GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-19 15:43:34
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 rev.
Running: js8h7p48.exe; Driver: C:\DOCUME~1\user\USTAWI~1\Temp\awnyqfoc.sys

---- System - GMER 1.0.15 ----

SSDT B871EB2C ZwClose
SSDT B871EAE6 ZwCreateKey
SSDT B871EB36 ZwCreateSection
SSDT B871EADC ZwCreateThread
SSDT B871EAEB ZwDeleteKey
SSDT B871EAF5 ZwDeleteValueKey
SSDT B871EB27 ZwDuplicateObject
SSDT B871EAFA ZwLoadKey
SSDT B871EAC8 ZwOpenProcess
SSDT B871EACD ZwOpenThread
SSDT B871EB04 ZwReplaceKey
SSDT B871EAFF ZwRestoreKey
SSDT B871EB3B ZwSetContextThread
SSDT B871EAF0 ZwSetValueKey
SSDT B871EAD7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C88 80504524 4 Bytes JMP 91B6B871
.text ntkrnlpa.exe!ZwCallbackReturn + 2CB8 80504554 4 Bytes [DC, EA, 71, B8] {FSUB ST(2), ST; JNO 0xffffffffffffffbc}
.text ntkrnlpa.exe!ZwCallbackReturn + 2CE0 8050457C 4 Bytes [EB, EA, 71, B8] {JMP 0xffffffffffffffec; JNO 0xffffffffffffffbc}
.text ntkrnlpa.exe!ZwCallbackReturn + 2CE8 80504584 4 Bytes JMP 926EB871
.text ntkrnlpa.exe!ZwCallbackReturn + 2D6C 80504608 4 Bytes [FA, EA, 71, B8]
.text ...
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB74643A0, 0x5CC259, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADB3C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 406146A6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A5337 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A5269 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A52D4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A513A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A519C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A539A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A51FE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 406ADB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] ole32.dll!OleLoadFromStream 7751981B 5 Bytes JMP 407A569F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Disk \Device\Harddisk0\DR0 89C30A0A
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 3632
Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 3712

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3A 0xDE 0xC2 0x44 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0xD4 0xC3 0x97 0x02 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3A 0xDE 0xC2 0x44 ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 Whistler@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
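Reading a GMER log means separating the findings that decide the verdict from the ones that merely need attribution. The two "*** hidden ***" IEXPLORE.EXE processes and the "Whistler@MBR code has been found" disk finding are conclusive on their own; the SSDT entries are reported without an owning driver, and the user-mode hooks are reported together with the module GMER maps the JMP target to (here IEFRAME.dll inside Internet Explorer and firefox.exe inside Firefox), so those need an owner before they count. The following Python script is an added example, not part of the posted log or of GMER itself: it parses the "---- section ----" layout, pulls out SSDT hooks, user-mode inline hooks grouped by the attributed module, hidden PIDs and the MBR signature line, and applies a triage policy of the example's own devising (hidden process or flagged MBR = infected; unattributed hooks = suspicious). The embedded sample is a constructed subset of the log above with its line breaks restored; the regular expressions are written for GMER 1.0.15's output as shown on this page and are an assumption for other versions.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the GMER 1.0.15 log above, one finding per line.
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-19 15:43:34
---- System - GMER 1.0.15 ----

SSDT B871EB2C ZwClose
SSDT B871EAC8 ZwOpenProcess
SSDT B871EAD7 ZwTerminateProcess

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1160] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3632] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\IEXPLORE.EXE[3712] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 406ADB98 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 3632
Process C:\Program Files\Internet Explorer\IEXPLORE.EXE (*** hidden *** ) 3712

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 Whistler@MBR code has been found <-- ROOTKIT !!!
Disk \Device\Harddisk0\DR0 sector 00: rootkit-like behavior
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)")
# Inline hook in a user process: hooked API, then (optionally) the module GMER
# attributes the JMP target to and its version-resource vendor string.
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\.(?:exe|EXE))\[(?P<pid>\d+)\]\s+(?P<api>\S+!\S+)\s+"
    r"[0-9A-F]{8}\s+\d+ Bytes\s+JMP\s+[0-9A-F]{8}"
    r"(?:\s+(?P<module>\S.*?)\s+\((?P<vendor>[^)]*)\))?$"
)
HIDDEN_RE = re.compile(r"^Process\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+(?P<pid>\d+)")
MBR_RE = re.compile(r"^Disk\s+\S+\s+(.+?)\s*<-- ROOTKIT")


def parse_gmer(text):
    """Yield (section, line) for every non-blank finding, using the ---- headers as section names."""
    section = "Header"
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        yield section, line


def triage(text):
    """Collect the findings that decide an infection verdict from a GMER log."""
    report = {
        "ssdt_hooks": [],                 # (address, service); GMER names no owning driver here
        "hidden_pids": [],                # processes missing from the API view (cross-view diff)
        "mbr_rootkit": None,              # signature text GMER printed for the MBR, if any
        "user_hooks": defaultdict(list),  # hooking module -> [(pid, hooked API)]
        "unattributed_user_hooks": [],    # JMP targets GMER could not map to a module
    }
    for section, line in parse_gmer(text):
        if section == "System" and (m := SSDT_RE.match(line)):
            report["ssdt_hooks"].append((m.group(1), m.group(2)))
        elif section == "User code sections" and (m := USER_HOOK_RE.match(line)):
            hook = (int(m.group("pid")), m.group("api"))
            if m.group("module"):
                report["user_hooks"][m.group("module")].append(hook)
            else:
                report["unattributed_user_hooks"].append(hook)
        elif section == "Processes" and (m := HIDDEN_RE.match(line)):
            report["hidden_pids"].append(int(m.group("pid")))
        elif section == "Disk sectors" and (m := MBR_RE.match(line)):
            report["mbr_rootkit"] = m.group(1)
    report["user_hooks"] = dict(report["user_hooks"])
    return report


def severity(report):
    """Example policy: hidden processes or a flagged MBR are conclusive on their own;
    SSDT hooks and hooks GMER cannot attribute to a module need an owner before they count."""
    if report["mbr_rootkit"] or report["hidden_pids"]:
        return "infected"
    if report["ssdt_hooks"] or report["unattributed_user_hooks"]:
        return "suspicious"
    return "clean"


if __name__ == "__main__":
    r = triage(SAMPLE_LOG)
    print(severity(r), r["hidden_pids"], r["mbr_rootkit"])
    for module, hooks in r["user_hooks"].items():
        print(f"{len(hooks)} hook(s) from {module}")
```

Run against the sample it reports "infected" with PIDs 3632 and 3712 and the Whistler MBR line, and groups the inline hooks under IEFRAME.dll and firefox.exe. The grouping is the useful part for the full log: every IEXPLORE.EXE hook resolves to IEFRAME.dll, so the question to answer is whether that module is legitimate on the box, whereas the SSDT section gives no module at all and has to be attributed by other means (for example a memory dump of the B871Exxx region).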