GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-16 12:10:20
Windows 5.1.2600 Dodatek Service Pack 3
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-19 WDC_WD2500JS-00MHB1 rev.10.02E01
Running: 76wjps9r.exe; Driver: C:\DOCUME~1\UKASZ~1\USTAWI~1\Temp\agacyfod.sys

---- System - GMER 1.0.15 ----

SSDT F7C20B1C ZwClose
SSDT F7C20AD6 ZwCreateKey
SSDT F7C20B26 ZwCreateSection
SSDT F7C20ACC ZwCreateThread
SSDT F7C20ADB ZwDeleteKey
SSDT F7C20AE5 ZwDeleteValueKey
SSDT F7C20B17 ZwDuplicateObject
SSDT F7C20AEA ZwLoadKey
SSDT F7C20AB8 ZwOpenProcess
SSDT F7C20ABD ZwOpenThread
SSDT F7C20AF4 ZwReplaceKey
SSDT F7C20AEF ZwRestoreKey
SSDT F7C20B2B ZwSetContextThread
SSDT F7C20AE0 ZwSetValueKey
SSDT F7C20AC7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 24EC 80501D14 4 Bytes JMP 8EF7C20A

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[528] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00F7C595 C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll (GG Network S.A.)
.text C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[528] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 0176D724 C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll (GG Network S.A.)
.text C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[528] kernel32.dll!MapViewOfFile 7C80B995 5 Bytes JMP 0176D76A C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll (GG Network S.A.)
.text C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[528] GDI32.dll!CreateDIBSection 77F19E09 5 Bytes JMP 0176D791 C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll (GG Network S.A.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2504] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 011D0C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2504] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 01407B4C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2504] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 01407B29 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2504] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 011D3FAC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2504] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 01407AAA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 61
Disk \Device\Harddisk0\DR0 PE file @ sector 488376000

---- EOF - GMER 1.0.15 ----
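The log above, parsed and triaged by an added Python example (this is not GMER's code and not part of the original post). The sample input is the log's own lines with the header shortened; the 512-byte sector size used to turn sector numbers into byte offsets, and the "target DLL under the process's own install directory" heuristic for separating application self-hooks from foreign hooks, are both assumptions of the example, not statements GMER makes.

```python
"""Parse a GMER 1.0.15 text log and triage what it reports.

Added example, not GMER's code nor the original poster's. SECTOR_BYTES and
the self-hook heuristic in triage() are assumptions: the log states neither.
"""
import ntpath
import re
from collections import Counter

# Constructed sample: the lines of the log above (header shortened), one per finding.
SAMPLE_LOG = r"""
GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-16 12:10:20
---- System - GMER 1.0.15 ----
SSDT F7C20B1C ZwClose
SSDT F7C20AD6 ZwCreateKey
SSDT F7C20B26 ZwCreateSection
SSDT F7C20ACC ZwCreateThread
SSDT F7C20ADB ZwDeleteKey
SSDT F7C20AE5 ZwDeleteValueKey
SSDT F7C20B17 ZwDuplicateObject
SSDT F7C20AEA ZwLoadKey
SSDT F7C20AB8 ZwOpenProcess
SSDT F7C20ABD ZwOpenThread
SSDT F7C20AF4 ZwReplaceKey
SSDT F7C20AEF ZwRestoreKey
SSDT F7C20B2B ZwSetContextThread
SSDT F7C20AE0 ZwSetValueKey
SSDT F7C20AC7 ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwCallbackReturn + 24EC 80501D14 4 Bytes JMP 8EF7C20A
---- User code sections - GMER 1.0.15 ----
.text C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[528] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00F7C595 C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll (GG Network S.A.)
.text C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[528] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 0176D724 C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll (GG Network S.A.)
.text C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[528] kernel32.dll!MapViewOfFile 7C80B995 5 Bytes JMP 0176D76A C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll (GG Network S.A.)
.text C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[528] GDI32.dll!CreateDIBSection 77F19E09 5 Bytes JMP 0176D791 C:\Documents and Settings\Łukasz\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll (GG Network S.A.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2504] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 011D0C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2504] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 01407B4C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2504] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 01407B29 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2504] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 011D3FAC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2504] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 01407AAA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
---- Disk sectors - GMER 1.0.15 ----
Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 61
Disk \Device\Harddisk0\DR0 PE file @ sector 488376000
---- EOF - GMER 1.0.15 ----
"""

SECTION = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
SSDT = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)$")
HOOK = re.compile(r"^\.text\s+(?P<where>.+?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes\s+JMP "
                  r"(?P<target>[0-9A-F]{8})(?:\s+(?P<module>.+?) \((?P<vendor>[^)]*)\))?$")
PROC = re.compile(r"^(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<symbol>.+)$")
DISK = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<what>.+?) @ sector (?P<sector>\d+)$")
SECTOR_BYTES = 512  # assumption: the log does not state the sector size


def parse_gmer(text):
    """Bucket the log into SSDT hooks, kernel patches, user-mode hooks and disk hits."""
    out = {"ssdt": [], "kernel": [], "user": [], "disk": []}
    for line in (l.strip() for l in text.splitlines() if l.strip()):
        if SECTION.match(line):
            continue  # each data line is self-describing, so headers are not needed
        if m := SSDT.match(line):
            out["ssdt"].append((int(m[1], 16), m[2]))
        elif m := HOOK.match(line):
            rec = m.groupdict()
            rec["addr"], rec["target"], rec["n"] = int(rec["addr"], 16), int(rec["target"], 16), int(rec["n"])
            if p := PROC.match(rec["where"]):  # "<image>[<pid>] <dll>!<export>": user-mode hook
                rec.update(image=p["image"], pid=int(p["pid"]), symbol=p["symbol"])
                out["user"].append(rec)
            else:  # no process prefix: an inline patch in a kernel image
                rec["symbol"] = rec["where"]
                out["kernel"].append(rec)
        elif m := DISK.match(line):
            out["disk"].append({"device": m["device"], "what": m["what"], "sector": int(m["sector"])})
    return out


def triage(parsed):
    """Reduce the parsed buckets to the questions an analyst asks first."""
    handlers = [addr for addr, _ in parsed["ssdt"]]
    # Heuristic (assumption): a hook whose target DLL lives under the hooked process's
    # own install directory looks like the application hooking itself; anything else,
    # or a hook GMER could not attribute to a module, deserves a closer look.
    foreign = [h for h in parsed["user"]
               if not (h["module"] or "").lower().startswith(ntpath.dirname(h["image"]).lower())]
    disk = [dict(d, byte_offset=d["sector"] * SECTOR_BYTES,
                 malicious="malicious" in d["what"].lower()) for d in parsed["disk"]]
    return {
        "ssdt_hooked": len(handlers),
        # Handlers packed into one small range all point into a single resident driver
        # that GMER did not name; dumping that range is the next step.
        "ssdt_handler_span": (min(handlers), max(handlers)) if handlers else None,
        "kernel_patches": [(h["symbol"], h["addr"], h["target"]) for h in parsed["kernel"]],
        "user_hooks_by_module": dict(Counter(h["module"] for h in parsed["user"] if h["module"])),
        "foreign_user_hooks": [(h["image"], h["pid"], h["symbol"]) for h in foreign],
        "disk_findings": disk,
        "mbr_malicious": any(d["malicious"] for d in disk),
    }


if __name__ == "__main__":
    print(triage(parse_gmer(SAMPLE_LOG)))
```

On this log the triage separates the two kinds of finding cleanly: all nine user-mode hooks resolve into a xul.dll that sits under the hooking application's own directory, so they land in the self-hook bucket rather than in `foreign_user_hooks`, while the fifteen SSDT entries share one small handler range with no named owner and the disk section carries GMER's own "malicious" verdict for sector 61. Those last two are what to pursue; the sector number times the assumed sector size gives the offset to read with a raw disk tool.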