GMER 1.0.15.15640 - http://www.gmer.net
Rootkit scan 2011-05-31 12:04:39
Windows 5.1.2600 Service Pack 3
Running: GMER.exe; Driver: C:\DOCUME~1\KRYSTI~1\USTAWI~1\Temp\pxtdqpob.sys


---- System - GMER 1.0.15 ----

INT 0x06  \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems)  F163516D
INT 0x0E  \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems)  F1634FC2

---- Kernel code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\drivers\hardlock.sys  section is writeable [0xF140B400, 0x87EE2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF14AF620]
C:\WINDOWS\system32\drivers\hardlock.sys  entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xF14AF620]
.protect˙˙˙˙hardlockunknown last code section [0xF14AF400, 0x5126, 0xE0000020]
C:\WINDOWS\system32\drivers\hardlock.sys  unknown last code section [0xF14AF400, 0x5126, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[824] ntdll.dll!LdrLoadDll  7C9163C3 5 Bytes  JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
.text  C:\WINDOWS\System32\svchost.exe[1072] ntdll.dll!NtQueryInformationProcess  7C90D7FE 5 Bytes  JMP 0215ADCD
.text  C:\WINDOWS\System32\svchost.exe[1072] NETAPI32.dll!NetpwPathCanonicalize  6FF4A3A9 5 Bytes  JMP 0215AD64
.text  C:\WINDOWS\system32\svchost.exe[1152] ntdll.dll!NtQueryInformationProcess  7C90D7FE 5 Bytes  JMP 0079ADCD
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[2812] USER32.dll!TrackPopupMenu  7E3B531E 5 Bytes  JMP 1040C334 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] srbdfgdfm  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm@DisplayName  Universal Shell
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm@Type  32
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm@ErrorControl  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm@Description  Provides automatic configuration for 802.11 adapters (original Polish: Zapewnia automatyczną konfigurację kart 802.11)
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm\Parameters@ServiceDll  C:\WINDOWS\system32\btzbflss.dll
Reg  HKLM\SYSTEM\ControlSet003\Services\srbdfgdfm@DisplayName  Universal Shell
Reg  HKLM\SYSTEM\ControlSet003\Services\srbdfgdfm@Type  32
Reg  HKLM\SYSTEM\ControlSet003\Services\srbdfgdfm@Start  2
Reg  HKLM\SYSTEM\ControlSet003\Services\srbdfgdfm@ErrorControl  0
Reg  HKLM\SYSTEM\ControlSet003\Services\srbdfgdfm@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet003\Services\srbdfgdfm@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\ControlSet003\Services\srbdfgdfm@Description  Provides automatic configuration for 802.11 adapters (original Polish: Zapewnia automatyczną konfigurację kart 802.11)
Reg  HKLM\SYSTEM\ControlSet003\Services\srbdfgdfm\Parameters  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\srbdfgdfm\Parameters@ServiceDll  C:\WINDOWS\system32\btzbflss.dll

---- EOF - GMER 1.0.15 ----
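The point a triager wants out of a log like this is not the svchost.exe line itself but the hidden service behind it: a SERVICE_WIN32_SHARE_PROCESS (Type 32) entry hosted by "svchost.exe -k netsvcs", whose real code is the ServiceDll under Parameters, registered in more than one control set. The following script is an added example, not part of the forum post or of GMER: it parses the Services and Registry sections of a GMER log into per-service records and lists those indicators. The embedded sample is a subset of the log above, the "looks_generated" vowel-ratio heuristic is an assumption of this example, and the parser handles logs with any number of services, not just the one shown.

```python
import re
from dataclasses import dataclass, field

# Services and Registry lines taken from the GMER log above (ControlSet003 trimmed
# to the entries that matter), embedded so the script runs offline.
SAMPLE_LOG = r"""
---- Services - GMER 1.0.15 ----

Service  C:\WINDOWS\system32\svchost.exe (*** hidden *** )  [AUTO] srbdfgdfm  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm@DisplayName  Universal Shell
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm@Type  32
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm@Start  2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm@ObjectName  LocalSystem
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm\Parameters
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srbdfgdfm\Parameters@ServiceDll  C:\WINDOWS\system32\btzbflss.dll
Reg  HKLM\SYSTEM\ControlSet003\Services\srbdfgdfm@ImagePath  %SystemRoot%\system32\svchost.exe -k netsvcs
Reg  HKLM\SYSTEM\ControlSet003\Services\srbdfgdfm\Parameters  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\srbdfgdfm\Parameters@ServiceDll  C:\WINDOWS\system32\btzbflss.dll
"""

# "Service  <image> (<flags>)  [<start>] <name> ..." as GMER prints it in the Services section.
SERVICE_RE = re.compile(
    r"^Service\s+(?P<image>.+?)\s+\((?P<flags>[^)]*)\)\s+\[(?P<start>[A-Z]+)\]\s+(?P<name>\S+)")
# "Reg  HKLM\SYSTEM\<control set>\Services\<name>[\subkey...][@<value>]  [<data>]"
REG_RE = re.compile(
    r"^Reg\s+HKLM\\SYSTEM\\(?P<cset>[^\\]+)\\Services\\(?P<name>[^\\@\s]+)"
    r"(?P<subkey>(?:\\[^\\@\s]+)*)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$")


@dataclass
class ServiceRecord:
    name: str
    hidden: bool = False          # GMER flagged it "*** hidden ***" (missing from the SCM view)
    host_image: str = ""
    start_mode: str = ""
    values: dict = field(default_factory=dict)  # control set -> {"Type": "32", "Parameters\ServiceDll": ...}

    def get(self, value, cset="CurrentControlSet"):
        return self.values.get(cset, {}).get(value)


def parse_gmer(log_text):
    """Collect every service GMER mentions, from both the Services and Registry sections."""
    records = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SERVICE_RE.match(line)
        if m:
            rec = records.setdefault(m["name"], ServiceRecord(m["name"]))
            rec.hidden = "hidden" in m["flags"]
            rec.host_image, rec.start_mode = m["image"], m["start"]
            continue
        m = REG_RE.match(line)
        if m and m["value"]:  # key-only lines (no "@value") carry no data worth keeping
            rec = records.setdefault(m["name"], ServiceRecord(m["name"]))
            key = (m["subkey"].lstrip("\\") + "\\" if m["subkey"] else "") + m["value"]
            rec.values.setdefault(m["cset"], {})[key] = (m["data"] or "").strip()
    return records


def looks_generated(name):
    """Heuristic (an assumption of this example): names with almost no vowels are typical of droppers."""
    letters = [c for c in name.lower() if c.isalpha()]
    return bool(letters) and sum(c in "aeiouy" for c in letters) / len(letters) < 0.2


def assess(rec):
    findings = []
    if rec.hidden:
        findings.append("hidden: not returned by the SCM service enumeration")
    image = (rec.get("ImagePath") or "").lower()
    if rec.get("Type") == "32" and "svchost.exe -k" in image:
        group = image.split("-k", 1)[1].strip()
        dll = rec.get("Parameters\\ServiceDll")
        findings.append(f"svchost-hosted (group {group}); the code to examine is ServiceDll {dll}")
    if rec.get("ObjectName") == "LocalSystem" and rec.get("Start") == "2":
        findings.append("auto-start as LocalSystem")
    if looks_generated(rec.name):
        findings.append("service name looks machine-generated (heuristic)")
    if len(rec.values) > 1:
        findings.append("registered in " + ", ".join(sorted(rec.values)) + "; clean every control set")
    return findings


def triage(log_text):
    """Return {service name: {hidden, service_dll, control_sets, findings}} for a GMER log."""
    return {name: {"hidden": rec.hidden,
                   "service_dll": rec.get("Parameters\\ServiceDll"),
                   "control_sets": sorted(rec.values),
                   "findings": assess(rec)}
            for name, rec in parse_gmer(log_text).items()}


if __name__ == "__main__":
    for name, info in triage(SAMPLE_LOG).items():
        print(name, "->", info["service_dll"])
        for finding in info["findings"]:
            print("  -", finding)
```

When run on the log above it reports one service, srbdfgdfm, whose payload is C:\WINDOWS\system32\btzbflss.dll; that DLL, not svchost.exe, is the file to pull for analysis. Because svchost only loads a service that appears in its group list, the same name should also be looked for in the netsvcs value under HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost, and the entry removed from every control set GMER lists, not only CurrentControlSet.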