GMER 1.0.14.14536 - http://www.gmer.net Rootkit scan 2008-10-26 00:21:36 Windows 5.1.2600 Service Pack 2 ---- Devices - GMER 1.0.14 ---- AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.) AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Development Company, L.P.) Device \Driver\prodrv06 \Device\ProDrv06 E1968AF0 Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology) Device \Driver\prohlp02 \Device\ProHlp02 E18C47E8 ---- Registry - GMER 1.0.14 ---- Reg HKLM\SYSTEM\ControlSet001\Services\SysmonLog\Log Queries\{8cea385d-8ea5-4673-9c2d-0790cdee69b2}@\20\4B\4@\48\0041\4C\4B\4K\4 \0E\4@\0040\4=\0045\4=\48\4O\4 \0004\0040\4=\4=\4K\4E\4 33 Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0L\0002\0T\0P\0) 1? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0P\0P\0T\0P\0) 1? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0P\0P\0P\0o\0E\0) 1? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\37\4@\4O\4<\4>\49\4 \0?\0040\4@\0040\4;\4;\0045\4;\4L\4=\4K\49\4 \0?\4>\4@\4B\4 1? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0I\0P\0) 1? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0?\4;\0040\4=\48\4@\4>\0042\4I\48\4:\0040\4 \0?\0040\4:\0045\4B\4>\0042\4 1?2?3?4? Reg HKLM\SYSTEM\CurrentControlSet\Services\SysmonLog\Log Queries\{8cea385d-8ea5-4673-9c2d-0790cdee69b2}@\20\4B\4@\48\0041\4C\4B\4K\4 \0E\4@\0040\4=\0045\4=\48\4O\4 \0004\0040\4=\4=\4K\4E\4 33 Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0L\0002\0T\0P\0) 1? Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0P\0P\0T\0P\0) 1? Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0P\0P\0P\0o\0E\0) 1? Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\37\4@\4O\4<\4>\49\4 \0?\0040\4@\0040\4;\4;\0045\4;\4L\4=\4K\49\4 \0?\4>\4@\4B\4 1? Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0I\0P\0) 1? Reg HKLM\SYSTEM\ControlSet003\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0?\4;\0040\4=\48\4@\4>\0042\4I\48\4:\0040\4 \0?\0040\4:\0045\4B\4>\0042\4 1?2?3?4? Reg HKLM\SYSTEM\ControlSet003\Services\SysmonLog\Log Queries\{8cea385d-8ea5-4673-9c2d-0790cdee69b2}@\20\4B\4@\48\0041\4C\4B\4K\4 \0E\4@\0040\4=\0045\4=\48\4O\4 \0004\0040\4=\4=\4K\4E\4 33 Reg HKLM\SYSTEM\ControlSet005\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0L\0002\0T\0P\0) 1? Reg HKLM\SYSTEM\ControlSet005\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0P\0P\0T\0P\0) 1? Reg HKLM\SYSTEM\ControlSet005\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0P\0P\0P\0o\0E\0) 1? Reg HKLM\SYSTEM\ControlSet005\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\37\4@\4O\4<\4>\49\4 \0?\0040\4@\0040\4;\4;\0045\4;\4L\4=\4K\49\4 \0?\4>\4@\4B\4 1? Reg HKLM\SYSTEM\ControlSet005\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0W\0A\0N\0 \0(\0I\0P\0) 1? Reg HKLM\SYSTEM\ControlSet005\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\Descriptions@\34\48\4=\48\4?\4>\4@\4B\4 \0?\4;\0040\4=\48\4@\4>\0042\4I\48\4:\0040\4 \0?\0040\4:\0045\4B\4>\0042\4 1?2?3?4? Reg HKLM\SYSTEM\ControlSet005\Services\SysmonLog\Log Queries\{8cea385d-8ea5-4673-9c2d-0790cdee69b2}@\20\4B\4@\48\0041\4C\4B\4K\4 \0E\4@\0040\4=\0045\4=\48\4O\4 \0004\0040\4=\4=\4K\4E\4 33 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG08.00.00.01WORKSTATION 50AEA1EFE5FEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74CFEBC9E127BECC74C8EDD5E5BE2F6E667A6171C11EC38DE3DFEBC9E127BECC74CA9C6AECB7A5D1407CBD03F8FDA59B9C681B22C42291D1C5A5C8EAE3BE85615C5A3DE0B95904CD09AF15ED34C80D8C8C952D50202BAC243329879D44F6A231FB617DD0AA73F5C6FED99EC5D4910A06A5ABAFD63425B86A131836C2B02083493BBD9C82E7D0210833E419B9EDC228B2AEEEFACF14368762F092767CB9F01E9F6606AC4B28B1DB7BF8C7FCC0D4520F989A6B9267F2B11A2DA1121300A53EAA34753DDB483A82CA5CB82FA28D3224850FD4177711484D99E07412550E9B12DC771E5D946420F1CAFC4EC7018D078ADF4EF2319DB6A3A980589B87815A23087BF5A121A6544E02E31BA39B0CC972EB7D43C562474731FFB712B38F58EA12B0879D770ED44941F780831FD9F396F13A0DDB5083210526981842C270B12865E9468B4C0395B6F32E59620F13414CF56F6851E0870C65D307DE13D8EBBBA27EDE57E31E5F2E0C665B246736F7D58E98B1FC2324B1F74227318B3839B9CE38BDE09B7FDE5255640E772FE0CF899451FABCD909B6B163ADE124C279BA1D82E6F9DDE12C5EC707C354D882F3EB13D5F86948E6EFDA4BBFA86D36BEA11962E00C3779A0F204908DA320EB0CBCF6030EB6A04BF61EC588EDEC Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@AppInit_DLLs Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000 ---- Files - GMER 1.0.14 ---- File C:\WINDOWS\system32\wbem\Performance\WmiApRpl_new.ini 950 bytes ---- EOF - GMER 1.0.14 ----