GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-16 22:25:16
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FBEO
Running: dy6eingq.exe; Driver: C:\Users\Emil\AppData\Local\Temp\kwldapod.sys


---- System - GMER 1.0.15 ----

INT 0x52 ? 87B89F00
INT 0x62 ? 87B89F00
INT 0x72 ? 85F2ABF8
INT 0x72 ? 87B89F00
INT 0x72 ? 87B89F00
INT 0x72 ? 85F2ABF8
INT 0x82 ? 87B89F00
INT 0xA2 ? 87B89F00
INT 0xA2 ? 85597BF8
INT 0xA2 ? 85597BF8
INT 0xA2 ? 85597BF8
INT 0xA2 ? 85597BF8
INT 0xA2 ? 87B89F00
INT 0xA2 ? 87B89F00

---- Kernel code sections - GMER 1.0.15 ----

? System32\Drivers\splb.sys System nie może odnaleźć określonej ścieżki. !
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F406320, 0x3E4E87, 0xE8000020]
.text USBPORT.SYS!DllUnload 8B1DB41B 5 Bytes JMP 87B894E0

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3752] ntdll.dll!LdrLoadDll 77099390 5 Bytes JMP 00DD13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3752] WS2_32.dll!connect 768440D9 5 Bytes JMP 03A52850 C:\Program Files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabKernel.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3752] WS2_32.dll!WSASend 76844496 5 Bytes JMP 03A53CD0 C:\Program Files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabKernel.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3752] WS2_32.dll!WSARecv 76848400 5 Bytes JMP 03A541B0 C:\Program Files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabKernel.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3752] WS2_32.dll!WSAConnect 7684D7B0 5 Bytes JMP 03A52A50 C:\Program Files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabKernel.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [806966D6] \SystemRoot\System32\Drivers\splb.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [80696042] \SystemRoot\System32\Drivers\splb.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [80696800] \SystemRoot\System32\Drivers\splb.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [806960C0] \SystemRoot\System32\Drivers\splb.sys
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8069613E] \SystemRoot\System32\Drivers\splb.sys
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [806A5B90] \SystemRoot\System32\Drivers\splb.sys

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73E17817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73E6A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73E1BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73E0F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73E175E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73E0E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73E48395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73E1DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73E0FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73E0FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73E071CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73E9CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73E3C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73E0D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73E06853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73E0687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[504] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73E12AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [73E17817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [73E6A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73E1BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73E0F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [73E175E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73E0E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73E48395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream] [73E1DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [73E0FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [73E0FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [73E071CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM] [73E9CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipLoadImageFromFile] [73E3C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73E0D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [73E06853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [73E0687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[2276] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73E12AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18005_none_9e50b396ca17ae07\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 85F4D1F8
Device \FileSystem\fastfat \FatCdrom 88AC91F8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)
Device \Driver\volmgr \Device\VolMgrControl 85F281F8
Device \Driver\netbt \Device\NetBT_Tcpip_{6F333765-C4DF-409D-9CE9-B2CB1868750F} 8898C500
Device \Driver\usbuhci \Device\USBPDO-0 87C5B1F8
Device \Driver\usbuhci \Device\USBPDO-1 87C5B1F8
Device \Driver\usbehci \Device\USBPDO-2 87BC11F8
Device \Driver\usbuhci \Device\USBPDO-3 87C5B1F8
Device \Driver\netbt \Device\NetBT_Tcpip_{0A17280D-2BF3-4F41-B9A8-AACDF630069F} 8898C500
Device \Driver\usbuhci \Device\USBPDO-4 87C5B1F8
AttachedDevice \Driver\tdx \Device\Tcp Lbd.sys (Boot Driver/Lavasoft AB)
Device \Driver\usbuhci \Device\USBPDO-5 87C5B1F8
Device \Driver\usbuhci \Device\USBPDO-6 87C5B1F8
Device \Driver\volmgr \Device\HarddiskVolume1 85F281F8
Device \Driver\usbehci \Device\USBPDO-7 87BC11F8
Device \Driver\volmgr \Device\HarddiskVolume2 85F281F8
Device \Driver\cdrom \Device\CdRom0 87D43500
Device \Driver\iaStor \Device\Ide\iaStor0 [8AC48EB0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-0 [8AC48EB0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\iaStor \Device\Ide\IAAStorageDevice-1 [8AC48EB0] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\volmgr \Device\HarddiskVolume3 85F281F8
Device \Driver\BTHUSB \Device\000000b1 bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation)
Device \Driver\volmgr \Device\HarddiskVolume4 85F281F8
Device \FileSystem\fastfat \Fat 88AC91F8
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)
Device \FileSystem\cdfs \Cdfs 897FB500

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186bd7916
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186bd7916@d488905743ca 0x46 0x60 0xB3 0xBF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0xC9 0xFC 0x49 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186bd7916 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186bd7916@d488905743ca 0x46 0x60 0xB3 0xBF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDA 0xC9 0xFC 0x49 ...

---- Files - GMER 1.0.15 ----

File C:\Users\Emil\AppData\Local\Google\Chrome\User Data\Safe Browsing Bloom_new 0 bytes

---- EOF - GMER 1.0.15 ----