 000102B3 .text C:\WINDOWS\system32\cmd.exe[672] WS2_32.dll!gethostbyname + 2 71A54FD6 5 Bytes JMP 00010C14 .text C:\WINDOWS\system32\cmd.exe[672] WININET.dll!InternetConnectA 771B44DB 5 Bytes JMP 00010F44 .text C:\WINDOWS\system32\cmd.exe[672] WININET.dll!HttpOpenRequestA + 2 771B4AC7 5 Bytes JMP 000110B9 .text C:\WINDOWS\system32\cmd.exe[672] WININET.dll!InternetOpenA + 2 771B6D2C 5 Bytes JMP 00011042 .text C:\WINDOWS\system32\cmd.exe[672] WININET.dll!HttpSendRequestA + 2 771B76BA 5 Bytes JMP 10001000 C:\WINDOWS\system32\bmtdhh.dll .text C:\WINDOWS\system32\cmd.exe[672] WININET.dll!InternetReadFile + 2 771B9557 5 Bytes JMP 00010FA1 .text C:\WINDOWS\system32\cmd.exe[672] WININET.dll!InternetQueryDataAvailable + 2 771C3261 5 Bytes JMP 00010EC4 .text C:\WINDOWS\system32\spoolsv.exe[1108] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00010016 .text C:\WINDOWS\system32\spoolsv.exe[1108] USER32.dll!GetDlgItemTextA + 2 77D8AC08 5 Bytes JMP 000102B3 .text C:\WINDOWS\system32\spoolsv.exe[1108] WS2_32.dll!gethostbyname + 2 71A54FD6 5 Bytes JMP 00010C14 .text C:\WINDOWS\system32\spoolsv.exe[1108] WININET.dll!InternetConnectA 771B44DB 5 Bytes JMP 00010F44 .text C:\WINDOWS\system32\spoolsv.exe[1108] WININET.dll!HttpOpenRequestA + 2 771B4AC7 5 Bytes JMP 000110B9 .text C:\WINDOWS\system32\spoolsv.exe[1108] WININET.dll!InternetOpenA + 2 771B6D2C 5 Bytes JMP 00011042 .text C:\WINDOWS\system32\spoolsv.exe[1108] WININET.dll!HttpSendRequestA + 2 771B76BA 5 Bytes JMP 10001000 C:\WINDOWS\system32\bmtdhh.dll .text C:\WINDOWS\system32\spoolsv.exe[1108] WININET.dll!InternetReadFile + 2 771B9557 5 Bytes JMP 00010FA1 .text C:\WINDOWS\system32\spoolsv.exe[1108] WININET.dll!InternetQueryDataAvailable + 2 771C3261 5 Bytes JMP 00010EC4 .text C:\WINDOWS\explorer.exe[1384] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00010016 .text C:\WINDOWS\explorer.exe[1384] USER32.dll!GetDlgItemTextA + 2 77D8AC08 5 Bytes JMP 000102B3 .text C:\WINDOWS\explorer.exe[1384] WININET.dll!InternetConnectA 771B44DB 5 Bytes JMP 00010F44 .text C:\WINDOWS\explorer.exe[1384] WININET.dll!HttpOpenRequestA + 2 771B4AC7 5 Bytes JMP 000110B9 .text C:\WINDOWS\explorer.exe[1384] WININET.dll!InternetOpenA + 2 771B6D2C 5 Bytes JMP 00011042 .text C:\WINDOWS\explorer.exe[1384] WININET.dll!HttpSendRequestA + 2 771B76BA 5 Bytes JMP 10001000 C:\WINDOWS\system32\bmtdhh.dll .text C:\WINDOWS\explorer.exe[1384] WININET.dll!InternetReadFile + 2 771B9557 5 Bytes JMP 00010FA1 .text C:\WINDOWS\explorer.exe[1384] WININET.dll!InternetQueryDataAvailable + 2 771C3261 5 Bytes JMP 00010EC4 .text C:\WINDOWS\explorer.exe[1384] WS2_32.dll!gethostbyname + 2 71A54FD6 5 Bytes JMP 00010C14 .text C:\WINDOWS\explorer.exe[1384] iphlpapi.dll!GetTcpTableFromStack + 2 76D5DCE0 5 Bytes JMP 0001124B .text C:\WINDOWS\explorer.exe[1384] inetmib1.dll!SnmpExtensionQuery 66BD1A4E 5 Bytes JMP 000113AA .text C:\WINDOWS\system32\ctfmon.exe[1784] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 00010016 .text C:\WINDOWS\system32\ctfmon.exe[1784] USER32.dll!GetDlgItemTextA + 2 77D8AC08 5 Bytes JMP 000102B3 .text C:\WINDOWS\system32\ctfmon.exe[1784] WS2_32.dll!gethostbyname + 2 71A54FD6 5 Bytes JMP 00010C14 .text C:\WINDOWS\system32\ctfmon.exe[1784] WININET.dll!InternetConnectA 771B44DB 5 Bytes JMP 00010F44 .text C:\WINDOWS\system32\ctfmon.exe[1784] WININET.dll!HttpOpenRequestA + 2 771B4AC7 5 Bytes JMP 000110B9 .text C:\WINDOWS\system32\ctfmon.exe[1784] WININET.dll!InternetOpenA + 2 771B6D2C 5 Bytes JMP 00011042 .text C:\WINDOWS\system32\ctfmon.exe[1784] WININET.dll!HttpSendRequestA + 2 771B76BA 5 Bytes JMP 10001000 C:\WINDOWS\system32\bmtdhh.dll .text C:\WINDOWS\system32\ctfmon.exe[1784] WININET.dll!InternetReadFile + 2 771B9557 5 Bytes JMP 00010FA1 .text C:\WINDOWS\system32\ctfmon.exe[1784] WININET.dll!InternetQueryDataAvailable + 2 771C3261 5 Bytes JMP 00010EC4 ---- Processes - GMER 1.0.11 ---- Process C:\WINDOWS\system32\winlogon.exe (*** hidden *** ) 484 Library C:\WINDOWS\system32\bmtdhh.dll (*** hidden *** ) @ C:\WINDOWS\system32\winlogon.exe [484] 0x10000000 Library C:\WINDOWS\system32\bmtdhh.dll (*** hidden *** ) @ C:\WINDOWS\gmer.exe [504] 0x10000000 Library C:\WINDOWS\system32\bmtdhh.dll (*** hidden *** ) @ C:\WINDOWS\system32\cmd.exe [672] 0x10000000 Library C:\WINDOWS\system32\bmtdhh.dll (*** hidden *** ) @ C:\WINDOWS\system32\spoolsv.exe [1108] 0x10000000 Process C:\WINDOWS\explorer.exe (*** hidden *** ) 1384 Library C:\WINDOWS\system32\bmtdhh.dll (*** hidden *** ) @ C:\WINDOWS\explorer.exe [1384] 0x10000000 Library C:\WINDOWS\system32\bmtdhh.dll (*** hidden *** ) @ C:\WINDOWS\system32\ctfmon.exe [1784] 0x10000000 ---- Files - GMER 1.0.11 ---- File C:\WINDOWS\system32\bmtdhh.dll File C:\WINDOWS\system32\bmtdhk.sys <-- ROOTKIT !!! File C:\WINDOWS\system32\klgcptini.dat File C:\WINDOWS\system32\rd.dll File C:\WINDOWS\system32\rd.sys File C:\WINDOWS\system32\st889.dat ---- Services - GMER 1.0.11 ---- Service C:\WINDOWS\system32\bmtdhk.sys [BOOT] bmtdhk <-- ROOTKIT !!! ---- EOF - GMER 1.0.11 ----