GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-06-15 19:19:30 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e SAMSUNG_HD040GJ/P rev.ZG100-34 Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pxtdipow.sys ---- Kernel code sections - GMER 1.0.15 ---- init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9B19F80] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[420] ws2_32.dll!getsockname 71A53D10 6 Bytes JMP 00F30000 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[420] ws2_32.dll!connect 71A54A07 6 Bytes JMP 00F20000 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[420] ws2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 00F00000 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[420] ws2_32.dll!getpeername 71A60B68 6 Bytes JMP 01040000 .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[420] ws2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 00F10000 .text C:\WINDOWS\notepad.exe[444] ws2_32.dll!getsockname 71A53D10 6 Bytes JMP 00A60000 .text C:\WINDOWS\notepad.exe[444] ws2_32.dll!connect 71A54A07 6 Bytes JMP 00A50000 .text C:\WINDOWS\notepad.exe[444] ws2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 00A30000 .text C:\WINDOWS\notepad.exe[444] ws2_32.dll!getpeername 71A60B68 6 Bytes JMP 00A70000 .text C:\WINDOWS\notepad.exe[444] ws2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 00A40000 .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[512] ws2_32.dll!getsockname 71A53D10 6 Bytes JMP 01840000 .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[512] ws2_32.dll!connect 71A54A07 6 Bytes JMP 01830000 .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[512] ws2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 01810000 .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[512] ws2_32.dll!getpeername 71A60B68 6 Bytes JMP 01850000 .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[512] ws2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 01820000 .text C:\WINDOWS\V0220Mon.exe[768] ws2_32.dll!getsockname 71A53D10 6 Bytes JMP 00D70000 .text C:\WINDOWS\V0220Mon.exe[768] ws2_32.dll!connect 71A54A07 6 Bytes JMP 00D60000 .text C:\WINDOWS\V0220Mon.exe[768] ws2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 00D40000 .text C:\WINDOWS\V0220Mon.exe[768] ws2_32.dll!getpeername 71A60B68 6 Bytes JMP 00D80000 .text C:\WINDOWS\V0220Mon.exe[768] ws2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 00D50000 .text C:\Program Files\Mozilla Firefox\firefox.exe[876] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 011A696F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[876] kernel32.dll!VirtualAlloc 7C809AF1 5 Bytes JMP 01450240 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[876] kernel32.dll!MapViewOfFile 7C80B9A5 5 Bytes JMP 01450219 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[876] GDI32.dll!CreateDIBSection 77F19E19 5 Bytes JMP 014501A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[876] WS2_32.dll!getsockname 71A53D10 6 Bytes JMP 022C0000 .text C:\Program Files\Mozilla Firefox\firefox.exe[876] WS2_32.dll!connect 71A54A07 6 Bytes JMP 022B0000 .text C:\Program Files\Mozilla Firefox\firefox.exe[876] WS2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 02290000 .text C:\Program Files\Mozilla Firefox\firefox.exe[876] WS2_32.dll!getpeername 71A60B68 6 Bytes JMP 022D0000 .text C:\Program Files\Mozilla Firefox\firefox.exe[876] WS2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 022A0000 .text C:\WINDOWS\system32\wuauclt.exe[1000] ws2_32.dll!getsockname 71A53D10 6 Bytes JMP 00B70000 .text C:\WINDOWS\system32\wuauclt.exe[1000] ws2_32.dll!connect 71A54A07 6 Bytes JMP 00B60000 .text C:\WINDOWS\system32\wuauclt.exe[1000] ws2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 00B40000 .text C:\WINDOWS\system32\wuauclt.exe[1000] ws2_32.dll!getpeername 71A60B68 6 Bytes JMP 00B80000 .text C:\WINDOWS\system32\wuauclt.exe[1000] ws2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 00B50000 .text C:\WINDOWS\system32\hkcmd.exe[1684] ws2_32.dll!getsockname 71A53D10 6 Bytes JMP 00E20000 .text C:\WINDOWS\system32\hkcmd.exe[1684] ws2_32.dll!connect 71A54A07 6 Bytes JMP 00E10000 .text C:\WINDOWS\system32\hkcmd.exe[1684] ws2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 00DF0000 .text C:\WINDOWS\system32\hkcmd.exe[1684] ws2_32.dll!getpeername 71A60B68 6 Bytes JMP 00E30000 .text C:\WINDOWS\system32\hkcmd.exe[1684] ws2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 00E00000 .text C:\WINDOWS\system32\igfxpers.exe[1688] ws2_32.dll!getsockname 71A53D10 6 Bytes JMP 00E20000 .text C:\WINDOWS\system32\igfxpers.exe[1688] ws2_32.dll!connect 71A54A07 6 Bytes JMP 00E10000 .text C:\WINDOWS\system32\igfxpers.exe[1688] ws2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 00DF0000 .text C:\WINDOWS\system32\igfxpers.exe[1688] ws2_32.dll!getpeername 71A60B68 6 Bytes JMP 00E30000 .text C:\WINDOWS\system32\igfxpers.exe[1688] ws2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 00E00000 .text C:\WINDOWS\Explorer.EXE[1788] WS2_32.dll!getsockname 71A53D10 6 Bytes JMP 03530000 .text C:\WINDOWS\Explorer.EXE[1788] WS2_32.dll!connect 71A54A07 6 Bytes JMP 02570000 .text C:\WINDOWS\Explorer.EXE[1788] WS2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 02550000 .text C:\WINDOWS\Explorer.EXE[1788] WS2_32.dll!getpeername 71A60B68 6 Bytes JMP 03540000 .text C:\WINDOWS\Explorer.EXE[1788] WS2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 02560000 .text C:\Program Files\Microsoft Security Client\msseces.exe[1812] ws2_32.dll!getsockname 71A53D10 6 Bytes JMP 01AF0000 .text C:\Program Files\Microsoft Security Client\msseces.exe[1812] ws2_32.dll!connect 71A54A07 6 Bytes JMP 01AE0000 .text C:\Program Files\Microsoft Security Client\msseces.exe[1812] ws2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 01820000 .text C:\Program Files\Microsoft Security Client\msseces.exe[1812] ws2_32.dll!getpeername 71A60B68 6 Bytes JMP 01B00000 .text C:\Program Files\Microsoft Security Client\msseces.exe[1812] ws2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 01AD0000 .text C:\WINDOWS\system32\ctfmon.exe[1820] ws2_32.dll!getsockname 71A53D10 6 Bytes JMP 00D90000 .text C:\WINDOWS\system32\ctfmon.exe[1820] ws2_32.dll!connect 71A54A07 6 Bytes JMP 00D80000 .text C:\WINDOWS\system32\ctfmon.exe[1820] ws2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 00D60000 .text C:\WINDOWS\system32\ctfmon.exe[1820] ws2_32.dll!getpeername 71A60B68 6 Bytes JMP 00DA0000 .text C:\WINDOWS\system32\ctfmon.exe[1820] ws2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 00D70000 .text C:\Program Files\Gadu-Gadu\gg.exe[2176] WS2_32.dll!getsockname 71A53D10 6 Bytes JMP 02410000 .text C:\Program Files\Gadu-Gadu\gg.exe[2176] WS2_32.dll!connect 71A54A07 6 Bytes JMP 02400000 .text C:\Program Files\Gadu-Gadu\gg.exe[2176] WS2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 023E0000 .text C:\Program Files\Gadu-Gadu\gg.exe[2176] WS2_32.dll!getpeername 71A60B68 6 Bytes JMP 02420000 .text C:\Program Files\Gadu-Gadu\gg.exe[2176] WS2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 023F0000 .text C:\Documents and Settings\Administrator\vhdeez.exe[2204] ws2_32.dll!getsockname 71A53D10 6 Bytes JMP 00F70000 .text C:\Documents and Settings\Administrator\vhdeez.exe[2204] ws2_32.dll!connect 71A54A07 6 Bytes JMP 00F60000 .text C:\Documents and Settings\Administrator\vhdeez.exe[2204] ws2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 00EF0000 .text C:\Documents and Settings\Administrator\vhdeez.exe[2204] ws2_32.dll!getpeername 71A60B68 6 Bytes JMP 00F80000 .text C:\Documents and Settings\Administrator\vhdeez.exe[2204] ws2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 00F00000 .text C:\Documents and Settings\Administrator\Pulpit\gmer.exe[2556] ws2_32.dll!getsockname 71A53D10 6 Bytes JMP 00C10000 .text C:\Documents and Settings\Administrator\Pulpit\gmer.exe[2556] ws2_32.dll!connect 71A54A07 6 Bytes JMP 00C00000 .text C:\Documents and Settings\Administrator\Pulpit\gmer.exe[2556] ws2_32.dll!WSAStartup 71A56A55 6 Bytes JMP 00B90000 .text C:\Documents and Settings\Administrator\Pulpit\gmer.exe[2556] ws2_32.dll!getpeername 71A60B68 6 Bytes JMP 00C20000 .text C:\Documents and Settings\Administrator\Pulpit\gmer.exe[2556] ws2_32.dll!WSAConnect 71A60C81 6 Bytes JMP 00BF0000 ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Fastfat \Fat A8275D20 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- Processes - GMER 1.0.15 ---- Library c:\windows\system32\n (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1116] 0x45670000 Library c:\windows\system32\n (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1788] 0x45670000 ---- Registry - GMER 1.0.15 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Run@vhdeez C:\Documents and Settings\Administrator\vhdeez.exe /h ---- Files - GMER 1.0.15 ---- File C:\WINDOWS\Temp\TMP0000029C0622FE9C5E916937 0 bytes File C:\WINDOWS\Temp\TMP0000029D9B57AD1313014E24 0 bytes ---- EOF - GMER 1.0.15 ----