Bob4
I ran GMER, and it reported a warning that rootkit activity was detected.
The log is below.
Thanks
srs
GMER 1.0.12.11889 - http://www.gmer.net
Rootkit scan 2006-11-08 13:30:37
Windows 5.1.2600 Service Pack 1
---- System - GMER 1.0.12 ----
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwOpenProcess
SSDT \??\C:\Program Files\ewido anti-spyware 4.0\guard.sys ZwTerminateProcess
SYSENTER ? F562EED5
Code F562D940 pIofCallDriver
---- Kernel code sections - GMER 1.0.12 ----
.text ntoskrnl.exe!Kei386EoiHelper + 151A 804DCA64 3 Bytes
.text ntdll.dll!NtClose 77F5B5C8 5 Bytes JMP 72033A2A
.text ntdll.dll!NtCreateProcess 77F5B728 5 Bytes JMP 72033BB5
.text ntdll.dll!NtCreateProcessEx 77F5B738 5 Bytes JMP 72033A99
.text ntdll.dll!NtCreateSection 77F5B758 5 Bytes JMP 72033A48
.text ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
---- User code sections - GMER 1.0.12 ----
.text C:\Program Files\U-Storage Tools2.65\UStorage.exe[440] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\U-Storage Tools2.65\UStorage.exe[440] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\U-Storage Tools2.65\UStorage.exe[440] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\U-Storage Tools2.65\UStorage.exe[440] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\U-Storage Tools2.65\UStorage.exe[440] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\WINDOWS\SYSTEM32\adirss.exe[560] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\WINDOWS\SYSTEM32\adirss.exe[560] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\WINDOWS\SYSTEM32\adirss.exe[560] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\WINDOWS\SYSTEM32\adirss.exe[560] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\WINDOWS\SYSTEM32\adirss.exe[560] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Messenger\msmsgs.exe[572] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\Messenger\msmsgs.exe[572] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\Messenger\msmsgs.exe[572] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\Messenger\msmsgs.exe[572] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\Messenger\msmsgs.exe[572] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\WINDOWS\SYSTEM32\CTFMON.EXE[588] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\WINDOWS\SYSTEM32\CTFMON.EXE[588] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\WINDOWS\SYSTEM32\CTFMON.EXE[588] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\WINDOWS\SYSTEM32\CTFMON.EXE[588] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\WINDOWS\SYSTEM32\CTFMON.EXE[588] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe[604] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe[604] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe[604] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe[604] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Documents and Settings\Suresh Senathirajah\mpajee4.exe[604] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[652] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[652] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[652] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[652] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\Microsoft ActiveSync\wcescomm.exe[652] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[692] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[692] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[692] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[692] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\Google\GoogleToolbarNotifier\1.2.908.5008\GoogleToolbarNotifier.exe[692] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[744] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[744] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[744] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[744] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[744] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Logitech\SetPoint\KEM.exe[760] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\Logitech\SetPoint\KEM.exe[760] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\Logitech\SetPoint\KEM.exe[760] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\Logitech\SetPoint\KEM.exe[760] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\Logitech\SetPoint\KEM.exe[760] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe[784] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe[784] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe[784] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe[784] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\Sony Ericsson\Mobile\audevicemgr.exe[784] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe[812] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe[812] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe[812] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe[812] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\ScanSoft\NaturallySpeaking\Program\natspeak.exe[812] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Logitech\SetPoint\KHALMNPR.exe[952] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\Program Files\Logitech\SetPoint\KHALMNPR.exe[952] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\Program Files\Logitech\SetPoint\KHALMNPR.exe[952] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\Program Files\Logitech\SetPoint\KHALMNPR.exe[952] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\Program Files\Logitech\SetPoint\KHALMNPR.exe[952] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE[984] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE[984] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE[984] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE[984] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE[984] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\PROGRA~1\SONYER~1\Mobile\CONNEC~1\CONNMN~1.EXE[984] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE[1320] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE[1320] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE[1320] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE[1320] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\PROGRA~1\INTUWA~1\Shared\MROUTE~1\MROUTE~2.EXE[1320] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe[1328] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1448] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1448] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1448] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1448] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\PROGRA~1\MI3AA1~1\rapimgr.exe[1448] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\WINDOWS\SYSTEM32\nvsvc32.exe[1992] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\WINDOWS\EXPLORER.EXE[2036] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\WINDOWS\EXPLORER.EXE[2036] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\WINDOWS\EXPLORER.EXE[2036] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\WINDOWS\EXPLORER.EXE[2036] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\WINDOWS\EXPLORER.EXE[2036] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\WINDOWS\SYSTEM32\wdfmgr.exe[2088] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\WINDOWS\SYSTEM32\WLTRYSVC.EXE[2156] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\WINDOWS\SYSTEM32\BCMWLTRY.EXE[2196] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\WINDOWS\SYSTEM32\uwdf.exe[2796] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3232] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3232] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3232] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3232] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3232] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\WINDOWS\SYSTEM32\wuauclt.exe[3232] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
.text C:\GMER\gmer.exe[3288] ntdll.dll!NtOpenProcess 77F5BBD8 3 Bytes
.text C:\GMER\gmer.exe[3288] ntdll.dll!NtOpenProcess + 4 77F5BBDC 2 Bytes
.text C:\GMER\gmer.exe[3288] kernel32.dll!OpenProcess 77E72E23 6 Bytes
.text C:\GMER\gmer.exe[3288] kernel32.dll!LoadLibraryExW 77E7D839 6 Bytes
.text C:\GMER\gmer.exe[3288] kernel32.dll!FreeLibrary + 11 77E7E69D 4 Bytes
.text C:\GMER\gmer.exe[3288] kernel32.dll!DebugActiveProcess 77EAEE80 6 Bytes
---- Devices - GMER 1.0.12 ----
Device \FileSystem\Fs_Rec \FileSystem\UdfsCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F36BF617] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatCdRomRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F36BF617] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\CdfsRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F36BF617] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\FatDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F36BF617] tfsnifs.sys
Device \FileSystem\Fs_Rec \FileSystem\UdfsDiskRecognizer IRP_MJ_FILE_SYSTEM_CONTROL [F36BF617] tfsnifs.sys
Device \FileSystem\Cdfs \Cdfs IRP_MJ_FILE_SYSTEM_CONTROL [F36BF79B] tfsnifs.sys
---- Modules - GMER 1.0.12 ----
Module (noname) (*** hidden *** ) F562A000
---- Threads - GMER 1.0.12 ----
Thread 4:1324 F562CF6C
---- Services - GMER 1.0.12 ----
Service C:\WINDOWS\System32\lzx32.sys (*** hidden *** ) [SYSTEM] pe386 <-- ROOTKIT !!!
---- Registry - GMER 1.0.12 ----
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet001\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\ControlSet003\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Security
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386\Enum
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Type 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Start 1
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ErrorControl 0
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ImagePath \??\C:\WINDOWS\System32\lzx32.sys
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@DisplayName Win23 lzx files loader
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Group Base
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@ExtParam 0x72 0x13 0x1B 0x10 ...
Reg \Registry\MACHINE\SYSTEM\CurrentControlSet\Services\pe386@Checked 1
---- Files - GMER 1.0.12 ----
ADS C:\WINDOWS\SYSTEM32:lzx32.sys
File C:\WINDOWS\SYSTEM32\lzx32.sys <-- ROOTKIT !!!
---- EOF - GMER 1.0.12 ----