GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-05 22:03:40
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\0000006d SAMSUNG_HD502HJ rev.1AJ100E4
Running: d75f8w0d.exe; Driver: C:\DOCUME~1\1\USTAWI~1\Temp\kgriqaoc.sys

---- System - GMER 1.0.15 ----

SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xB9E54D3A]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xB9E23C0C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xB9E23ED4]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xB9E55634]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xB9E5594C]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xB9E53EBE]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xB9E55E16]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xB9E5509A]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwTerminateProcess [0xB9E2380A]

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8CF9000, 0x21F557, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA8A57300, 0x3B6D8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xBA4A0300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1360] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 1044FE0A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[1360] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 104503C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01269720 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 0149E21B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] kernel32.dll!MapViewOfFile 7C80B995 5 Bytes JMP 0149E1F4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 0349DC86
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] USER32.dll!DrawTextExW 7E37B415 5 Bytes JMP 0349EED3
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] USER32.dll!DrawTextW 7E37D7E2 5 Bytes JMP 0349ED11
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] USER32.dll!SetClipboardData 7E380F9E 5 Bytes JMP 0349E987
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] USER32.dll!DrawTextA 7E38C702 5 Bytes JMP 0349EC36
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] USER32.dll!DrawTextExA 7E38C739 5 Bytes JMP 0349EDEC
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] GDI32.dll!TextOutW 77F17EAC 5 Bytes JMP 0349EB6A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] GDI32.dll!ExtTextOutW 77F18086 5 Bytes JMP 0349F09E
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] GDI32.dll!CreateDIBSection 77F19E09 5 Bytes JMP 0149E17E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] GDI32.dll!TextOutA 77F1BA3F 5 Bytes JMP 0349EA9E
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] GDI32.dll!ExtTextOutA 77F1D3EA 5 Bytes JMP 0349EFBA
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] GDI32.dll!GetGlyphIndicesA 77F3DD2B 5 Bytes JMP 0349F45E
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] GDI32.dll!GetGlyphIndicesW 77F52111 5 Bytes JMP 0349F52B
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] WS2_32.dll!getaddrinfo 71A52A6F 5 Bytes JMP 0349D7D7
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] WS2_32.dll!closesocket 71A53E2B 5 Bytes JMP 0349E8E0
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] WS2_32.dll!send 71A54C27 5 Bytes JMP 0349E455
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] WS2_32.dll!WSARecv 71A54CB5 5 Bytes JMP 0349E67C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] WS2_32.dll!gethostbyname 71A55355 5 Bytes JMP 0349D716
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] WS2_32.dll!recv 71A5676F 5 Bytes JMP 0349E4FA
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] WS2_32.dll!WSASend 71A568FA 5 Bytes JMP 0349E5A8
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] WS2_32.dll!WSAAsyncGetHostByName 71A5E99D 5 Bytes JMP 0349DBA7
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] WININET.dll!InternetCrackUrlA 771B7549 5 Bytes JMP 0349F7F1
.text C:\Program Files\Mozilla Firefox\firefox.exe[2516] WININET.dll!InternetCrackUrlW 771E9C6E 5 Bytes JMP 0349F93A

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device tsk2.tmp (Windows NT SMB Minirdr/Microsoft Corporation)
Device InCDfs.SYS (InCD File System Driver/Ahead Software AG)
Device Cdfs.SYS (CD-ROM File System Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Documents and Settings\1\Pulpit\Nowy folder\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x89 0xAD 0xFB 0x23 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x37 0xB9 0x53 0x93 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8B 0xB1 0x55 0x0B ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x14 0x60 0x86 0x14 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Documents and Settings\1\Pulpit\Nowy folder\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x89 0xAD 0xFB 0x23 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x37 0xB9 0x53 0x93 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x8B 0xB1 0x55 0x0B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x14 0x60 0x86 0x14 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...

---- EOF - GMER 1.0.15 ----