GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-16 19:29:15 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 FUJITSU_MHV2080AH_PL rev.000000A0 74,53GB Running: gsoodqei.exe; Driver: C:\DOCUME~1\RODZIN~1\USTAWI~1\Temp\pxldrpoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA8E17300, 0x3B6D8, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF884A300, 0x1BEE, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[136] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 10004720 c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll .text C:\WINDOWS\Explorer.EXE[244] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 10004720 c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll .text C:\WINDOWS\system32\spoolsv.exe[300] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 10004720 c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll .text C:\Documents and Settings\All Users\Dane aplikacji\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.exe[672] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 10004720 C:\Documents and Settings\All Users\Dane aplikacji\BrowserProtect\2.6.1249.132\{c16c1ccb-7046-4e5c-a2f3-533ad2fec8e8}\BrowserProtect.dll .text C:\Documents and Settings\All Users\Dane aplikacji\DatacardService\HWDeviceService.exe[924] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 10004720 c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll .text ... .text C:\Program Files\Mozilla Firefox\firefox.exe[4048] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 01976D70 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4048] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 01CCD736 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4048] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 01CCD713 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4048] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 01991C62 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4048] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 10004720 c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4048] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 01CCD694 C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\Explorer.EXE[244] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\Explorer.EXE[244] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryW] [10009FA0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\winlogon.exe[1152] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryW] [10009FA0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\winlogon.exe[1152] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\winlogon.exe[1152] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtOpenFile] [1000A110] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\winlogon.exe[1152] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\winlogon.exe[1152] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtQueryValueKey] [1000DDF0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\winlogon.exe[1152] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\winlogon.exe[1152] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtSetValueKey] [1000DE60] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\winlogon.exe[1152] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtCreateKey] [1000DED0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!LoadLibraryW] [10009FA0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtCreateKey] [1000DED0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryValueKey] [1000DDF0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtSetValueKey] [1000DE60] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteValueKey] [1000E0D0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtEnumerateKey] [1000DD10] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteKey] [1000E080] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtSetInformationFile] [1000A2C0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryInformationFile] [10009990] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteFile] [1000A270] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtOpenFile] [1000A110] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryKey] [10009950] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\services.exe[1196] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1380] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1380] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1380] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1428] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1428] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1428] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\System32\svchost.exe[1572] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\System32\svchost.exe[1572] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\System32\svchost.exe[1572] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1716] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1716] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1716] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1780] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1780] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1780] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1892] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1892] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll IAT C:\WINDOWS\system32\svchost.exe[1892] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys Device \Driver\prodrv06 \Device\ProDrv06 E1ADD1F8 Device \Driver\prohlp02 \Device\ProHlp02 E1001B68 ---- EOF - GMER 2.1 ----