GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-17 21:21:55
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3500320NS rev.SN05
Running: ke8dyeli.exe; Driver: C:\DOCUME~1\WIN\USTAWI~1\Temp\ufryqkow.sys

---- System - GMER 1.0.15 ----

SSDT 89085C90 ZwAssignProcessToJobObject
SSDT 89086200 ZwDebugActiveProcess
SSDT 890862F0 ZwDuplicateObject
SSDT 89085590 ZwOpenProcess
SSDT 89085800 ZwOpenThread
SSDT 89085FD0 ZwProtectVirtualMemory
SSDT 890860E0 ZwQueueApcThread
SSDT 89085EC0 ZwSetContextThread
SSDT 89085D90 ZwSetInformationThread
SSDT 89082DA0 ZwSetSecurityObject
SSDT 89085B90 ZwSuspendProcess
SSDT 89085A80 ZwSuspendThread
SSDT 890856E0 ZwTerminateProcess
SSDT 89085A50 ZwTerminateThread
SSDT 890866D0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6BEB3A0, 0x585395, 0xE8000020]
.PAGE1 C:\WINDOWS\system32\DRIVERS\serial.sys unknown last section [0xB81E5800, 0x100, 0xC0000040]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB28FE300, 0x3B6D8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB83A8300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[508] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 1004BF70 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[508] USER32.dll!SetWindowRgn + 2BD 7E37E7E5 7 Bytes JMP 1004BE30 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[508] USER32.dll!SetClipboardData + 19D 7E38113B 7 Bytes JMP 1004BF50 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[508] USER32.dll!MessageBoxA + 49 7E3A0833 7 Bytes JMP 1004C040 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[508] USER32.dll!MessageBoxExW + 1F 7E3A0857 7 Bytes JMP 1004C090 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SEPCSuite.exe[508] USER32.dll!MessageBoxTimeoutA + CA 7E3B64D0 7 Bytes JMP 1004BFC0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1944] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text D:\Program Files\Mozilla Firefox\firefox.exe[2072] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 012A2EC0 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\WINDOWS\system32\svchost.exe[2176] USER32.dll!DialogBoxIndirectParamAorW 7E3749D0 5 Bytes [33, C0, C2, 18, 00] {XOR EAX, EAX; RET 0x18}
.text D:\Program Files\Mozilla Firefox\plugin-container.exe[3516] USER32.dll!SetWindowLongA 7E37C29D 5 Bytes JMP 106AC350 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text D:\Program Files\Mozilla Firefox\plugin-container.exe[3516] USER32.dll!SetWindowLongW 7E37C2BB 5 Bytes JMP 106AC2E2 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text D:\Program Files\Mozilla Firefox\plugin-container.exe[3516] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 1045E363 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text D:\Program Files\Mozilla Firefox\plugin-container.exe[3516] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 1045E91C D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys (ESET Personal Firewall TDI filter/ESET)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) B8258000-B8261000 (36864 bytes)
Module (noname) (*** hidden *** ) B8178000-B8186000 (57344 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:116] B825C3E0
Thread System [4:120] B825C3E0
Thread System [4:124] B825C3E0
Thread System [4:128] B825C3E0
Thread System [4:132] 89AE6330
Thread System [4:136] 89AE6330
Thread System [4:140] 89AE6330
Thread System [4:144] 89AE6330

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8D 0x9B 0xB1 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0A 0x38 0x5D 0xFC ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x43 0x60 0x56 0x2C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x8D 0x9B 0xB1 0x96 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0A 0x38 0x5D 0xFC ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x43 0x60 0x56 0x2C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\WIN\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\cwrzww6l.default\Cache\0\76\43AF9d01 4558 bytes
File C:\Documents and Settings\WIN\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\cwrzww6l.default\Cache\0\7F\F41A2d01 4891 bytes
File C:\Documents and Settings\WIN\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\cwrzww6l.default\Cache\0\8B\33BD2d01 3507 bytes
File C:\Documents and Settings\WIN\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\cwrzww6l.default\Cache\0\E6\6DEFDd01 4806 bytes
File C:\Documents and Settings\WIN\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\cwrzww6l.default\Cache\0\E7\A610Cd01 4851 bytes
File C:\Documents and Settings\WIN\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\cwrzww6l.default\Cache\0\F6\A8A70d01 4375 bytes
File C:\Documents and Settings\WIN\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\cwrzww6l.default\Cache\0\FB\33721m01 4095 bytes
File C:\Documents and Settings\WIN\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\cwrzww6l.default\Cache\1\11\6A0C3d01 0 bytes
File C:\Documents and Settings\WIN\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\cwrzww6l.default\Cache\1\A2\BA481d01 0 bytes
File C:\Documents and Settings\WIN\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\cwrzww6l.default\Cache\4\DD\B3B23d01 0 bytes
File C:\Documents and Settings\WIN\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\cwrzww6l.default\Cache\5\51\9461Fd01 3674 bytes
File C:\Program Files\eplgOutlook.dll 270400 bytes executable
File C:\Program Files\eplgOutlookEmon.dll 163280 bytes executable
File C:\Program Files\eplgOutlookEmonLang.dll 19680 bytes executable
File C:\Program Files\eplgOutlookLang.dll 12464 bytes executable
File C:\Program Files\eplgOutlookSmon.dll 398120 bytes executable
File C:\Program Files\eplgOutlookSmonLang.dll 11952 bytes executable
File C:\Program Files\eplgTbEmon.dll 204480 bytes executable
File C:\Program Files\eplgTbLang.dll 12464 bytes executable
File C:\Program Files\eplgTbSmon.dll 394000 bytes executable
File C:\Program Files\eplgTbSmonLang.dll 11952 bytes executable
File C:\Program Files\eset.chm 4516853 bytes
File C:\Program Files\eula.rtf 29202 bytes
File C:\Program Files\http_dll.dll 76760 bytes
File C:\Program Files\License 0 bytes
File C:\Program Files\mfc80.dll 1101824 bytes executable
File C:\Program Files\mfc80u.dll 1093120 bytes executable
File C:\Program Files\EHttpSrv.exe 20680 bytes executable
File C:\Program Files\ekrn.exe 727720 bytes executable
File C:\Program Files\ekrnAmon.dll 171520 bytes executable
File C:\Program Files\ekrnDmon.dll 109720 bytes
File C:\Program Files\ekrnDmonLang.dll 10928 bytes executable
File C:\Program Files\ekrnEmon.dll 113840 bytes executable
File C:\Program Files\ekrnEpfw.dll 410480 bytes executable
File C:\Program Files\ekrnEpfwLang.dll 20680 bytes executable
File C:\Program Files\ekrnLang.dll 31000 bytes executable
File C:\Program Files\ekrnMailPlugins.dll 105600 bytes executable
File C:\Program Files\ekrnMailPluginsLang.dll 11952 bytes executable
File C:\Program Files\ekrnScan.dll 171520 bytes executable
File C:\Program Files\ekrnScanLang.dll 10928 bytes executable
File C:\Program Files\ekrnSmon.dll 216840 bytes executable
File C:\WINDOWS\$NtUninstallKB57265$\1535255323 0 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855 0 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\L 0 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\L\doayofsk 65280 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\loader.tlb 2632 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\U 0 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\U\@00000001 45968 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\U\@000000c0 3072 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\U\@000000cb 3072 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\U\@000000cf 1536 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\U\@80000000 23040 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\U\@800000c0 35840 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\U\@800000cb 24064 bytes
File C:\WINDOWS\$NtUninstallKB57265$\2667691855\U\@800000cf 31744 bytes

---- EOF - GMER 1.0.15 ----