GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-10-21 12:47:54 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800BB-00JHC0 rev.05.01C05 74,53GB Running: zc4h2uwf.exe; Driver: C:\DOCUME~1\Zosia\USTAWI~1\Temp\pwpdaaow.sys ---- System - GMER 2.1 ---- SSDT F7C5ED5C ZwClose SSDT F7C5ED16 ZwCreateKey SSDT F7C5ED66 ZwCreateSection SSDT F7C5ED0C ZwCreateThread SSDT F7C5ED1B ZwDeleteKey SSDT F7C5ED25 ZwDeleteValueKey SSDT F7C5ED57 ZwDuplicateObject SSDT F7C5ED2A ZwLoadKey SSDT F7C5ECF8 ZwOpenProcess SSDT F7C5ECFD ZwOpenThread SSDT F7C5ED7F ZwQueryValueKey SSDT F7C5ED34 ZwReplaceKey SSDT F7C5ED70 ZwRequestWaitReplyPort SSDT F7C5ED2F ZwRestoreKey SSDT F7C5ED6B ZwSetContextThread SSDT F7C5ED75 ZwSetSecurityObject SSDT F7C5ED20 ZwSetValueKey SSDT F7C5ED7A ZwSystemDebugControl SSDT F7C5ED07 ZwTerminateProcess INT 0x62 ? 82FDBCB8 INT 0x63 ? 82D51F00 INT 0x73 ? 82D51F00 INT 0x83 ? 82D51F00 ---- Kernel code sections - GMER 2.1 ---- .sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF74DFCF2] .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF54C6000, 0x1C5D38, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text D:\mozilla\firefox.exe[128] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 015EDFF0 D:\mozilla\xul.dll .text D:\mozilla\firefox.exe[128] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 01D79796 D:\mozilla\xul.dll .text D:\mozilla\firefox.exe[128] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 01D79773 D:\mozilla\xul.dll .text D:\mozilla\firefox.exe[128] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 015F5F1A D:\mozilla\xul.dll .text D:\mozilla\firefox.exe[128] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 01D796F4 D:\mozilla\xul.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 82FDA1F8 Device \Driver\usbohci \Device\USBPDO-0 82E7D1F8 Device \Driver\usbohci \Device\USBPDO-1 82E7D1F8 Device \Driver\usbehci \Device\USBPDO-2 82D461F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{02084701-7957-48C3-BB20-5D99C22B9CDD} 82CDE440 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F73A8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F73A8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F73A8B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 82CDE440 Device \Driver\NetBT \Device\NetbiosSmb 82CDE440 Device \Driver\usbohci \Device\USBFDO-0 82E7D1F8 Device \Driver\usbohci \Device\USBFDO-1 82E7D1F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 82D6A440 Device \Driver\usbehci \Device\USBFDO-2 82D461F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 82D6A440 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0xEA 0xB2 0x4E ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x40 0xEA 0xB2 0x4E ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 C:\Program Files\DAEMON Tools\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x74 0x40 0xA5 0x5A ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh 0xF0 0xF7 0x87 0xAC ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh 0x8E 0x40 0x18 0xBE ... ---- EOF - GMER 2.1 ----