GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-05-24 20:16:08 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3500418AS rev.CC34 Running: eck3w6qh.exe; Driver: C:\DOKUME~1\UserX\Ustawienia lokalne\Temp\uxtdypod.sys ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB70D93C0, 0x95AAEA, 0xE8000020] .text C:\WINDOWS\system32\drivers\oreans32.sys section is writeable [0xB8178280, 0x7B1C, 0xE8000020] .text win32k.sys!EngAcquireSemaphore + 2645 BF8089A9 5 Bytes JMP 8999D4D0 .text win32k.sys!EngFreeUserMem + 5502 BF80EE60 5 Bytes JMP 8999D430 .text win32k.sys!EngStretchBlt + 42A5 BF850EF3 5 Bytes JMP 8999D750 .text win32k.sys!EngCreatePalette + 1C0 BF856A6D 5 Bytes JMP 8999D570 .text win32k.sys!FONTOBJ_pxoGetXform + 5449 BF8B522A 5 Bytes JMP 8999D610 .text win32k.sys!EngAlphaBlend + 1A08 BF8C30B3 5 Bytes JMP 8999D6B0 .text win32k.sys!PATHOBJ_vGetBounds + 74E3 BF8F002B 5 Bytes JMP 8999D7F0 ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[2376] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01279720 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2376] kernel32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 014AE21B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2376] kernel32.dll!MapViewOfFile 7C80B995 5 Bytes JMP 014AE1F4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2376] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 013F7657 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2376] GDI32.dll!CreateDIBSection 77F19E19 5 Bytes JMP 014AE17E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\Tcpip \Device\Ip nltdi.sys (NetLimiter 3 TDI driver/Locktime Software) AttachedDevice \Driver\Tcpip \Device\Tcp nltdi.sys (NetLimiter 3 TDI driver/Locktime Software) AttachedDevice \Driver\Tcpip \Device\Udp nltdi.sys (NetLimiter 3 TDI driver/Locktime Software) AttachedDevice \Driver\Tcpip \Device\RawIp nltdi.sys (NetLimiter 3 TDI driver/Locktime Software) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x26 0xD7 0x4B 0x9B ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x38 0x0F 0x98 0x02 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x68 0x07 0x9F 0x36 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x26 0xD7 0x4B 0x9B ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x38 0x0F 0x98 0x02 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x68 0x07 0x9F 0x36 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0808583D-5071-D3F4-B1EA-6C444D63F63D} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0808583D-5071-D3F4-B1EA-6C444D63F63D}@paiimjnjmmjdlcmdpijjajpaneelfmlc 0x6A 0x61 0x6E 0x6C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0808583D-5071-D3F4-B1EA-6C444D63F63D}@oacicegcmaknnhhplbnedjlejdbgjm 0x6A 0x61 0x6A 0x6C ... ---- EOF - GMER 1.0.15 ----