GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-24 14:25:42
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS543225L9A300 rev.FBEOC40C
Running: 80ooppe3.exe; Driver: D:\DOCUME~1\MATEUSZ\USTAWI~1\Temp\pxtdypow.sys


---- System - GMER 1.0.15 ----

SSDT  BA7D54A4  ZwClose
SSDT  BA7D545E  ZwCreateKey
SSDT  BA7D54AE  ZwCreateSection
SSDT  BA7D5454  ZwCreateThread
SSDT  BA7D5463  ZwDeleteKey
SSDT  BA7D546D  ZwDeleteValueKey
SSDT  BA7D549F  ZwDuplicateObject
SSDT  BA7D5472  ZwLoadKey
SSDT  BA7D5440  ZwOpenProcess
SSDT  BA7D5445  ZwOpenThread
SSDT  BA7D54C7  ZwQueryValueKey
SSDT  BA7D547C  ZwReplaceKey
SSDT  BA7D54B8  ZwRequestWaitReplyPort
SSDT  BA7D5477  ZwRestoreKey
SSDT  BA7D54B3  ZwSetContextThread
SSDT  BA7D54BD  ZwSetSecurityObject
SSDT  BA7D5468  ZwSetValueKey
SSDT  BA7D54C2  ZwSystemDebugControl
SSDT  BA7D544F  ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text                 D:\WINDOWS\system32\DRIVERS\ati2mtag.sys  section is writeable [0xB9539000, 0x188AF6, 0xE8000020]
.text                 D:\WINDOWS\system32\drivers\hardlock.sys  section is writeable [0xA9E79400, 0x7960C, 0xE8000020]
.protectÿÿÿÿhardlock  D:\WINDOWS\system32\drivers\hardlock.sys  entry point in ".protectÿÿÿÿhardlock" section [0xA9F1B420]
.protectÿÿÿÿhardlock  D:\WINDOWS\system32\drivers\hardlock.sys  unknown last code section [0xA9F1B200, 0x5049, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text  D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!DefWindowProcA + 11A        7E37C298 7 Bytes  JMP 1067C453 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!SetWindowLongA + 19         7E37C2B6 7 Bytes  JMP 1067C3E2 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!GetWindowInfo               7E37C49C 5 Bytes  JMP 1043BACC D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  D:\Program Files\Mozilla Firefox\plugin-container.exe[1956] USER32.dll!GetMenuContextHelpId + 1A   7E3B5319 7 Bytes  JMP 1043C0F9 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  D:\Program Files\Mozilla Firefox\firefox.exe[2608] ntdll.dll!LdrLoadDll                            7C9163A3 5 Bytes  JMP 011BB52A D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  D:\Program Files\Mozilla Firefox\firefox.exe[2608] kernel32.dll!lstrlenW + 43                      7C809ADC 7 Bytes  JMP 0146B6F5 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  D:\Program Files\Mozilla Firefox\firefox.exe[2608] kernel32.dll!MapViewOfFileEx + 6A               7C80B990 7 Bytes  JMP 0146B6D2 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  D:\Program Files\Mozilla Firefox\firefox.exe[2608] kernel32.dll!MoveFileExW                        7C835673 6 Bytes  JMP 01FF12B1 D:\Program Files\Common Files\Spigot\Search Settings\wth.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text  D:\Program Files\Mozilla Firefox\firefox.exe[2608] GDI32.dll!SetDIBitsToDevice + 209               77F19E04 7 Bytes  JMP 0146B653 D:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \FileSystem\Fastfat \Fat                 fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library  c:\windows\system32\n (*** hidden *** )  @ D:\WINDOWS\Explorer.EXE [200] 0x45670000
Library  c:\windows\system32\n (*** hidden *** )  @ D:\WINDOWS\System32\svchost.exe [1180] 0x45670000

---- Registry - GMER 1.0.15 ----

Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.@jpg\0\x2d9\x2d9\x2d9\x2d9Û\1\x2018|ÉÃÁwN\0_\0a\0u\0t\0o\0_\0f\0i\0l\0e

---- EOF - GMER 1.0.15 ----