GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-15 21:46:14
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3 ST360015A rev.3.33
Running: wkobuogs.exe; Driver: H:\DOCUME~1\Greg\USTAWI~1\Temp\kgrdipod.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0xB2E2E004]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0xB2E2E0D4]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB2E2DD76]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xB2E2DE1E]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xB2E2DEBA]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB2E2DF56]

---- Kernel code sections - GMER 1.0.15 ----

.text H:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6D0B380, 0x2F2537, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text H:\Program Files\Mozilla Firefox\firefox.exe[1844] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0149A650 H:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text H:\Program Files\Mozilla Firefox\firefox.exe[1844] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 016D7E1A H:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text H:\Program Files\Mozilla Firefox\firefox.exe[1844] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 016D7DF7 H:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text H:\Program Files\Mozilla Firefox\firefox.exe[1844] kernel32.dll!ValidateLocale + B130 7C844958 7 Bytes JMP 0149EDB3 H:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text H:\Program Files\Mozilla Firefox\firefox.exe[1844] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 016D7D78 H:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT H:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[864] @ H:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00F92BC8] H:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT H:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[864] @ H:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!UnhandledExceptionFilter] [00F92CE9] H:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)
IAT H:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[864] @ H:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!TerminateProcess] [00F92CB8] H:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x98 0x36 0x3F 0x66 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x98 0x36 0x3F 0x66 ...

---- EOF - GMER 1.0.15 ----
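A way to triage a GMER report like the one above mechanically, as an added example that is not part of the post and not GMER's own code: the script below parses the entry types this log contains (SSDT hooks, writeable kernel code sections, user-mode inline hooks, IAT redirections, attached devices and registry entries), attributes every hook to the module GMER names as its owner, and lists what is left for a human to check. On this log every hook is owned by a module with a vendor description (AVG's avgidsshimx.sys/avgtdix.sys/avgidsfilterx.sys, Zone Labs' VSINIT.dll, Mozilla's own xul.dll patching Firefox), so the items that remain are the writeable code section in nv4_mini.sys (an NVIDIA display driver; verify the file's signature rather than assume) and the obfuscated Cfg key of the sptd service (SCSI Pass Through Direct, installed by disc-emulation software such as Daemon Tools). The regular expressions are written from the line shapes visible in this log; other entry kinds GMER can emit are an assumption not covered here and land in the "unparsed" bucket. SAMPLE_LOG is a constructed excerpt copied from the posted report.

```python
"""Triage helper for a GMER 1.0.15 text report.

Added example: not code from the forum post and not part of GMER.
Entry regexes are derived from the line shapes seen in the posted log;
any other GMER entry kind is reported as 'unparsed' (assumption).
"""
import re
from collections import defaultdict

# Constructed sample: an excerpt copied from the posted GMER report.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xB2E2DD76]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xB2E2DF56]

---- Kernel code sections - GMER 1.0.15 ----

.text H:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6D0B380, 0x2F2537, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text H:\Program Files\Mozilla Firefox\firefox.exe[1844] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0149A650 H:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text H:\Program Files\Mozilla Firefox\firefox.exe[1844] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 016D7E1A H:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT H:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[864] @ H:\WINDOWS\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [00F92BC8] H:\WINDOWS\system32\VSINIT.dll (TrueVector Service/Zone Labs, LLC)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x98 0x36 0x3F 0x66 ...

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
HEX = r"[0-9A-Fa-f]+"

# One regex per entry kind. GMER's "(description/vendor)" field never
# contains ')', so [^)]* captures it. Order matters: both '.text' kinds
# are tried in dict order.
ENTRY_PATTERNS = {
    "ssdt": re.compile(
        r"^SSDT\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)\s+\[(?P<addr>0x" + HEX + r")\]$"),
    "writeable_section": re.compile(
        r"^\.text\s+(?P<module>.+?)\s+section is writeable\s+\[(?P<info>[^\]]*)\]$"),
    "user_hook": re.compile(
        r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+(?P<dll>[^\s!]+)!(?P<func>\w+)"
        r"(?:\s+\+\s+(?P<off>" + HEX + r"))?\s+(?P<addr>" + HEX + r")\s+(?P<n>\d+) Bytes\s+JMP\s+"
        r"(?P<target>" + HEX + r")\s+(?P<module>.+?)\s+\((?P<vendor>[^)]*)\)$"),
    "iat": re.compile(
        r"^IAT\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+@\s+(?P<dll>.+?)\s+\[(?P<import>[^\]]+)\]\s+"
        r"\[(?P<addr>" + HEX + r")\]\s+(?P<module>.+?)\s+\((?P<vendor>[^)]*)\)$"),
    "attached_device": re.compile(
        r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<module>\S+)\s+\((?P<vendor>[^)]*)\)$"),
    # 'Reg <key>' optionally followed by '@<value> <data>' or a note in parentheses.
    "reg": re.compile(r"^Reg\s+(?P<key>\S+?)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$"),
}


def parse_gmer(text):
    """Return one dict per report line, tagged with its section and entry kind."""
    section, entries = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        for kind, pat in ENTRY_PATTERNS.items():
            m = pat.match(line)
            if m:
                entry = {"section": section, "kind": kind}
                entry.update({k: (v.strip() if v else v) for k, v in m.groupdict().items()})
                entries.append(entry)
                break
        else:
            entries.append({"section": section, "kind": "unparsed", "line": line})
    return entries


def basename(path):
    """Lower-cased file name of a Windows path, used as the module key."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def hooks_by_owner(entries):
    """Map each hooking module to the set of targets (syscalls, exports, devices) it hooks."""
    owners = defaultdict(set)
    for e in entries:
        if e["kind"] == "ssdt":
            owners[basename(e["module"])].add(e["func"])
        elif e["kind"] == "user_hook":
            owners[basename(e["module"])].add(e["dll"] + "!" + e["func"])
        elif e["kind"] == "iat":
            owners[basename(e["module"])].add(e["import"])
        elif e["kind"] == "attached_device":
            owners[basename(e["module"])].add(e["device"])
    return dict(owners)


def review_items(entries):
    """Entries GMER does not tie to a described module: the manual-review list.

    Writeable code sections and registry keys carry no vendor field, a hook
    with an empty vendor field has no description at all, and unparsed lines
    must not be silently dropped."""
    items = []
    for e in entries:
        if e["kind"] == "writeable_section":
            items.append("writeable code section in " + e["module"])
        elif e["kind"] == "reg" and e.get("value") is None:
            note = " (" + e["data"] + ")" if e.get("data") else ""
            items.append("registry key " + e["key"] + note)
        elif e["kind"] in ("ssdt", "user_hook", "iat", "attached_device") and not e["vendor"]:
            items.append(e["kind"] + " hook by undescribed module " + e["module"])
        elif e["kind"] == "unparsed":
            items.append("unparsed line: " + e["line"])
    return items


if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for module, targets in sorted(hooks_by_owner(parsed).items()):
        print(module, "->", ", ".join(sorted(targets)))
    print("needs manual review:")
    for item in review_items(parsed):
        print("  " + item)
```

Run it on the full report by reading the saved GMER text into `parse_gmer` instead of `SAMPLE_LOG`; the owner map is the quick sanity check (does every hooking module belong to software you know is installed?) and the review list is what you chase with a file hash or signature check.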