GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2002-01-01 00:48:44 Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JB-00JJA0 rev.05.01C05 Running: prxi9o3e.exe; Driver: C:\DOCUME~1\AD\USTAWI~1\Temp\kfndrpog.sys ---- Kernel code sections - GMER 1.0.15 ---- .xreloc C:\WINDOWS\system32\drivers\sfsync04.sys unknown last section [0xF74F5000, 0xC0A, 0x40000040] .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xBA05C360, 0x348C87, 0xE8000020] init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xB9E2B900] .text C:\WINDOWS\system32\drivers\ACEDRV07.sys section is writeable [0xB72F2000, 0x328BA, 0xE8000020] .pklstb C:\WINDOWS\system32\drivers\ACEDRV07.sys entry point in ".pklstb" section [0xB7336000] .relo2 C:\WINDOWS\system32\drivers\ACEDRV07.sys unknown last section [0xB7352000, 0x8E, 0x42000040] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1196] USER32.dll!CreateWindowExW 7E36FF30 5 Bytes JMP 406ADB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1196] USER32.dll!DialogBoxParamW 7E375F8F 5 Bytes JMP 405D54C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1196] USER32.dll!DialogBoxIndirectParamW 7E382062 5 Bytes JMP 407A480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1196] USER32.dll!MessageBoxIndirectA 7E38A06A 5 Bytes JMP 407A4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1196] USER32.dll!DialogBoxParamA 7E38B12C 5 Bytes JMP 407A47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1196] USER32.dll!MessageBoxExW 7E3A0750 5 Bytes JMP 407A4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1196] USER32.dll!MessageBoxExA 7E3A0774 5 Bytes JMP 407A4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1196] USER32.dll!DialogBoxIndirectParamA 7E3A6CD0 5 Bytes JMP 407A4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1196] USER32.dll!MessageBoxIndirectW 7E3B6425 5 Bytes JMP 407A46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] USER32.dll!CallNextHookEx 7E36EAE3 5 Bytes JMP 4069D0ED C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] USER32.dll!CreateWindowExW 7E36FF30 5 Bytes JMP 406ADB1C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] USER32.dll!UnhookWindowsHookEx 7E370DD3 5 Bytes JMP 4061467C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] USER32.dll!DialogBoxParamW 7E375F8F 5 Bytes JMP 405D54C5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] USER32.dll!SetWindowsHookExW 7E37E4BF 5 Bytes JMP 406A9AC9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] USER32.dll!DialogBoxIndirectParamW 7E382062 5 Bytes JMP 407A480F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] USER32.dll!MessageBoxIndirectA 7E38A06A 5 Bytes JMP 407A4741 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] USER32.dll!DialogBoxParamA 7E38B12C 5 Bytes JMP 407A47AC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] USER32.dll!MessageBoxExW 7E3A0750 5 Bytes JMP 407A4612 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] USER32.dll!MessageBoxExA 7E3A0774 5 Bytes JMP 407A4674 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] USER32.dll!DialogBoxIndirectParamA 7E3A6CD0 5 Bytes JMP 407A4872 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] USER32.dll!MessageBoxIndirectW 7E3B6425 5 Bytes JMP 407A46D6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] ole32.dll!CoCreateInstance 774F057E 5 Bytes JMP 406ADB78 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] ole32.dll!OleLoadFromStream 77519C85 5 Bytes JMP 407A4B77 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation) ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Program Files\Internet Explorer\IEXPLORE.EXE[1732] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-17 8A6CAB18 Device \Driver\atapi \Device\Ide\IdePort0 8A6CAB18 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 8A6CAB18 Device \Driver\atapi \Device\Ide\IdePort1 8A6CAB18 Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-f 8A6CAB18 Device \Driver\USBSTOR \Device\0000006d 8A673900 Device \Driver\USBSTOR \Device\0000006e 8A673900 AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEC 0x30 0x8E 0x67 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x23 0x2B 0x6A 0xB8 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x1E 0xF9 0x48 0x54 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFE 0x4A 0xF6 0xBA ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x1E 0xF9 0x48 0x54 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFE 0x4A 0xF6 0xBA ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 E:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Classes\CLSID\{0a6ffa7e-187d-425a-9866-09956a0920ee}@Model 239 Reg HKLM\SOFTWARE\Classes\CLSID\{0a6ffa7e-187d-425a-9866-09956a0920ee}@Therad 30 Reg HKLM\SOFTWARE\Classes\CLSID\{0a6ffa7e-187d-425a-9866-09956a0920ee}@MData 0x2B 0x8F 0x78 0x29 ... Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0xB9 0x1D 0x55 0xE6 ... ---- EOF - GMER 1.0.15 ----