GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-12-10 23:54:30
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-f Maxtor_6L120P0 rev.BAH41G10 114,50GB
Running: 9ct3l063.exe; Driver: C:\DOCUME~1\User\USTAWI~1\Temp\kwwcifoc.sys


---- System - GMER 2.1 ----

SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcess [0xF79E5CC6]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateProcessEx [0xF79E5CE0]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwCreateThread [0xF79E4E7C]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwLoadDriver [0xF79E51AC]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwMapViewOfSection [0xF79E4BBC]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwOpenSection [0xF79E55DE]
SSDT \??\C:\WINDOWS\system32\drivers\avgtpx86.sys (AVG Technologies) ZwQueryValueKey [0xF6E971D6]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwRenameKey [0xF79E687C]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSetSystemInformation [0xF79E542E]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendProcess [0xF79E4A3C]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSuspendThread [0xF79E4EB0]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwSystemDebugControl [0xF79E5032]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateProcess [0xF79E4996]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwTerminateThread [0xF79E4AF6]
SSDT \??\C:\Program Files\F-Secure\HIPS\drivers\fshs.sys (HIPS 32-bit kernel module/F-Secure Corporation) ZwWriteVirtualMemory [0xF79E4F76]

INT 0x62 ? 867CECC8
INT 0x73 ? 867D2CC8
INT 0x82 ? 867CECC8
INT 0x83 ? 86660CC8
INT 0xA4 ? 86660CC8
INT 0xB4 ? 86660CC8

Code fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation) IoCreateDevice

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4C14 12 Bytes [3C, 4A, 9E, F7, B0, 4E, 9E, ...]
PAGE ntoskrnl.exe!IoCreateDevice 805A1E50 5 Bytes JMP F7598FFA fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
.sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF7828346]
PAGENPNP NDIS.SYS!NdisRegisterProtocol F756917F 5 Bytes JMP F7598E0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisOpenAdapter F7569399 5 Bytes JMP F7599394 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisCloseAdapter F7573642 5 Bytes JMP F7598F18 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENPNP NDIS.SYS!NdisDeregisterProtocol F7573821 5 Bytes JMP F75991B0 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisReturnPackets F7576810 5 Bytes JMP F7599C0C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisRequest F757697B 5 Bytes JMP F75995AC fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSend F7579986 5 Bytes JMP F759A58C fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisSendPackets F75799A3 5 Bytes JMP F759A65E fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDSP NDIS.SYS!NdisTransferData F75799BE 5 Bytes JMP F7599D0A fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoCreateVc F7580186 5 Bytes JMP F7598E76 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoDeleteVc F7581557 5 Bytes JMP F7598EE4 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
PAGENDCO NDIS.SYS!NdisCoSendPackets F7581AF1 5 Bytes JMP F759A376 fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6FE9000, 0x1A51FA, 0xE8000020]
.text USBPORT.SYS!DllUnload F6F8C92A 5 Bytes JMP 866601D8
.text ap53q6oo.SYS!A0DB34FC6FE35D429A28ADDE5467D4D7 F6ECDCA0 48 Bytes [CB, 96, 75, 06, FA, 9A, F5, ...]
? C:\WINDOWS\System32\Drivers\ap53q6oo.SYS suspicious PE modification

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\loggingserver.exe[600] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01E5000C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\loggingserver.exe[600] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 01E5100C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\loggingserver.exe[600] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01E5200C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\loggingserver.exe[600] kernel32.dll!TerminateThread 7C81D233 5 Bytes JMP 01E5300C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\loggingserver.exe[600] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 01E5700C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\loggingserver.exe[600] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 01E5500C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\loggingserver.exe[600] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 01E5600C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\loggingserver.exe[600] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 01E5800C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\loggingserver.exe[600] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 01E5400C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\loggingserver.exe[600] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 01E5900C
.text C:\WINDOWS\system32\winlogon.exe[692] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D1000C
.text C:\WINDOWS\system32\winlogon.exe[692] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00D1100C
.text C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D1200C
.text C:\WINDOWS\system32\winlogon.exe[692] kernel32.dll!TerminateThread 7C81D233 5 Bytes JMP 00D1300C
.text C:\WINDOWS\system32\winlogon.exe[692] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00D1700C
.text C:\WINDOWS\system32\winlogon.exe[692] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00D1500C
.text C:\WINDOWS\system32\winlogon.exe[692] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00D1600C
.text C:\WINDOWS\system32\winlogon.exe[692] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00D1800C
.text C:\WINDOWS\system32\winlogon.exe[692] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00D1400C
.text C:\WINDOWS\system32\winlogon.exe[692] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00D1A00C
.text C:\WINDOWS\system32\winlogon.exe[692] ole32.dll!CoCreateInstanceEx 774EF17C 5 Bytes JMP 00D1900C
.text C:\WINDOWS\system32\lsass.exe[748] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0005000C
.text C:\WINDOWS\system32\lsass.exe[748] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0005100C
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0005200C
.text C:\WINDOWS\system32\lsass.exe[748] kernel32.dll!TerminateThread 7C81D233 5 Bytes JMP 0005300C
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0005700C
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0005500C
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0005600C
.text C:\WINDOWS\system32\lsass.exe[748] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0005800C
.text C:\WINDOWS\system32\lsass.exe[748] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0005400C
.text C:\WINDOWS\system32\lsass.exe[748] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0005A00C
.text C:\WINDOWS\system32\lsass.exe[748] ole32.dll!CoCreateInstanceEx 774EF17C 5 Bytes JMP 0005900C
.text C:\WINDOWS\system32\Ati2evxx.exe[916] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0251000C
.text C:\WINDOWS\system32\Ati2evxx.exe[916] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0251100C
.text C:\WINDOWS\system32\Ati2evxx.exe[916] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0251200C
.text C:\WINDOWS\system32\Ati2evxx.exe[916] kernel32.dll!TerminateThread 7C81D233 5 Bytes JMP 0251300C
.text C:\WINDOWS\system32\Ati2evxx.exe[916] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0251400C
.text C:\WINDOWS\system32\Ati2evxx.exe[916] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0251A00C
.text C:\WINDOWS\system32\Ati2evxx.exe[916] ole32.dll!CoCreateInstanceEx 774EF17C 5 Bytes JMP 0251900C
.text C:\WINDOWS\system32\Ati2evxx.exe[916] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0251700C
.text C:\WINDOWS\system32\Ati2evxx.exe[916] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0251500C
.text C:\WINDOWS\system32\Ati2evxx.exe[916] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0251600C
.text C:\WINDOWS\system32\Ati2evxx.exe[916] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0251800C
.text C:\WINDOWS\system32\Ati2evxx.exe[1296] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 00D6000C
.text C:\WINDOWS\system32\Ati2evxx.exe[1296] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 00D6100C
.text C:\WINDOWS\system32\Ati2evxx.exe[1296] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 00D6200C
.text C:\WINDOWS\system32\Ati2evxx.exe[1296] kernel32.dll!TerminateThread 7C81D233 5 Bytes JMP 00D6300C
.text C:\WINDOWS\system32\Ati2evxx.exe[1296] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 00D6400C
.text C:\WINDOWS\system32\Ati2evxx.exe[1296] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 00D6A00C
.text C:\WINDOWS\system32\Ati2evxx.exe[1296] ole32.dll!CoCreateInstanceEx 774EF17C 5 Bytes JMP 00D6900C
.text C:\WINDOWS\system32\Ati2evxx.exe[1296] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 00D6700C
.text C:\WINDOWS\system32\Ati2evxx.exe[1296] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 00D6500C
.text C:\WINDOWS\system32\Ati2evxx.exe[1296] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 00D6600C
.text C:\WINDOWS\system32\Ati2evxx.exe[1296] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 00D6800C
.text C:\Program Files\Java\jre7\bin\jqs.exe[1764] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 01C0000C
.text C:\Program Files\Java\jre7\bin\jqs.exe[1764] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 01C0100C
.text C:\Program Files\Java\jre7\bin\jqs.exe[1764] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 01C0200C
.text C:\Program Files\Java\jre7\bin\jqs.exe[1764] kernel32.dll!TerminateThread 7C81D233 5 Bytes JMP 01C0300C
.text C:\Program Files\Java\jre7\bin\jqs.exe[1764] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 01C0700C
.text C:\Program Files\Java\jre7\bin\jqs.exe[1764] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 01C0500C
.text C:\Program Files\Java\jre7\bin\jqs.exe[1764] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 01C0600C
.text C:\Program Files\Java\jre7\bin\jqs.exe[1764] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 01C0800C
.text C:\Program Files\Java\jre7\bin\jqs.exe[1764] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 01C0400C
.text C:\Program Files\Java\jre7\bin\jqs.exe[1764] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 01C0A00C
.text C:\Program Files\Java\jre7\bin\jqs.exe[1764] ole32.dll!CoCreateInstanceEx 774EF17C 5 Bytes JMP 01C0900C
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1856] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 023C000C
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1856] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 023C100C
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1856] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 023C200C
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1856] kernel32.dll!TerminateThread 7C81D233 5 Bytes JMP 023C300C
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1856] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 023C700C
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1856] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 023C500C
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1856] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 023C600C
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1856] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 023C800C
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1856] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 023C400C
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1856] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 023CA00C
.text C:\Program Files\Alcohol Soft\Alcohol 120\StarWind\StarWindServiceAE.exe[1856] ole32.dll!CoCreateInstanceEx 774EF17C 5 Bytes JMP 023C900C
.text C:\WINDOWS\Explorer.EXE[1972] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 02BA000C
.text C:\WINDOWS\Explorer.EXE[1972] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 02BA100C
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 02BA200C
.text C:\WINDOWS\Explorer.EXE[1972] kernel32.dll!TerminateThread 7C81D233 5 Bytes JMP 02BA300C
.text C:\WINDOWS\Explorer.EXE[1972] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 02BA700C
.text C:\WINDOWS\Explorer.EXE[1972] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 02BA500C
.text C:\WINDOWS\Explorer.EXE[1972] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 02BA600C
.text C:\WINDOWS\Explorer.EXE[1972] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 02BA800C
.text C:\WINDOWS\Explorer.EXE[1972] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 02BA400C
.text C:\WINDOWS\Explorer.EXE[1972] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 02BAA00C
.text C:\WINDOWS\Explorer.EXE[1972] ole32.dll!CoCreateInstanceEx 774EF17C 5 Bytes JMP 02BA900C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\ToolbarUpdater.exe[2008] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 0306000C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\ToolbarUpdater.exe[2008] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 0306100C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\ToolbarUpdater.exe[2008] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 0306200C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\ToolbarUpdater.exe[2008] kernel32.dll!TerminateThread 7C81D233 5 Bytes JMP 0306300C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\ToolbarUpdater.exe[2008] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 0306400C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\ToolbarUpdater.exe[2008] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 0306A00C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\ToolbarUpdater.exe[2008] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 0306700C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\ToolbarUpdater.exe[2008] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 0306500C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\ToolbarUpdater.exe[2008] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 0306600C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\ToolbarUpdater.exe[2008] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 0306800C
.text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\17.2.0\ToolbarUpdater.exe[2008] ole32.dll!CoCreateInstanceEx 774EF17C 5 Bytes JMP 0306900C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 003F000C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 003F100C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0182E210 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 003F200C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01FF22CD C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01FF22AA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] kernel32.dll!TerminateThread 7C81D233 5 Bytes JMP 003F300C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] kernel32.dll!ValidateLocale + B1C8 7C8449C8 7 Bytes JMP 01832C10 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003F400C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 01F0F425 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 003F900C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01FF222B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 003F700C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 003F500C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 003F600C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003F800C
.text C:\Program Files\Mozilla Firefox\firefox.exe[2788] ole32.dll!CoCreateInstanceEx 774EF17C 5 Bytes JMP 003FA00C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 012D000C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 012D100C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 012D200C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] kernel32.dll!TerminateThread 7C81D233 5 Bytes JMP 012D300C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 012D700C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 012D500C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 012D600C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 012D800C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 012D400C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 106112C8 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] USER32.dll!SetWindowLongA + 19 7E37C2B6 7 Bytes JMP 10611339 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 1061508F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 012DA00C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 1060EA7F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3748] ole32.dll!CoCreateInstanceEx 774EF17C 5 Bytes JMP 012D900C
.text C:\WINDOWS\notepad.exe[3836] ntdll.dll!NtCreateProcess 7C90D14E 3 Bytes JMP 0091000C
.text C:\WINDOWS\notepad.exe[3836] ntdll.dll!NtCreateProcess + 4 7C90D152 1 Byte [84]
.text C:\WINDOWS\notepad.exe[3836] ntdll.dll!NtCreateProcessEx 7C90D15E 3 Bytes JMP 0091100C
.text C:\WINDOWS\notepad.exe[3836] ntdll.dll!NtCreateProcessEx + 4 7C90D162 1 Byte [84]
.text C:\Documents and Settings\User\Pulpit\Skanowanie\9ct3l063.exe[4048] ntdll.dll!NtCreateProcess 7C90D14E 5 Bytes JMP 003D000C
.text C:\Documents and Settings\User\Pulpit\Skanowanie\9ct3l063.exe[4048] ntdll.dll!NtCreateProcessEx 7C90D15E 5 Bytes JMP 003D100C
.text C:\Documents and Settings\User\Pulpit\Skanowanie\9ct3l063.exe[4048] kernel32.dll!LoadLibraryExW 7C801AF5 5 Bytes JMP 003D200C
.text C:\Documents and Settings\User\Pulpit\Skanowanie\9ct3l063.exe[4048] kernel32.dll!TerminateThread 7C81D233 5 Bytes JMP 003D300C
.text C:\Documents and Settings\User\Pulpit\Skanowanie\9ct3l063.exe[4048] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 003D400C
.text C:\Documents and Settings\User\Pulpit\Skanowanie\9ct3l063.exe[4048] USER32.dll!DdeConnect 7E3A81C3 5 Bytes JMP 003D900C
.text C:\Documents and Settings\User\Pulpit\Skanowanie\9ct3l063.exe[4048] ADVAPI32.dll!CloseServiceHandle 77DD6CE5 5 Bytes JMP 003D700C
.text C:\Documents and Settings\User\Pulpit\Skanowanie\9ct3l063.exe[4048] ADVAPI32.dll!OpenServiceW 77DD6FFD 5 Bytes JMP 003D500C
.text C:\Documents and Settings\User\Pulpit\Skanowanie\9ct3l063.exe[4048] ADVAPI32.dll!ControlService 77DE4A09 5 Bytes JMP 003D600C
.text C:\Documents and Settings\User\Pulpit\Skanowanie\9ct3l063.exe[4048] ADVAPI32.dll!CreateServiceW 77E273A9 5 Bytes JMP 003D800C
.text C:\Documents and Settings\User\Pulpit\Skanowanie\9ct3l063.exe[4048] ole32.dll!CoCreateInstanceEx 774EF17C 5 Bytes JMP 003DA00C

---- Kernel IAT/EAT - GMER 2.1 ----

IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_ULONG] [F772E232] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!READ_PORT_UCHAR] [F772D730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\system32\DRIVERS\PCIIDEX.SYS[HAL.dll!WRITE_PORT_UCHAR] [F772DF12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_UCHAR] [F772D730] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_BUFFER_USHORT] [F772D914] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!READ_PORT_USHORT] [F772D856] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_BUFFER_USHORT] [F772E0F0] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT atapi.sys[HAL.dll!WRITE_PORT_UCHAR] [F772DF12] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \WINDOWS\system32\DRIVERS\SCSIPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 867D2308
IAT \SystemRoot\system32\DRIVERS\USBPORT.SYS[ntoskrnl.exe!DbgBreakPoint] 86660308
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [F7741F1E] sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs 8679D1F8
Device \FileSystem\Fastfat \FatCdrom 858121F8
Device \Driver\Tcpip \Device\Ip fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\NetBT \Device\NetBT_Tcpip_{B4471493-0386-4324-97C1-97D97E989D2A} 859D51F8
Device \Driver\usbuhci \Device\USBPDO-0 866151F8
Device \Driver\PCI_PNP6536 \Device\00000044 sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
Device \Driver\usbuhci \Device\USBPDO-1 866151F8
Device \Driver\usbuhci \Device\USBPDO-2 866151F8
Device \Driver\usbuhci \Device\USBPDO-3 866151F8
Device \Driver\usbehci \Device\USBPDO-4 865E61F8
Device \Driver\Tcpip \Device\Tcp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Cdrom \Device\CdRom0 865D6430
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 [F7697B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F7697B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7697B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7697B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f [F7697B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\Cdrom \Device\CdRom1 865D6430
Device \Driver\USBSTOR \Device\00000077 858181F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 859D51F8
Device \Driver\USBSTOR \Device\00000078 858181F8
Device \Driver\NetBT \Device\NetbiosSmb 859D51F8
Device \Driver\Tcpip \Device\Udp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\Tcpip \Device\RawIp fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\usbuhci \Device\USBFDO-0 866151F8
Device \Driver\usbuhci \Device\USBFDO-1 866151F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 859C31F8
Device \Driver\Tcpip \Device\IPMULTICAST fsdfw.sys (F-Secure Internet Shield Driver/F-Secure Corporation)
Device \Driver\usbuhci \Device\USBFDO-2 866151F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 859C31F8
Device \Driver\usbuhci \Device\USBFDO-3 866151F8
Device \Driver\usbehci \Device\USBFDO-4 865E61F8
Device \Driver\JRAID \Device\Scsi\JRAID1Port2Path0Target1cLun0 8679E1F8
Device \Driver\JRAID \Device\Scsi\JRAID1 8679E1F8
Device \Driver\ap53q6oo \Device\Scsi\ap53q6oo1 865CB430
Device \Driver\ap53q6oo \Device\Scsi\ap53q6oo1Port3Path0Target0Lun0 865CB430
Device \FileSystem\Fastfat \Fat 858121F8
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \FileSystem\Cdfs \Cdfs 859A01F8

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE1 0x04 0x50 0xBE ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xB7 0x5F 0x74 0x45 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0F 0x14 0xCC 0x1A ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE8 0x86 0xDA 0x29 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xE1 0x04 0x50 0xBE ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0xB7 0x5F 0x74 0x45 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x0F 0x14 0xCC 0x1A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xE8 0x86 0xDA 0x29 ...

---- EOF - GMER 2.1 ----