GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-02 23:38:23
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Maxtor_6B200P0 rev.BAH41E00
Running: 0sn79h24.exe; Driver: C:\DOCUME~1\Przemek\USTAWI~1\Temp\pwldqpoc.sys

---- System - GMER 1.0.15 ----

SSDT 896FDC90 ZwAssignProcessToJobObject
SSDT 896FE200 ZwDebugActiveProcess
SSDT 896FE2F0 ZwDuplicateObject
SSDT 896FD590 ZwOpenProcess
SSDT 896FD800 ZwOpenThread
SSDT 896FDFD0 ZwProtectVirtualMemory
SSDT 896FE0E0 ZwQueueApcThread
SSDT 896FDEC0 ZwSetContextThread
SSDT 896FDD90 ZwSetInformationThread
SSDT 896FADA0 ZwSetSecurityObject
SSDT 896FDB90 ZwSuspendProcess
SSDT 896FDA80 ZwSuspendThread
SSDT 896FD6E0 ZwTerminateProcess
SSDT 896FDA50 ZwTerminateThread
SSDT 896FE6D0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB833F360, 0x24526E, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[564] ntdll.dll!NtLockProductActivationKeys 7C90D490 5 Bytes JMP 10001000 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\system32\winlogon.exe[564] USER32.dll!GetSystemMetrics 7E368F9C 5 Bytes JMP 10001018 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\system32\wscntfy.exe[912] ws2_32.dll!getsockname 71A53D10 5 Bytes JMP 00BA008D
.text C:\WINDOWS\system32\wscntfy.exe[912] ws2_32.dll!connect 71A54A07 5 Bytes JMP 00BA002D
.text C:\WINDOWS\system32\wscntfy.exe[912] ws2_32.dll!getpeername 71A60B68 5 Bytes JMP 00BA00BD
.text C:\WINDOWS\system32\wscntfy.exe[912] ws2_32.dll!WSAConnect 71A60C81 5 Bytes JMP 00BA005D
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1228] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\Explorer.EXE[1832] ws2_32.dll!getsockname 71A53D10 5 Bytes JMP 0195008D
.text C:\WINDOWS\Explorer.EXE[1832] ws2_32.dll!connect 71A54A07 5 Bytes JMP 0195002D
.text C:\WINDOWS\Explorer.EXE[1832] ws2_32.dll!getpeername 71A60B68 5 Bytes JMP 019500BD
.text C:\WINDOWS\Explorer.EXE[1832] ws2_32.dll!WSAConnect 71A60C81 5 Bytes JMP 0195005D
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2008] ws2_32.dll!getsockname 71A53D10 5 Bytes JMP 00F5008D
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2008] ws2_32.dll!connect 71A54A07 5 Bytes JMP 00F5002D
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2008] ws2_32.dll!getpeername 71A60B68 5 Bytes JMP 00F500BD
.text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[2008] ws2_32.dll!WSAConnect 71A60C81 5 Bytes JMP 00F5005D
.text C:\WINDOWS\system32\ctfmon.exe[2024] ws2_32.dll!getsockname 71A53D10 5 Bytes JMP 00B2008D
.text C:\WINDOWS\system32\ctfmon.exe[2024] ws2_32.dll!connect 71A54A07 5 Bytes JMP 00B2002D
.text C:\WINDOWS\system32\ctfmon.exe[2024] ws2_32.dll!getpeername 71A60B68 5 Bytes JMP 00B200BD
.text C:\WINDOWS\system32\ctfmon.exe[2024] ws2_32.dll!WSAConnect 71A60C81 5 Bytes JMP 00B2005D
.text C:\Program Files\AutoConnect\AutoConnect.exe[2032] WS2_32.dll!getsockname 71A53D10 5 Bytes JMP 00C2008D
.text C:\Program Files\AutoConnect\AutoConnect.exe[2032] WS2_32.dll!connect 71A54A07 5 Bytes JMP 00C2002D
.text C:\Program Files\AutoConnect\AutoConnect.exe[2032] WS2_32.dll!getpeername 71A60B68 5 Bytes JMP 00C200BD
.text C:\Program Files\AutoConnect\AutoConnect.exe[2032] WS2_32.dll!WSAConnect 71A60C81 5 Bytes JMP 00C2005D
.text C:\Program Files\Mozilla Firefox\firefox.exe[2316] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 0125FAE0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2316] USER32.dll!SetWindowLongA 7E37C29D 5 Bytes JMP 0161E417 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2316] USER32.dll!SetWindowLongW 7E37C2BB 5 Bytes JMP 0161E3B7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2316] WS2_32.dll!getsockname 71A53D10 5 Bytes JMP 0219008D
.text C:\Program Files\Mozilla Firefox\firefox.exe[2316] WS2_32.dll!connect 71A54A07 5 Bytes JMP 0219002D
.text C:\Program Files\Mozilla Firefox\firefox.exe[2316] WS2_32.dll!getpeername 71A60B68 5 Bytes JMP 021900BD
.text C:\Program Files\Mozilla Firefox\firefox.exe[2316] WS2_32.dll!WSAConnect 71A60C81 5 Bytes JMP 0219005D
.text F:\0sn79h24.exe[3408] ws2_32.dll!getsockname 71A53D10 5 Bytes JMP 00B6008D
.text F:\0sn79h24.exe[3408] ws2_32.dll!connect 71A54A07 5 Bytes JMP 00B6002D
.text F:\0sn79h24.exe[3408] ws2_32.dll!getpeername 71A60B68 5 Bytes JMP 00B600BD
.text F:\0sn79h24.exe[3408] ws2_32.dll!WSAConnect 71A60C81 5 Bytes JMP 00B6005D

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x60 0x98 0x87 0xFE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x60 0x98 0x87 0xFE ...

---- EOF - GMER 1.0.15 ----