GMER 1.0.15.15570 - http://www.gmer.net Rootkit scan 2011-03-31 23:11:42 Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Scsi\nvgts1Port2Path0Target0Lun0 SAMSUNG_ rev.CP10 Running: t83ey5v3.exe; Driver: C:\DOCUME~1\ANTY~1.CHW\USTAWI~1\Temp\kfndyaog.sys ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB751A360, 0x3D46A5, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\winlogon.exe[712] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 01D9BEC8 .text C:\WINDOWS\system32\winlogon.exe[712] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 01D9BEB3 .text C:\WINDOWS\system32\winlogon.exe[712] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 01D9BEAC .text C:\WINDOWS\system32\winlogon.exe[712] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 01D9BCC8 .text C:\WINDOWS\system32\winlogon.exe[712] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 01D9BCC1 .text C:\WINDOWS\system32\winlogon.exe[712] kernel32.dll!SearchPathW 7C80E6EC 5 Bytes JMP 01D9BEC1 .text C:\WINDOWS\system32\winlogon.exe[712] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 01D9BECF .text C:\WINDOWS\system32\winlogon.exe[712] kernel32.dll!ExitProcess 7C81CDEA 5 Bytes JMP 01D9BB2C .text C:\WINDOWS\system32\winlogon.exe[712] kernel32.dll!SearchPathA 7C8217FA 5 Bytes JMP 01D9BEBA .text C:\WINDOWS\system32\services.exe[756] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00E2BEC8 .text C:\WINDOWS\system32\services.exe[756] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00E2BEB3 .text C:\WINDOWS\system32\services.exe[756] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00E2BEAC .text C:\WINDOWS\system32\services.exe[756] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00E2BCC8 .text C:\WINDOWS\system32\services.exe[756] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00E2BCC1 .text C:\WINDOWS\system32\services.exe[756] kernel32.dll!SearchPathW 7C80E6EC 5 Bytes JMP 00E2BEC1 .text C:\WINDOWS\system32\services.exe[756] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00E2BECF .text C:\WINDOWS\system32\services.exe[756] kernel32.dll!ExitProcess 7C81CDEA 5 Bytes JMP 00E2BB2C .text C:\WINDOWS\system32\services.exe[756] kernel32.dll!SearchPathA 7C8217FA 5 Bytes JMP 00E2BEBA .text C:\WINDOWS\system32\lsass.exe[768] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 00DBBEC8 .text C:\WINDOWS\system32\lsass.exe[768] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 00DBBEB3 .text C:\WINDOWS\system32\lsass.exe[768] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 00DBBEAC .text C:\WINDOWS\system32\lsass.exe[768] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 00DBBCC8 .text C:\WINDOWS\system32\lsass.exe[768] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 00DBBCC1 .text C:\WINDOWS\system32\lsass.exe[768] kernel32.dll!SearchPathW 7C80E6EC 5 Bytes JMP 00DBBEC1 .text C:\WINDOWS\system32\lsass.exe[768] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 00DBBECF .text C:\WINDOWS\system32\lsass.exe[768] kernel32.dll!ExitProcess 7C81CDEA 5 Bytes JMP 00DBBB2C .text C:\WINDOWS\system32\lsass.exe[768] kernel32.dll!SearchPathA 7C8217FA 5 Bytes JMP 00DBBEBA .text C:\WINDOWS\system32\nvsvc32.exe[920] kernel32.dll!CreateFileA 7C801A24 5 Bytes JMP 0093BEC8 .text C:\WINDOWS\system32\nvsvc32.exe[920] kernel32.dll!LoadLibraryExW 7C801AF1 5 Bytes JMP 0093BEB3 .text C:\WINDOWS\system32\nvsvc32.exe[920] kernel32.dll!LoadLibraryExA 7C801D4F 5 Bytes JMP 0093BEAC .text C:\WINDOWS\system32\nvsvc32.exe[920] kernel32.dll!CreateProcessW 7C802332 5 Bytes JMP 0093BCC8 .text C:\WINDOWS\system32\nvsvc32.exe[920] kernel32.dll!CreateProcessA 7C802367 5 Bytes JMP 0093BCC1 .text C:\WINDOWS\system32\nvsvc32.exe[920] kernel32.dll!SearchPathW 7C80E6EC 5 Bytes JMP 0093BEC1 .text C:\WINDOWS\system32\nvsvc32.exe[920] kernel32.dll!CreateFileW 7C810770 5 Bytes JMP 0093BECF .text C:\WINDOWS\system32\nvsvc32.exe[920] kernel32.dll!ExitProcess 7C81CDEA 5 Bytes JMP 0093BB2C .text C:\WINDOWS\system32\nvsvc32.exe[920] kernel32.dll!SearchPathA 7C8217FA 5 Bytes JMP 0093BEBA .text C:\Program Files\Mozilla Firefox\firefox.exe[2896] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC4 0x99 0x65 0xD7 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x36 0x7A 0xF9 0x0E ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC4 0x99 0x65 0xD7 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x36 0x7A 0xF9 0x0E ... ---- Disk sectors - GMER 1.0.15 ---- Disk \Device\Harddisk0\DR0 PE file @ sector 625121280 ---- EOF - GMER 1.0.15 ----