GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-01-12 19:49:20
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: C:\DOKUME~1\JOHANN~1\LOKALE~1\Temp\pwtdrpog.sys
---- System - GMER 1.0.15 ----
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcess [0xBA6CECD6] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcessEx [0xBA6CECF0] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateThread [0xBA6CDE8C] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwLoadDriver [0xBA6CE1BC] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwMapViewOfSection [0xBA6CDBCC] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwOpenSection [0xBA6CE5EE] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwRenameKey [0xBA6CF88C] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSetSystemInformation [0xBA6CE43E] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendProcess [0xBA6CDA4C] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendThread [0xBA6CDEC0] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSystemDebugControl [0xBA6CE042] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateProcess [0xBA6CD9A6] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateThread [0xBA6CDB06] <-- ROOTKIT !!!
SSDT \??\C:\Programme\cablecom\hispeed security package\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwWriteVirtualMemory [0xBA6CDF86] <-- ROOTKIT !!!
Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice
.text ntoskrnl.exe!_abnormal_termination + 440 804E2A9C 12 Bytes [4C, DA, 6C, BA, C0, DE, 6C, ...]
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xB9887360, 0x24BB1D, 0xE8000020]
.text C:\WINDOWS\system32\drivers\ACEDRV05.sys section is writeable [0xB837A000, 0x30A4A, 0xE8000020]
.pklstb C:\WINDOWS\system32\drivers\ACEDRV05.sys entry point in ".pklstb" section [0xB83BC000]
.relo2 C:\WINDOWS\system32\drivers\ACEDRV05.sys unknown last
---- User code sections - GMER 1.0.15 ----
.text C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[3772] ntdll.dll!NtCreateProcessEx 7C91D15E 5 Bytes JMP 0097100C
.text C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[3772] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0097200C
.text C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[3772] kernel32.dll!TerminateThread 7C81CB3B 5 Bytes JMP 0097300C
.text C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[3772] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0097400C
.text C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[3772] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0097A00C
.text C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[3772] ADVAPI32.dll!CloseServiceHandle 77DB6CE5 5 Bytes JMP 0097700C
.text C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[3772] ADVAPI32.dll!OpenServiceW 77DB6FFD 5 Bytes JMP 0097500C
.text C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[3772] ADVAPI32.dll!ControlService 77DC4A09 5 Bytes JMP 0097600C
.text C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[3772] ADVAPI32.dll!CreateServiceW 77E073A9 5 Bytes JMP 0097800C
.text C:\Programme\Hewlett-Packard\Digital Imaging\Bin\hpoSTS08.exe[3772] ole32.dll!CoCreateInstanceEx 774D0526 5 Bytes JMP 0097900C
---- Devices - GMER 1.0.15 ----
Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
---- Services - GMER 1.0.15 ----
Service C:\Programme\Microsoft (*** hidden *** ) [MANUAL] MSSQLSERVER <-- ROOTKIT !!!
Service C:\Programme\Microsoft (*** hidden *** ) [MANUAL] SQLSERVERAGENT <-- ROOTKIT !!!
---- EOF - GMER 1.0.15 ----