GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-31 21:32:52
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdePort0 SAMSUNG_SP1654N rev.BV100-45
Running: gyvm2j3b.exe; Driver: C:\DOCUME~1\ADMINI~1.DOM\USTAWI~1\Temp\kwedifod.sys

---- System - GMER 1.0.15 ----

SSDT  B86C276C  ZwClose
SSDT  B86C2726  ZwCreateKey
SSDT  B86C2776  ZwCreateSection
SSDT  B86C271C  ZwCreateThread
SSDT  B86C272B  ZwDeleteKey
SSDT  B86C2735  ZwDeleteValueKey
SSDT  B86C2767  ZwDuplicateObject
SSDT  B86C273A  ZwLoadKey
SSDT  B86C2708  ZwOpenProcess
SSDT  B86C270D  ZwOpenThread
SSDT  B86C278F  ZwQueryValueKey
SSDT  B86C2744  ZwReplaceKey
SSDT  B86C2780  ZwRequestWaitReplyPort
SSDT  B86C273F  ZwRestoreKey
SSDT  B86C277B  ZwSetContextThread
SSDT  B86C2785  ZwSetSecurityObject
SSDT  B86C2730  ZwSetValueKey
SSDT  B86C278A  ZwSystemDebugControl
SSDT  B86C2717  ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB69E93A0, 0x59FFE5, 0xE8000020]
.rsrc  C:\WINDOWS\system32\DRIVERS\mouclass.sys  entry point in ".rsrc" section [0xB843C814]
?      C:\WINDOWS\system32\DRIVERS\mouclass.sys  suspicious PE modification
init   C:\WINDOWS\system32\drivers\Senfilt.sys  entry point in "init" section [0xB2036A80]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[460] ntdll.dll!DbgUiRemoteBreakin  7C9520EC 1 Byte  [C3]
.text  F:\Program Files\Mozilla Firefox\firefox.exe[1300] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 00CB000A
.text  F:\Program Files\Mozilla Firefox\firefox.exe[1300] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 00CC000A
.text  F:\Program Files\Mozilla Firefox\firefox.exe[1300] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00CA000C
.text  F:\Program Files\Mozilla Firefox\firefox.exe[1300] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 01939720 F:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  F:\Program Files\Mozilla Firefox\firefox.exe[1300] kernel32.dll!VirtualAlloc  7C809AF1 5 Bytes  JMP 01B6E21B F:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  F:\Program Files\Mozilla Firefox\firefox.exe[1300] kernel32.dll!MapViewOfFile  7C80B9A5 5 Bytes  JMP 01B6E1F4 F:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  F:\Program Files\Mozilla Firefox\firefox.exe[1300] GDI32.dll!CreateDIBSection  77F19E19 5 Bytes  JMP 01B6E17E F:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 00BE000A
.text  C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 00C4000A
.text  C:\WINDOWS\Explorer.EXE[1332] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 00BD000C
.text  C:\WINDOWS\System32\svchost.exe[2052] ntdll.dll!NtProtectVirtualMemory  7C90D6EE 5 Bytes  JMP 0098000A
.text  C:\WINDOWS\System32\svchost.exe[2052] ntdll.dll!NtWriteVirtualMemory  7C90DFAE 5 Bytes  JMP 0099000A
.text  C:\WINDOWS\System32\svchost.exe[2052] ntdll.dll!KiUserExceptionDispatcher  7C90E47C 5 Bytes  JMP 0097000C
.text  F:\Program Files\Mozilla Firefox\plugin-container.exe[3180] USER32.dll!SetWindowLongA  7E37C29D 5 Bytes  JMP 106775F7 F:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  F:\Program Files\Mozilla Firefox\plugin-container.exe[3180] USER32.dll!SetWindowLongW  7E37C2BB 5 Bytes  JMP 10677589 F:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  F:\Program Files\Mozilla Firefox\plugin-container.exe[3180] USER32.dll!GetWindowInfo  7E37C49C 5 Bytes  JMP 1044FE0A F:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  F:\Program Files\Mozilla Firefox\plugin-container.exe[3180] USER32.dll!TrackPopupMenu  7E3B531E 5 Bytes  JMP 104503C5 F:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

Device  \Driver\atapi -> DriverStartIo  \Device\Ide\IdePort0  8970F8B4
Device  \Driver\atapi -> DriverStartIo  \Device\Ide\IdePort1  8970F8B4
Device  \Driver\atapi -> DriverStartIo  \Device\Ide\IdeDeviceP0T1L0-c  8970F8B4

AttachedDevice  \FileSystem\Fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device  \Device\Ide\IdeDeviceP0T0L0-4 -> \??\IDE#DiskSAMSUNG_SP1654N_________________________BV100-45#30534547314a4c30313535323139202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}  device not found

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00025b00c255
Reg  HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00025b00c255 (not active ControlSet)

---- Files - GMER 1.0.15 ----

File  C:\WINDOWS\system32\DRIVERS\mouclass.sys  suspicious modification; TDL3 <-- ROOTKIT !!!

---- EOF - GMER 1.0.15 ----