GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-21 19:21:49
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0 WDC_WD16 rev.01.0
Running: yhy77shm.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pxtdipod.sys

---- System - GMER 1.0.15 ----

Code  \??\C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\catchme.sys  pIofCallDriver

---- Kernel code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xF6652380, 0x566465, 0xE8000020]
?      C:\WINDOWS\system32\Drivers\PROCEXP113.SYS  Nie można odnaleźć określonego pliku. !
?      C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\catchme.sys  Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\System32\svchost.exe[872] ntdll.dll!NtQueryInformationProcess  7C90E01B 5 Bytes  JMP 01A19DC4
.text  C:\WINDOWS\System32\svchost.exe[872] NETAPI32.dll!NetpwPathCanonicalize  6FF4A259 5 Bytes  JMP 01A19D64
.text  C:\WINDOWS\system32\svchost.exe[912] ntdll.dll!NtQueryInformationProcess  7C90E01B 5 Bytes  JMP 008D9DC4
.text  K:\firefox.exe[3668] ntdll.dll!LdrLoadDll  7C9161CA 5 Bytes  JMP 0116FA35 K:\xul.dll (Mozilla Foundation)
.text  K:\firefox.exe[3668] kernel32.dll!VirtualAlloc  7C809A81 5 Bytes  JMP 014107C5 K:\xul.dll (Mozilla Foundation)
.text  K:\firefox.exe[3668] kernel32.dll!MapViewOfFile  7C80B78D 5 Bytes  JMP 0141079E K:\xul.dll (Mozilla Foundation)
.text  K:\firefox.exe[3668] GDI32.dll!CreateDIBSection  77F19610 5 Bytes  JMP 01410728 K:\xul.dll (Mozilla Foundation)

---- Services - GMER 1.0.15 ----

Service  C:\WINDOWS\system32\09.tmp (*** hidden *** )  [MANUAL] wuhol  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\06.tmp (*** hidden *** )  [MANUAL] xkpga  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\0C.tmp (*** hidden *** )  [MANUAL] xndlut  <-- ROOTKIT !!!
Service  C:\WINDOWS\system32\02.tmp (*** hidden *** )  [MANUAL] zefdaj  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\ControlSet002\Services\ppmfwysn@DisplayName  Manager Update
Reg  HKLM\SYSTEM\ControlSet002\Services\ppmfwysn@Type  32
Reg  HKLM\SYSTEM\ControlSet002\Services\ppmfwysn@Start  2
Reg  HKLM\SYSTEM\ControlSet002\Services\ppmfwysn@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet002\Services\ppmfwysn@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet002\Services\ppmfwysn@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\ControlSet002\Services\ppmfwysn@Description  Zarządza zasadami zabezpieczeń IP i uruchamia sterownik ISAKMP/Oakley (IKE) i sterownik zabezpieczeń IP.
Reg  HKLM\SYSTEM\ControlSet002\Services\ppmfwysn\Parameters (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\ppmfwysn\Parameters@ServiceDll  C:\WINDOWS\system32\tycxonig.dll

---- EOF - GMER 1.0.15 ----