GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-04 18:57:28
Windows 5.1.2600 Dodatek Service Pack 3
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HD502HJ rev.1AJ100E4
Running: gcvrehnm.exe; Driver: C:\DOCUME~1\UKASZ~1\USTAWI~1\Temp\kgldifod.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB3142380, 0x8D6CD5, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xAF55C300, 0x3B6D8, 0xE8000020]
.text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xB83D8300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text F:\Program Files (x86)\Mozilla Firefox\firefox.exe[2444] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01495B00 F:\Program Files (x86)\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text F:\Program Files (x86)\Mozilla Firefox\firefox.exe[2444] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 016D7B58 F:\Program Files (x86)\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text F:\Program Files (x86)\Mozilla Firefox\firefox.exe[2444] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 016D7B35 F:\Program Files (x86)\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text F:\Program Files (x86)\Mozilla Firefox\firefox.exe[2444] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 0149EF12 F:\Program Files (x86)\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text F:\Program Files (x86)\Mozilla Firefox\firefox.exe[2444] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 016D7AB6 F:\Program Files (x86)\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Tcp idmtdi.sys (Internet Download Manager TDI Driver/Tonec Inc.)

Device \Driver\prodrv06 \Device\ProDrv06 E1B57A18
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort0 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort1 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort2 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdePort3 prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-e prosync1.sys (StarForce Protection Synchronization Driver/Protection Technology)
Device \Driver\prohlp02 \Device\ProHlp02 E101C398

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDF 0x6A 0x5E 0x0C ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xFE 0xE6 0x2D 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCE 0x5B 0x0D 0xDD ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDF 0x6A 0x5E 0x0C ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xFE 0xE6 0x2D 0xAF ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xCE 0x5B 0x0D 0xDD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{228a7b33-6ee0-4b78-bc60-1d214c551970}@Model 279
Reg HKLM\SOFTWARE\Classes\CLSID\{228a7b33-6ee0-4b78-bc60-1d214c551970}@Therad 21
Reg HKLM\SOFTWARE\Classes\CLSID\{228a7b33-6ee0-4b78-bc60-1d214c551970}@MData 0x73 0xD5 0xCF 0xB8 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0xD9 0xE9 0x2B 0xD1 ...

---- EOF - GMER 1.0.15 ----