GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-10-27 01:21:10
Windows 5.1.2600 Service Pack 3
Running: gmer.exe; Driver: D:\DOCUME~1\PROPRI~1\IMPOST~1\Temp\pftyipob.sys
---- User code sections - GMER 1.0.15 ----
.text C:\WINDOWS\System32\svchost.exe[900] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes JMP 01ECADCD
.text C:\WINDOWS\System32\svchost.exe[900] kernel32.dll!Sleep 7C802446 5 Bytes JMP 01E60000
.text C:\WINDOWS\System32\svchost.exe[900] NETAPI32.dll!NetpwPathCanonicalize 5BC7A3A9 5 Bytes JMP 01ECAD64
.text C:\WINDOWS\system32\svchost.exe[948] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes JMP 00DEADCD
.text C:\WINDOWS\system32\svchost.exe[948] kernel32.dll!Sleep 7C802446 5 Bytes JMP 00DD0000
.text C:\WINDOWS\Explorer.EXE[1468] ntdll.dll!NtQueryDirectoryFile + 6 7C91D774 4 Bytes [90, 61, F4, 00]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1664] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 004013F0 C:\Programmi\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] kernel32.dll!LoadResource 7C80A055 7 Bytes JMP 2806CEC0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] kernel32.dll!FindResourceExW 7C80AD28 7 Bytes JMP 2806CD20 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] kernel32.dll!FindResourceW 7C80BC6E 7 Bytes JMP 2806CCA0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] kernel32.dll!SizeofResource 7C80BD09 7 Bytes JMP 2806CF70 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] kernel32.dll!FindResourceA 7C80BF29 7 Bytes JMP 2806CDA0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] kernel32.dll!LockResource 7C80CD37 5 Bytes JMP 2806CFE0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] kernel32.dll!CreateEventA 7C8308B5 5 Bytes JMP 2806C900 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] kernel32.dll!FindResourceExA 7C835FA8 7 Bytes JMP 2806CE30 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] ADVAPI32.dll!CryptDeriveKey 77F59FFD 7 Bytes JMP 2806C410 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] ADVAPI32.dll!CryptDecrypt 77F5A129 7 Bytes JMP 2806C470 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] USER32.dll!GetWindowLongW 7E3988A6 7 Bytes JMP 28070F10 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] USER32.dll!PeekMessageW 7E39929B 5 Bytes JMP 2806EF10 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] USER32.dll!SetWindowPlacement 7E39DE46 5 Bytes JMP 28070480 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] USER32.dll!CreateDialogParamW 7E39EA3B 5 Bytes JMP 280705D0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] USER32.dll!LoadImageW 7E3A7B97 5 Bytes JMP 28070C60 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] USER32.dll!CreateWindowExW 7E3AD0A3 5 Bytes JMP 2806E4A0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] USER32.dll!SetWindowRgn 7E3AE528 7 Bytes JMP 28070520 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] USER32.dll!LoadIconW 7E3AE8BC 5 Bytes JMP 28070DE0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] USER32.dll!MessageBoxIndirectW 7E3E64D5 5 Bytes JMP 28070800 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] USER32.dll!TrackPopupMenuEx 7E3ECF62 5 Bytes JMP 2806F590 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] SHELL32.dll!Shell_NotifyIconW 7CA3A587 5 Bytes JMP 2806DC10 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] ole32.dll!CoCreateInstance 774CF1AC 5 Bytes JMP 2806D5C0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] ole32.dll!CoInitializeEx 774D1473 5 Bytes JMP 2806D240 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] ole32.dll!CoRegisterClassObject 774E79C0 5 Bytes JMP 2806D340 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] WININET.dll!HttpOpenRequestA 77192B01 5 Bytes JMP 28073F30 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] WININET.dll!InternetCloseHandle 77194D94 5 Bytes JMP 280741D0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] WININET.dll!HttpSendRequestA 771960A9 5 Bytes JMP 28074130 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] WININET.dll!InternetReadFile 771982F2 5 Bytes JMP 28074090 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
---- Devices - GMER 1.0.15 ----
AttachedDevice \FileSystem\Ntfs \Ntfs SiWinAcc.sys (Windows Accelerator Driver/Silicon Image, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs amon.sys (Amon monitor/Eset )
---- Services - GMER 1.0.15 ----
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] bridlccn <-- ROOTKIT !!!
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\bridlccn@DisplayName System Shell
Reg HKLM\SYSTEM\CurrentControlSet\Services\bridlccn@Type 32
Reg HKLM\SYSTEM\CurrentControlSet\Services\bridlccn@Start 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\bridlccn@ErrorControl 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\bridlccn@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\bridlccn@ObjectName LocalSystem
Reg HKLM\SYSTEM\CurrentControlSet\Services\bridlccn@Description Allows multiple users to connect interactively to a computer, and the display of desktops and applications to remote computers. Underpins Remote Desktop (including Remote Desktop for Administrators), Fast User Switching, Remote Assistance and Terminal Server.
Reg HKLM\SYSTEM\CurrentControlSet\Services\bridlccn\Parameters
Reg HKLM\SYSTEM\CurrentControlSet\Services\bridlccn\Parameters@ServiceDll C:\WINDOWS\system32\srtadqd.dll
Reg HKLM\SYSTEM\ControlSet002\Services\bridlccn@DisplayName System Shell
Reg HKLM\SYSTEM\ControlSet002\Services\bridlccn@Type 32
Reg HKLM\SYSTEM\ControlSet002\Services\bridlccn@Start 2
Reg HKLM\SYSTEM\ControlSet002\Services\bridlccn@ErrorControl 0
Reg HKLM\SYSTEM\ControlSet002\Services\bridlccn@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\ControlSet002\Services\bridlccn@ObjectName LocalSystem
Reg HKLM\SYSTEM\ControlSet002\Services\bridlccn@Description Allows multiple users to connect interactively to a computer, and the display of desktops and applications to remote computers. Underpins Remote Desktop (including Remote Desktop for Administrators), Fast User Switching, Remote Assistance and Terminal Server.
Reg HKLM\SYSTEM\ControlSet002\Services\bridlccn\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\bridlccn\Parameters@ServiceDll C:\WINDOWS\system32\srtadqd.dll
---- EOF - GMER 1.0.15 ----
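Triage of this report, as an added example (editor's code, not part of the GMER output and not GMER's own code): the finding the scan actually proves is the svchost-hosted service bridlccn that GMER marks as hidden, and the Registry section supplies its indicators (netsvcs host group, ServiceDll srtadqd.dll, a DisplayName of "System Shell" paired with a Description copied from the Terminal Services service, and a second copy of the key under ControlSet002 as well as the active control set). The script below parses the three record types in the report (user-mode hooks, Services, Registry), pulls those indicators out of any hidden service, and separates the hooks GMER attributed to a module (the Messenger Plus! add-on, Firefox patching its own image) from the unattributed ones in svchost.exe and Explorer.EXE, which are the ones to chase. The record formats are inferred from the lines of this report only; SAMPLE_LOG is a constructed excerpt that copies lines from the report so the script runs offline.

```python
"""Offline triage of a GMER 1.0.15 text report (added example, not GMER code).

Record formats are inferred from this report only.  SAMPLE_LOG is a constructed
excerpt copying the report's own lines so the script runs offline.
"""
import re
from collections import defaultdict

SAMPLE_LOG = r"""
.text C:\WINDOWS\System32\svchost.exe[900] ntdll.dll!NtQueryInformationProcess 7C91D7FE 5 Bytes JMP 01ECADCD
.text C:\WINDOWS\System32\svchost.exe[900] NETAPI32.dll!NetpwPathCanonicalize 5BC7A3A9 5 Bytes JMP 01ECAD64
.text C:\WINDOWS\Explorer.EXE[1468] ntdll.dll!NtQueryDirectoryFile + 6 7C91D774 4 Bytes [90, 61, F4, 00]
.text C:\Programmi\Mozilla Firefox\firefox.exe[1664] ntdll.dll!LdrLoadDll 7C9263C3 5 Bytes JMP 004013F0 C:\Programmi\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Programmi\Windows Live\Messenger\msnmsgr.exe[1924] kernel32.dll!LoadResource 7C80A055 7 Bytes JMP 2806CEC0 C:\Programmi\Messenger Plus! Live\MsgPlusLive.dll (Messenger Plus! Live Add-On/Yuna Software)
Service C:\WINDOWS\system32\svchost.exe (*** hidden *** ) [AUTO] bridlccn <-- ROOTKIT !!!
Reg HKLM\SYSTEM\CurrentControlSet\Services\bridlccn@DisplayName System Shell
Reg HKLM\SYSTEM\CurrentControlSet\Services\bridlccn@ImagePath %SystemRoot%\system32\svchost.exe -k netsvcs
Reg HKLM\SYSTEM\CurrentControlSet\Services\bridlccn\Parameters@ServiceDll C:\WINDOWS\system32\srtadqd.dll
Reg HKLM\SYSTEM\ControlSet002\Services\bridlccn\Parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\bridlccn\Parameters@ServiceDll C:\WINDOWS\system32\srtadqd.dll
"""

# ".text <image>[<pid>] <dll!sym>[ + off] <addr> <n> Bytes <JMP xxxxxxxx | [bytes]> [<module> (<vendor>)]"
HOOK_RE = re.compile(
    r'^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+'
    r'(?P<symbol>\S+(?: \+ \d+)?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+) Bytes\s+'
    r'(?P<patch>JMP [0-9A-F]{8}|\[[^\]]*\])'
    r'(?:\s+(?P<module>.+?) \((?P<vendor>[^)]*)\))?\s*$')
# "Service <image> (<flags>) [<start>] <name> ..."
SERVICE_RE = re.compile(
    r'^Service\s+(?P<image>.+?)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>[A-Z_]+)\]\s+(?P<name>\S+)')
# "Reg <key>[@<value>] [<data>]"
REG_RE = re.compile(r'^Reg\s+(?P<key>[^\s@]+)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$')
SVCKEY_RE = re.compile(
    r'^HKLM\\SYSTEM\\(?P<cset>CurrentControlSet|ControlSet\d{3})\\Services\\(?P<name>[^\\]+)'
    r'(?:\\(?P<sub>.*))?$')
SVCHOST_RE = re.compile(r'svchost\.exe\s+-k\s+(?P<group>\S+)', re.I)


def parse_gmer(text):
    """Return (hooks, services, reg) with reg[service][controlset][value path] -> data."""
    hooks, services = [], []
    reg = defaultdict(lambda: defaultdict(dict))
    for line in text.splitlines():
        line = line.strip()
        if m := HOOK_RE.match(line):
            hooks.append(m.groupdict())
        elif m := SERVICE_RE.match(line):
            services.append(m.groupdict())
        elif (m := REG_RE.match(line)) and m['value']:
            k = SVCKEY_RE.match(m['key'])
            if k:
                path = m['value'] if k['sub'] is None else k['sub'] + '\\' + m['value']
                reg[k['name']][k['cset']][path] = m['data'] or ''
    return hooks, services, reg


def triage(hooks, services, reg):
    """Separate what the report proves from what it merely lists."""
    findings = []
    # 1. A service GMER flags as hidden is invisible to the SCM, so the registry
    #    dump is where the IOCs (host group, ServiceDll) come from.  More than one
    #    control set means the entry also survives a rollback to that set.
    for svc in services:
        if 'hidden' not in svc['flags']:
            continue
        name = svc['name']
        active = reg[name].get('CurrentControlSet', {})
        group = SVCHOST_RE.search(active.get('ImagePath', ''))
        findings.append({
            'type': 'hidden_service',
            'name': name,
            'display_name': active.get('DisplayName'),
            'svchost_group': group['group'] if group else None,
            'service_dll': active.get('Parameters\\ServiceDll'),
            'control_sets': sorted(reg[name]),
        })
    # 2. Hooks GMER attributed to a module (an add-on DLL, or a process patching
    #    its own image) are explainable; unattributed ones are not.  In svchost,
    #    a hook on NETAPI32!NetpwPathCanonicalize (the function fixed by MS08-067)
    #    is the pattern of malware closing the hole it came in through, and a
    #    patch on ntdll!NtQueryDirectoryFile is the classic directory-listing filter.
    for h in hooks:
        if h['module'] is None:
            findings.append({
                'type': 'unattributed_hook',
                'process': h['image'].rsplit('\\', 1)[-1],
                'pid': int(h['pid']),
                'symbol': h['symbol'],
                'patch': h['patch'],
            })
    return findings


if __name__ == '__main__':
    for finding in triage(*parse_gmer(SAMPLE_LOG)):
        print(finding)
```

On this report the script yields one hidden service (bridlccn, netsvcs, ServiceDll C:\WINDOWS\system32\srtadqd.dll, present in CurrentControlSet and ControlSet002) and the unattributed hooks in svchost.exe and Explorer.EXE; the MsgPlusLive.dll and firefox.exe hooks are attributed and drop out. The control-set list is the cleanup caveat: deleting the key from the active set alone leaves a copy that a rollback to the other set restores, so remove it from every control set, remove the ServiceDll from disk, and re-scan.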