GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-14 16:27:12
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD1600BEVS-60RST0 rev.04.01G04
Running: 5oxgxxoh.exe; Driver: C:\Users\rozma\AppData\Local\Temp\uglorpoc.sys

---- System - GMER 1.0.15 ----

SSDT 89ABDFE6 ZwCreateSection
SSDT 89ABDFEB ZwSetContextThread
SSDT 89ABDF87 ZwTerminateProcess

INT 0x51 ? 85323F00
INT 0x62 ? 85323F00
INT 0x72 ? 85323F00
INT 0x94 ? 86EEFF00
INT 0xA4 ? 86EEFF00

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 215 82CEF998 4 Bytes [E6, DF, AB, 89]
.text ntkrnlpa.exe!KeSetEvent + 56D 82CEFCF0 4 Bytes [EB, DF, AB, 89]
.text ntkrnlpa.exe!KeSetEvent + 621 82CEFDA4 4 Bytes [87, DF, AB, 89]
.sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x806FFB2E]
.text USBPORT.SYS!DllUnload 83B8541B 5 Bytes JMP 86EEF410
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8C609340, 0x3FA057, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[844] ntdll.dll!LdrLoadDll 775F9378 5 Bytes JMP 676EFA35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[844] kernel32.dll!MapViewOfFile 77226B10 5 Bytes JMP 6799079E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[844] kernel32.dll!VirtualAlloc 7722AF75 5 Bytes JMP 679907C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[844] USER32.dll!GetWindowInfo 76B6428E 5 Bytes JMP 678729CB C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[844] GDI32.dll!CreateDIBSection 76AE7461 5 Bytes JMP 67990728 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Windows\Explorer.EXE[3244] SHELL32.dll!SHFileOperationW 760068E8 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUchar] [8060AF12] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortUlong] [8060B232] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUchar] [8060A730] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortWritePortBufferUshort] [8060B0F0] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortUshort] [8060A856] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\drivers\atapi.sys[ataport.SYS!AtaPortReadPortBufferUshort] [8060A914] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)
IAT \SystemRoot\system32\DRIVERS\i8042prt.sys[HAL.dll!READ_PORT_UCHAR] [8061EEB0] \SystemRoot\System32\Drivers\sptd.sys (SCSI Pass Through Direct Host/Duplex Secure Ltd.)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74347817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7439A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7434BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7433F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [743475E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7433E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [74378395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7434DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7433FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7433FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [743371CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [743CCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7436C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7433D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74336853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7433687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3244] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74342AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs 8546B1E8
Device \Driver\netbt \Device\NetBT_Tcpip_{F66748A8-A96E-4E6E-B16D-92FCC6F51893} 881221E8
Device \Driver\netbt \Device\NetBT_Tcpip_{7FD1CD10-1486-41D0-9802-2893D1F44BFB} 881221E8
Device \Driver\netbt \Device\NetBT_Tcpip_{EDFCD456-C514-4EF0-8D14-90408DF7F837} 881221E8
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
Device \Driver\usbohci \Device\USBPDO-0 8700C1E8
Device \Driver\usbehci \Device\USBPDO-1 8700E1E8
Device \Driver\USBSTOR \Device\00000114 881241E8
Device \Driver\USBSTOR \Device\00000116 881241E8
Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 8546A1E8
Device \Driver\atapi \Device\Ide\IdePort0 8546A1E8
Device \Driver\atapi \Device\Ide\IdePort1 8546A1E8
Device \Driver\atapi \Device\Ide\IdePort2 8546A1E8
Device \Driver\atapi \Device\Ide\IdePort3 8546A1E8
Device \Driver\netbt \Device\NetBt_Wins_Export 881221E8
Device \Driver\Smb \Device\NetbiosSmb 880DF1E8
Device \Driver\BTHUSB \Device\0000010c bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\BTHUSB \Device\0000010e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device \Driver\iScsiPrt \Device\RaidPort0 870561E8
Device \Driver\usbohci \Device\USBFDO-0 8700C1E8
Device \Driver\usbehci \Device\USBFDO-1 8700E1E8
Device \Driver\netbt \Device\NetBT_Tcpip_{243C4B1F-772F-4704-9F2F-B2999F80C708} 881221E8

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6beebf03 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6beebf03@0022fc344e44 0xC9 0xF9 0x78 0x15 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6beebf03@0026694a46dc 0xB7 0x36 0xB1 0x46 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6beebf03@0017e4e22e76 0xC6 0x2A 0xBF 0x9F ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6beebf03@1886ac1e4adb 0x53 0xC9 0x52 0x31 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6beebf03@002483725006 0xFE 0xAB 0x82 0xF0 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6beebf03@002186be3280 0x01 0xB1 0x6B 0x05 ...
Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001a6beebf03@0024912f5409 0x7A 0x79 0x66 0x80 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6beebf03
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6beebf03@0022fc344e44 0xC9 0xF9 0x78 0x15 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6beebf03@0026694a46dc 0xB7 0x36 0xB1 0x46 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6beebf03@0017e4e22e76 0xC6 0x2A 0xBF 0x9F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6beebf03@1886ac1e4adb 0x53 0xC9 0x52 0x31 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6beebf03@002483725006 0xFE 0xAB 0x82 0xF0 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6beebf03@002186be3280 0x01 0xB1 0x6B 0x05 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6beebf03@0024912f5409 0x7A 0x79 0x66 0x80 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6beebf03 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6beebf03@0022fc344e44 0xC9 0xF9 0x78 0x15 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6beebf03@0026694a46dc 0xB7 0x36 0xB1 0x46 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6beebf03@0017e4e22e76 0xC6 0x2A 0xBF 0x9F ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6beebf03@1886ac1e4adb 0x53 0xC9 0x52 0x31 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6beebf03@002483725006 0xFE 0xAB 0x82 0xF0 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001a6beebf03@0024912f5409 0x7A 0x79 0x66 0x80 ...

---- EOF - GMER 1.0.15 ----
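Added triage helper (example code written for this page, not part of the GMER output or of GMER itself). It parses the "System" and "Kernel code sections" entries above and cross-checks them: the three 4-byte patches GMER reports inside ntkrnlpa.exe (labelled by nearest export, "KeSetEvent + 215/56D/621") decode little-endian to 89ABDFE6, 89ABDFEB and 89ABDF87, which are exactly the three SSDT hook targets, so the log is showing the same three modified service-table slots twice rather than six independent modifications. It also lists hooks whose target GMER could not attribute to any module ("?" or no path, here the SSDT and INT entries) and groups hook targets by 4 KB page, which is the first thing to resolve against a loaded-driver list before deciding whether an unattributed hook is security software or a rootkit. The sample input is a subset of lines copied from the log; the regexes and function names are this example's own.

```python
"""Cross-check GMER SSDT / INT / inline-patch entries (example, not GMER code)."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Subset of lines copied verbatim from the GMER log above.
SAMPLE_LOG = """\
SSDT 89ABDFE6 ZwCreateSection
SSDT 89ABDFEB ZwSetContextThread
SSDT 89ABDF87 ZwTerminateProcess
INT 0x51 ? 85323F00
INT 0x62 ? 85323F00
INT 0x72 ? 85323F00
INT 0x94 ? 86EEFF00
INT 0xA4 ? 86EEFF00
.text ntkrnlpa.exe!KeSetEvent + 215 82CEF998 4 Bytes [E6, DF, AB, 89]
.text ntkrnlpa.exe!KeSetEvent + 56D 82CEFCF0 4 Bytes [EB, DF, AB, 89]
.text ntkrnlpa.exe!KeSetEvent + 621 82CEFDA4 4 Bytes [87, DF, AB, 89]
.text USBPORT.SYS!DllUnload 83B8541B 5 Bytes JMP 86EEF410
"""

# "SSDT <target> <service> [module]"; module is absent when GMER could not attribute it.
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)(?:\s+(.+))?$")
# "INT <vector> <module-or-?> <target>"
INT_RE = re.compile(r"^INT\s+(0x[0-9A-Fa-f]+)\s+(\S+)\s+([0-9A-F]{8})$")
# ".text <symbol> + <offset> <address> <n> Bytes [<hex bytes>]" (raw byte patches only)
PATCH_RE = re.compile(
    r"^\.text\s+(\S+)\s+\+\s+([0-9A-F]+)\s+([0-9A-F]{8})\s+(\d+) Bytes \[([0-9A-F, ]+)\]$"
)


@dataclass
class Hook:
    kind: str               # "SSDT" or "INT"
    name: str               # service name or interrupt vector
    target: int             # address the hook points to
    module: Optional[str]   # module GMER attributed, None if unresolved


@dataclass
class Patch:
    symbol: str             # nearest export GMER used as a label
    offset: int             # offset from that export
    address: int            # absolute address of the patched bytes
    data: bytes             # patched bytes, in memory order


def parse_hooks(log: str) -> List[Hook]:
    hooks: List[Hook] = []
    for line in log.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            hooks.append(Hook("SSDT", m.group(2), int(m.group(1), 16), m.group(3)))
        elif m := INT_RE.match(line):
            module = None if m.group(2) == "?" else m.group(2)
            hooks.append(Hook("INT", m.group(1), int(m.group(3), 16), module))
    return hooks


def parse_patches(log: str) -> List[Patch]:
    patches: List[Patch] = []
    for line in log.splitlines():
        if m := PATCH_RE.match(line.strip()):
            data = bytes(int(b.strip(), 16) for b in m.group(5).split(","))
            patches.append(Patch(m.group(1), int(m.group(2), 16), int(m.group(3), 16), data))
    return patches


def correlate(log: str) -> Dict[str, str]:
    """Map each 4-byte patch whose little-endian value equals an SSDT hook target
    to that service name: such a patch is the modified SSDT slot itself."""
    by_target = {h.target: h.name for h in parse_hooks(log) if h.kind == "SSDT"}
    out: Dict[str, str] = {}
    for p in parse_patches(log):
        if len(p.data) != 4:
            continue
        value = int.from_bytes(p.data, "little")   # x86 stores pointers little-endian
        if value in by_target:
            out[f"{p.symbol}+{p.offset:X}"] = by_target[value]
    return out


def unattributed(log: str) -> List[Hook]:
    """Hooks GMER could not tie to a module: resolve these against a driver list first."""
    return [h for h in parse_hooks(log) if h.module is None]


def group_by_page(log: str, page: int = 0x1000) -> Dict[int, List[str]]:
    """Group hook targets by page; targets sharing a page usually share one allocation."""
    groups: Dict[int, List[str]] = {}
    for h in parse_hooks(log):
        groups.setdefault(h.target & ~(page - 1), []).append(h.name)
    return groups


if __name__ == "__main__":
    for patch, service in correlate(SAMPLE_LOG).items():
        print(f"{patch} is the SSDT slot for {service}")
    for h in unattributed(SAMPLE_LOG):
        print(f"unattributed {h.kind} hook {h.name} -> {h.target:08X}")
    for base, names in sorted(group_by_page(SAMPLE_LOG).items()):
        print(f"page {base:08X}: {', '.join(names)}")
```

The JMP-style entries (such as the USBPORT.SYS!DllUnload line) deliberately do not match PATCH_RE, since their text carries a jump target rather than raw bytes; they would need a separate pattern if you wanted to include them in the page grouping.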