GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-12-08 23:27:13
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST9160821AS rev.3.ALC
Running: 8c3qcdn5.exe; Driver: C:\DOCUME~1\OLA~1.OLA\USTAWI~1\Temp\afrcqfod.sys

---- System - GMER 1.0.15 ----

SSDT  BA728884  ZwClose
SSDT  BA72883E  ZwCreateKey
SSDT  BA72888E  ZwCreateSection
SSDT  BA728834  ZwCreateThread
SSDT  BA728843  ZwDeleteKey
SSDT  BA72884D  ZwDeleteValueKey
SSDT  BA72887F  ZwDuplicateObject
SSDT  BA728852  ZwLoadKey
SSDT  BA728820  ZwOpenProcess
SSDT  BA728825  ZwOpenThread
SSDT  BA72885C  ZwReplaceKey
SSDT  BA728857  ZwRestoreKey
SSDT  BA728893  ZwSetContextThread
SSDT  BA728848  ZwSetValueKey
SSDT  BA72882F  ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text                 C:\WINDOWS\system32\drivers\hardlock.sys  section is writeable [0xAC47C400, 0x7A186, 0xE8000020]
.protect˙˙˙˙hardlock  C:\WINDOWS\system32\drivers\hardlock.sys  entry point in ".protect˙˙˙˙hardlock" section [0xAC51AA20]
.protect˙˙˙˙hardlock  C:\WINDOWS\system32\drivers\hardlock.sys  unknown last code section [0xAC51A800, 0x5041, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\Programy\Mozilla Firefox\firefox.exe[3728] ntdll.dll!LdrLoadDll              7C91632D 5 Bytes  JMP 01495B00 C:\Programy\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Programy\Mozilla Firefox\firefox.exe[3728] kernel32.dll!lstrlenW + 43        7C809AEC 7 Bytes  JMP 016D7B58 C:\Programy\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Programy\Mozilla Firefox\firefox.exe[3728] kernel32.dll!MapViewOfFileEx + 6A  7C80B9A0 1 Byte  [E9]
.text  C:\Programy\Mozilla Firefox\firefox.exe[3728] kernel32.dll!MapViewOfFileEx + 6A  7C80B9A0 7 Bytes  JMP 016D7B35 C:\Programy\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Programy\Mozilla Firefox\firefox.exe[3728] kernel32.dll!ValidateLocale + B130  7C844958 7 Bytes  JMP 0149EF12 C:\Programy\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Programy\Mozilla Firefox\firefox.exe[3728] GDI32.dll!SetDIBitsToDevice + 20A  77F19E14 7 Bytes  JMP 016D7AB6 C:\Programy\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Fastfat \Fat  fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0      0
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12   0x52 0xAA 0x0E 0x0B ...

---- EOF - GMER 1.0.15 ----