GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-24 18:43:43
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600BEVT-22ZCT0 rev.11.01A11 149,05GB
Running: yfcx76se.exe; Driver: C:\DOCUME~1\Kuba\USTAWI~1\Temp\pxriypoc.sys

---- User code sections - GMER 2.1 ----

.text	D:\Origin\Origin.exe[628]	kernel32.dll!CreateFileW	7C8107F0	5 Bytes	JMP 103B9740	D:\Origin\OriginClient.dll
.text	D:\Origin\Origin.exe[628]	USER32.dll!ShowWindowAsync	7E37337D	5 Bytes	JMP 103B8DE0	D:\Origin\OriginClient.dll
.text	D:\Origin\Origin.exe[628]	USER32.dll!SetForegroundWindow	7E3742ED	5 Bytes	JMP 103B8D50	D:\Origin\OriginClient.dll
.text	D:\Origin\Origin.exe[628]	USER32.dll!SetActiveWindow	7E377822	5 Bytes	JMP 103B8F00	D:\Origin\OriginClient.dll
.text	D:\Origin\Origin.exe[628]	USER32.dll!SetWindowPos	7E3799F3	5 Bytes	JMP 103B8EB0	D:\Origin\OriginClient.dll
.text	D:\Origin\Origin.exe[628]	USER32.dll!ShowWindow	7E37AF56	5 Bytes	JMP 103B8E30	D:\Origin\OriginClient.dll
.text	D:\Origin\Origin.exe[628]	USER32.dll!SetFocus	7E37B112	5 Bytes	JMP 103B8E80	D:\Origin\OriginClient.dll
.text	D:\Origin\Origin.exe[628]	USER32.dll!BringWindowToTop	7E3803A8	5 Bytes	JMP 103B8D80	D:\Origin\OriginClient.dll
.text	D:\Origin\Origin.exe[628]	USER32.dll!SwitchToThisWindow	7E3A581C	5 Bytes	JMP 103B8DB0	D:\Origin\OriginClient.dll
.text	D:\Origin\Origin.exe[628]	ole32.dll!DoDragDrop	775C0B6D	5 Bytes	JMP 103B8D30	D:\Origin\OriginClient.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	ntdll.dll!NtCreateFile	7C90D090	5 Bytes	JMP 018D3D20	C:\Program Files\Mozilla Firefox\xul.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	ntdll.dll!NtFlushBuffersFile	7C90D310	5 Bytes	JMP 018BC661	C:\Program Files\Mozilla Firefox\xul.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	ntdll.dll!NtQueryFullAttributesFile	7C90D790	5 Bytes	JMP 018D3820	C:\Program Files\Mozilla Firefox\xul.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	ntdll.dll!NtReadFile	7C90D9B0	5 Bytes	JMP 018BC750	C:\Program Files\Mozilla Firefox\xul.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	ntdll.dll!NtReadFileScatter	7C90D9C0	5 Bytes	JMP 0215E1FF	C:\Program Files\Mozilla Firefox\xul.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	ntdll.dll!NtWriteFile	7C90DF60	5 Bytes	JMP 018D43D0	C:\Program Files\Mozilla Firefox\xul.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	ntdll.dll!NtWriteFileGather	7C90DF70	5 Bytes	JMP 0215E1AE	C:\Program Files\Mozilla Firefox\xul.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	ntdll.dll!LdrLoadDll	7C9163A3	5 Bytes	JMP 10001F4C	C:\Program Files\Mozilla Firefox\mozglue.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	kernel32.dll!lstrlenW + 43	7C809ADC	7 Bytes	JMP 020FF582	C:\Program Files\Mozilla Firefox\xul.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	kernel32.dll!MapViewOfFileEx + 6A	7C80B990	7 Bytes	JMP 020FF55F	C:\Program Files\Mozilla Firefox\xul.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	kernel32.dll!ValidateLocale + B1E8	7C8449F8	7 Bytes	JMP 018D06F3	C:\Program Files\Mozilla Firefox\xul.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	GDI32.dll!SetDIBitsToDevice + 209	77F19E04	7 Bytes	JMP 020FF4E0	C:\Program Files\Mozilla Firefox\xul.dll
.text	C:\Program Files\Mozilla Firefox\firefox.exe[1128]	USER32.dll!GetWindowInfo	7E37C49C	5 Bytes	JMP 0200E5A9	C:\Program Files\Mozilla Firefox\xul.dll

---- Registry - GMER 2.1 ----

Reg	HKLM\SYSTEM\ControlSet001\Services\hsrxlhdnv@DisplayName	Monitor Support
Reg	HKLM\SYSTEM\ControlSet001\Services\hsrxlhdnv@Type	32
Reg	HKLM\SYSTEM\ControlSet001\Services\hsrxlhdnv@Start	2
Reg	HKLM\SYSTEM\ControlSet001\Services\hsrxlhdnv@ErrorControl	0
Reg	HKLM\SYSTEM\ControlSet001\Services\hsrxlhdnv@ImagePath	%SystemRoot%\system32\svchost.exe -k netsvcs
Reg	HKLM\SYSTEM\ControlSet001\Services\hsrxlhdnv@ObjectName	LocalSystem
Reg	HKLM\SYSTEM\ControlSet001\Services\hsrxlhdnv@Description	Transferuje dane pomiędzy klientami a serwerami w tle. Jeżeli usługa BITS zostanie wyłączona, funkcje takie jak Windows Update nie będą działać poprawnie.
Reg	HKLM\SYSTEM\ControlSet001\Services\hsrxlhdnv\Parameters (not active ControlSet)
Reg	HKLM\SYSTEM\ControlSet001\Services\hsrxlhdnv\Parameters@ServiceDll	C:\WINDOWS\system32\dkitejaj.dll
Reg	HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg	HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0	C:\Program Files\DAEMON Tools Lite\
Reg	HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0	0x00 0x00 0x00 0x00 ...
Reg	HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0	0
Reg	HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12	0x87 0x43 0x9A 0x6D ...
Reg	HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg	HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0	C:\Program Files\DAEMON Tools Lite\
Reg	HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0	0x00 0x00 0x00 0x00 ...
Reg	HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0	0
Reg	HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12	0x87 0x43 0x9A 0x6D ...
Reg	HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg	HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0	C:\Program Files\DAEMON Tools Lite\
Reg	HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0	0x00 0x00 0x00 0x00 ...
Reg	HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0	0
Reg	HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12	0x87 0x43 0x9A 0x6D ...

---- EOF - GMER 2.1 ----