GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-01 13:31:04
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JD-75MSA1 rev.10.01E01 74,51GB
Running: 7oeknrgf.exe; Driver: C:\DOCUME~1\User1\USTAWI~1\Temp\uxtdypow.sys

---- System - GMER 2.1 ----

SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwCreateKey [0xBA1EB948]
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwDeleteKey [0xBA1EBC9C]
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwDeleteValueKey [0xBA1EBCDC]
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwOpenKey [0xBA1EBAEE]
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwOpenProcess [0xBA1EA55E]
SSDT \??\C:\WINDOWS\system32\drivers\HookCentre.sys ZwSetValueKey [0xBA1EBC40]

---- Kernel code sections - GMER 2.1 ----

init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9B35F80]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[476] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 109DECBA C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[476] USER32.dll!SetWindowLongA + 19 7E37C2B6 7 Bytes JMP 109DEC49 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[476] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 107FC6FD C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[476] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 107FCCF3 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1824] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0171F140 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1824] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01D3FDF5 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1824] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01D3FDD2 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1824] kernel32.dll!ValidateLocale + B1C8 7C8449C8 7 Bytes JMP 01722942 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[1824] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01D3FD53 C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.1 ----

Device \Driver\Tcpip \Device\Ip GDTdiIcpt.sys
Device \Driver\Tcpip \Device\Tcp GDTdiIcpt.sys
Device \Driver\Tcpip \Device\Udp GDTdiIcpt.sys
Device \Driver\Tcpip \Device\RawIp GDTdiIcpt.sys
Device \Driver\Tcpip \Device\IPMULTICAST GDTdiIcpt.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x99 0xC0 0xAC 0x35 ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x99 0xC0 0xAC 0x35 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158307cac0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158307cac0@002108046d9e 0xD9 0xBA 0x79 0xDD ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015833d0a57@b8f93442e1dc 0xD2 0x39 0x8F 0xA3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x99 0xC0 0xAC 0x35 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158307cac0
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158307cac0@002108046d9e 0xD9 0xBA 0x79 0xDD ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015833d0a57
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015833d0a57@b8f93442e1dc 0xD2 0x39 0x8F 0xA3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x99 0xC0 0xAC 0x35 ...
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\00158307cac0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\00158307cac0@002108046d9e 0xD9 0xBA 0x79 0xDD ...
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\BTHPORT\Parameters\Keys\0015833d0a57@b8f93442e1dc 0xD2 0x39 0x8F 0xA3 ...
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x99 0xC0 0xAC 0x35 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\AMCap.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Monitor.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Monitor.ini 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\P7302USD.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PAC7302.sys 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PASnap.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PASnap.ico 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Pac7302.inf 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\SP7302.ax 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\SP7302.ds 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\SP7302.ini 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\pac7302.cat 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\WINDOWS\system32\SP7302.ax 2
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\WINDOWS\system32\SP7302.ini 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\PixArt\Media-Tech Camera (0028.2010.0917.1042)\AMCap.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Frame\p00001m4.bmp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Frame\p00001p4.bmp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Frame\p00002m4.bmp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Frame\p00002p4.bmp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Frame\p00003m4.bmp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Frame\p00003p4.bmp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Frame\p00004m4.bmp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Frame\p00004p4.bmp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Frame\p00005m4.bmp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Frame\p00005p4.bmp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Frame\p00006m4.bmp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\Frame\p00006p4.bmp 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\WINDOWS\PixArt\PAC7302\Monitor.exe 2
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\WINDOWS\PixArt\PAC7302\Monitor.ini 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\WINDOWS\PixArt\PAC7302\PASnap.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\WINDOWS\PixArt\PAC7302\PASnap.ico 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST32\MFC71.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST32\PixArt.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST32\Remove.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST32\Remover.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST32\Remover.ini 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST32\Rescan.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST32\Update.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST32\XPSetup.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST32\difxapi.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST32\msvcp71.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST32\msvcr71.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST64\MFC71.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST64\Remove.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST64\Remover.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST64\Remover.ini 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST64\Rescan.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST64\Update.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST64\XPSetup.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST64\msvcp71.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\PXIINST64\msvcr71.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\WNT\CoInst_071029.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\WNT\CtlStiSc.bat 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\WNT\PAC7302.sys 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\WXPAMD64\CoInst_071029.dll 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\WXPAMD64\CtlStiSc.bat 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\Program Files\Common Files\PAC7302\WXPAMD64\PAC7302.sys 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\WINDOWS\system32\Remover.ini 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDLLs@C:\WINDOWS\system32\Remove.exe 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@ModifyPath "C:\Program Files\InstallShield Installation Information\{B2920232-19DA-44FC-835F-68E427EAE2CE}\setup.exe" -runfromtemp -l0x0009
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@NoRepair 1
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@UninstallString "C:\Program Files\InstallShield Installation Information\{B2920232-19DA-44FC-835F-68E427EAE2CE}\setup.exe" -runfromtemp -l0x0009 -removeonly
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@LogFile C:\Program Files\InstallShield Installation Information\{B2920232-19DA-44FC-835F-68E427EAE2CE}\setup.ilg
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@InstallLocation C:\Program Files\PixArt\Media-Tech Camera (0028.2010.0917.1042)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@ProductGuid {B2920232-19DA-44FC-835F-68E427EAE2CE}
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@InstallSource C:\DOCUME~1\User1\USTAWI~1\Temp\Rar$EX00.328\Media-Tech Camera (0028.2010.0917.1042).exe
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@DisplayName Media-Tech Camera (0028.2010.0917.1042)
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@Publisher PixArt
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@URLInfoAbout http://www.PixArt.com.tw
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@RegCompany Dell
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@RegOwner GX620
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@InstallDate 20130917
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@Language 9
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@DisplayVersion 0028.2010.0917.1042
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@Version 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@MajorVersion 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@MinorVersion 0
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{B2920232-19DA-44FC-835F-68E427EAE2CE}@LogMode 1
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 42
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 16
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\Samsung SCX-4x21 Series (Kopia 1)@ChangeID 490078

---- EOF - GMER 2.1 ----