Rootkit scan 2009-03-25 20:44:54
Windows 5.1.2600 Service Pack 3
---- System - GMER 1.0.12 ----
SSDT \SystemRoot\System32\vsdatant.sys ZwConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateFile
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateKey
SSDT \SystemRoot\System32\vsdatant.sys ZwCreatePort
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateProcessEx
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateSection
SSDT \SystemRoot\System32\vsdatant.sys ZwCreateWaitablePort
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteFile
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDeleteValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwDuplicateObject
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey
SSDT \SystemRoot\System32\vsdatant.sys ZwLoadKey2
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenFile
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenProcess
SSDT \SystemRoot\System32\vsdatant.sys ZwOpenThread
SSDT \SystemRoot\System32\vsdatant.sys ZwRenameKey
SSDT \SystemRoot\System32\vsdatant.sys ZwReplaceKey
SSDT \SystemRoot\System32\vsdatant.sys ZwRequestWaitReplyPort
SSDT \SystemRoot\System32\vsdatant.sys ZwRestoreKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSecureConnectPort
SSDT \SystemRoot\System32\vsdatant.sys ZwSetInformationFile
SSDT \SystemRoot\System32\vsdatant.sys ZwSetValueKey
SSDT \SystemRoot\System32\vsdatant.sys ZwSystemDebugControl
SSDT \SystemRoot\System32\vsdatant.sys ZwTerminateProcess
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!ZwYieldExecution + 12E 804E4968 12 Bytes [ 90, CE, CA, AD, 80, 3C, CB, ... ]
.text ntoskrnl.exe!ZwYieldExecution + 16E 804E49A8 8 Bytes [ 70, 9C, CA, AD, 10, 6D, CB, ... ]
.text ntoskrnl.exe!ZwYieldExecution + 1FE 804E4A38 8 Bytes [ 30, 72, CB, AD, B0, 72, CB, ... ]
.text ntoskrnl.exe!ZwYieldExecution + 376 804E4BB0 8 Bytes [ 70, 79, CB, AD, D0, 73, CB, ... ]
---- Devices - GMER 1.0.12 ----
Device \FileSystem\Udfs \UdfsCdRom IRP_MJ_FILE_SYSTEM_CONTROL [ADA66C3D] tfsnifs.sys
Device \FileSystem\Udfs \UdfsDisk IRP_MJ_FILE_SYSTEM_CONTROL [ADA66C3D] tfsnifs.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CREATE [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLOSE [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_DEVICE_CONTROL [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_INTERNAL_DEVICE_CONTROL [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Ip IRP_MJ_CLEANUP [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CREATE [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLOSE [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_DEVICE_CONTROL [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_INTERNAL_DEVICE_CONTROL [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Tcp IRP_MJ_CLEANUP [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CREATE [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLOSE [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_DEVICE_CONTROL [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_INTERNAL_DEVICE_CONTROL [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\Udp IRP_MJ_CLEANUP [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CREATE [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLOSE [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_DEVICE_CONTROL [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_INTERNAL_DEVICE_CONTROL [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\RawIp IRP_MJ_CLEANUP [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CREATE [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLOSE [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_DEVICE_CONTROL [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_INTERNAL_DEVICE_CONTROL [ADCC05C0] vsdatant.sys
Device \Driver\Tcpip \Device\IPMULTICAST IRP_MJ_CLEANUP [ADCC05C0] vsdatant.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CREATE BA958400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLOSE BA958400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_READ BA958400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_INFORMATION BA958400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SET_INFORMATION BA958400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_QUERY_VOLUME_INFORMATION BA958400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DIRECTORY_CONTROL BA958400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL BA958400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_DEVICE_CONTROL BA958400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_SHUTDOWN BA95BC74
Device \FileSystem\Cdfs \Cdfs IRP_MJ_LOCK_CONTROL BA958400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_CLEANUP BA958400
Device \FileSystem\Cdfs \Cdfs IRP_MJ_PNP BA958400
Device \FileSystem\Cdfs \Cdfs FastIoCheckIfPossible BA95BBCE
---- Files - GMER 1.0.12 ----
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c811155aec9a.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c811155aec9a.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c811155b1c35.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c811155b1c35.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c811155b6d3c.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c811155b6d3c.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c820b800bbad.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c820b800bbad.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c83cfa7b1763.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS C:\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c83cfa7b1763.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS C:\Documents and Settings\All Users\Documents\Favorites\AT&T - Residential Products and Services.url:favicon
ADS ...
ADS N:\Seagate Backup\NMP\C\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c811155aec9a.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS N:\Seagate Backup\NMP\C\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c811155aec9a.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS N:\Seagate Backup\NMP\C\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c811155b1c35.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS N:\Seagate Backup\NMP\C\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c811155b1c35.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS N:\Seagate Backup\NMP\C\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c811155b6d3c.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS N:\Seagate Backup\NMP\C\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c811155b6d3c.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS N:\Seagate Backup\NMP\C\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c820b800bbad.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS N:\Seagate Backup\NMP\C\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c820b800bbad.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS N:\Seagate Backup\NMP\C\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c83cfa7b1763.tif:Xj1phwzh5qcwungrN45kt3kiCe
ADS N:\Seagate Backup\NMP\C\Documents and Settings\All Users\Application Data\Microsoft\Windows NT\MSFax\SentItems\S-1-5-21-1582456506-3236537422-1373595852-1006$201c83cfa7b1763.tif:{4c8cc155-6c1e-11d1-8e41-00c04fb9386d}
ADS N:\Seagate Backup\NMP\C\Documents and Settings\All Users\Documents\Favorites\AT&T - Residential Products and Services.url:favicon
ADS ...
---- EOF - GMER 1.0.12 ----