GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-06-11 18:19:54 Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD502HI rev.1AG01118 Running: 07gc6h7p.exe; Driver: C:\Users\Joanna\AppData\Local\Temp\pgloqpod.sys ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[384] ntdll.dll!LdrLoadDll 770079B3 5 Bytes JMP 01121410 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1968] kernel32.dll!SetUnhandledExceptionFilter 76A4700D 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3068] kernel32.dll!SetUnhandledExceptionFilter 76A4700D 5 Bytes JMP 610E5B49 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation) .text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[3068] ole32.dll!OleLoadFromStream 76EA9794 5 Bytes JMP 61400DB5 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4388] USER32.dll!GetWindowInfo 76E00560 5 Bytes JMP 66C07187 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4388] USER32.dll!SetWindowLongA 76E00736 5 Bytes JMP 66DD8DD9 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4388] USER32.dll!SetWindowLongW 76E01F35 5 Bytes JMP 66DD8D6B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\plugin-container.exe[4388] USER32.dll!TrackPopupMenu 76E11417 5 Bytes JMP 66C07781 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [740288B4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [740698A5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7402B9D4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7401FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74027A79] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7401EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7405B17D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7402BC9A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7402074E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [740206B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [740171B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [740AD848] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74047379] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7401E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7401697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740169A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[2380] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74022465] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18175_none_9e7bbe54c9c04bca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET) AttachedDevice \Driver\tdx \Device\Tcp epfwtdir.sys ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x41 0x62 0xDB 0x47 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x41 0x62 0xDB 0x47 ... ---- EOF - GMER 1.0.15 ----