GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-12-10 21:43:15
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdePort2 SAMSUNG_SP0812C rev.SU100-34
Running: kosx4rhj.exe; Driver: C:\DOCUME~1\user\USTAWI~1\Temp\aflirfow.sys


---- System - GMER 1.0.15 ----

SSDT 81B45C90 ZwAssignProcessToJobObject
SSDT 81B46200 ZwDebugActiveProcess
SSDT 81B462F0 ZwDuplicateObject
SSDT 81B45590 ZwOpenProcess
SSDT 81B45800 ZwOpenThread
SSDT 81B45FD0 ZwProtectVirtualMemory
SSDT 81B460E0 ZwQueueApcThread
SSDT 81B45EC0 ZwSetContextThread
SSDT 81B45D90 ZwSetInformationThread
SSDT 81B42DA0 ZwSetSecurityObject
SSDT 81B45B90 ZwSuspendProcess
SSDT 81B45A80 ZwSuspendThread
SSDT 81B456E0 ZwTerminateProcess
SSDT 81B45A50 ZwTerminateThread
SSDT 81B466D0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xAA3BCF00, 0x24000, 0x48000000]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\System32\svchost.exe[1044] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00AE000A
.text C:\WINDOWS\System32\svchost.exe[1044] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00AF000A
.text C:\WINDOWS\System32\svchost.exe[1044] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00AD000C
.text C:\WINDOWS\System32\svchost.exe[1044] USER32.dll!GetCursorPos 7E36BD5E 5 Bytes JMP 008C000A
.text C:\WINDOWS\System32\svchost.exe[1044] ole32.dll!CoCreateInstance 774F057E 5 Bytes JMP 00C9000A
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1560] kernel32.dll!SetUnhandledExceptionFilter 7C84480D 4 Bytes [C2, 04, 00, 00]
.text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 00FD000A
.text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 00FE000A
.text C:\WINDOWS\Explorer.EXE[1728] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 00D8000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2924] ntdll.dll!NtProtectVirtualMemory 7C90DEB6 5 Bytes JMP 016A000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2924] ntdll.dll!NtWriteVirtualMemory 7C90EA32 5 Bytes JMP 016B000A
.text C:\Program Files\Mozilla Firefox\firefox.exe[2924] ntdll.dll!KiUserExceptionDispatcher 7C90EAEC 5 Bytes JMP 0169000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3312] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3368] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)

Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8232239B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8232239B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8232239B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8232239B
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP0T1L0-3 8232239B

AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

Device \Device\Ide\IdeDeviceP2T0L0-e -> \??\IDE#DiskSAMSUNG_SP0812C_________________________SU100-34#30535531314a5930333530383838202020202020#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x85 0x73 0xC1 0xDB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA6 0xF0 0x4F 0x9C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE6 0x12 0x6D 0x5F ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 2
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x85 0x73 0xC1 0xDB ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA6 0xF0 0x4F 0x9C ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xE6 0x12 0x6D 0x5F ...

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 10: rootkit-like behavior;
Disk \Device\Harddisk0\DR0 sector 63: rootkit-like behavior;

---- EOF - GMER 1.0.15 ----