GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-19 09:03:39
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS543225L9A300 rev.FBEOC40C 232,89GB
Running: 99q6htp5.exe; Driver: C:\DOCUME~1\Piotr\USTAWI~1\Temp\kwlcrpog.sys


---- System - GMER 2.1 ----

SSDT  \SystemRoot\System32\drivers\pxrts.sys  ZwAllocateVirtualMemory [0xA164EF60]
SSDT  \SystemRoot\System32\drivers\pxrts.sys  ZwAssignProcessToJobObject [0xA164EAF0]
SSDT  9F5A6434  ZwClose
SSDT  9F5A63EE  ZwCreateKey
SSDT  9F5A643E  ZwCreateSection
SSDT  9F5A63E4  ZwCreateThread
SSDT  \SystemRoot\System32\drivers\pxrts.sys  ZwDebugActiveProcess [0xA164EF10]
SSDT  9F5A63F3  ZwDeleteKey
SSDT  9F5A63FD  ZwDeleteValueKey
SSDT  9F5A642F  ZwDuplicateObject
SSDT  9F5A6402  ZwLoadKey
SSDT  9F5A63D0  ZwOpenProcess
SSDT  \SystemRoot\System32\drivers\pxrts.sys  ZwOpenSection [0xA164ECD0]
SSDT  9F5A63D5  ZwOpenThread
SSDT  \SystemRoot\System32\drivers\pxrts.sys  ZwProtectVirtualMemory [0xA164EBE0]
SSDT  9F5A6457  ZwQueryValueKey
SSDT  9F5A640C  ZwReplaceKey
SSDT  9F5A6448  ZwRequestWaitReplyPort
SSDT  9F5A6407  ZwRestoreKey
SSDT  9F5A6443  ZwSetContextThread
SSDT  9F5A644D  ZwSetSecurityObject
SSDT  9F5A63F8  ZwSetValueKey
SSDT  9F5A6452  ZwSystemDebugControl
SSDT  9F5A63DF  ZwTerminateProcess
SSDT  \SystemRoot\System32\drivers\pxrts.sys  ZwTerminateThread [0xA164EC80]
SSDT  \SystemRoot\System32\drivers\pxrts.sys  ZwWriteVirtualMemory [0xA164F000]

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 2CD4  805045BC 4 Bytes  [F0, EA, 64, A1]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2D50  80504638 2 Bytes  [3E, 64]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2D6C  80504654 2 Bytes  [10, EF]  {ADC BH, CH}
.text  ntkrnlpa.exe!ZwCallbackReturn + 2FA8  80504890 2 Bytes  [48, 64]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[1612] ntdll.dll!LdrLoadDll  7C91632D 5 Bytes  JMP 016EDFF0 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1612] kernel32.dll!lstrlenW + 43  7C809AEC 7 Bytes  JMP 01E79796 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1612] kernel32.dll!MapViewOfFileEx + 6A  7C80B9A0 7 Bytes  JMP 01E79773 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1612] kernel32.dll!ValidateLocale + B1C8  7C8449C8 7 Bytes  JMP 016F5F1A C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1612] GDI32.dll!SetDIBitsToDevice + 20A  77F19E14 7 Bytes  JMP 01E796F4 C:\Program Files\Mozilla Firefox\xul.dll

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\WINNT\Explorer.EXE[2020] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress]  [5CFE7774] C:\WINNT\system32\ShimEng.dll

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Tcp  pxrts.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  106591
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xC8 0x6D 0x9F 0x89 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63B597C0-5DAB-4215-BD85-FDD0E9C8AB12}@LeaseObtainedTime  1382145603
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63B597C0-5DAB-4215-BD85-FDD0E9C8AB12}@T1  1382149203
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63B597C0-5DAB-4215-BD85-FDD0E9C8AB12}@T2  1382151903
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63B597C0-5DAB-4215-BD85-FDD0E9C8AB12}@LeaseTerminatesTime  1382152803
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{63B597C0-5DAB-4215-BD85-FDD0E9C8AB12}@DhcpRetryTime  3597
Reg  HKLM\SYSTEM\CurrentControlSet\Services\{63B597C0-5DAB-4215-BD85-FDD0E9C8AB12}\Parameters\Tcpip@LeaseObtainedTime  1382145603
Reg  HKLM\SYSTEM\CurrentControlSet\Services\{63B597C0-5DAB-4215-BD85-FDD0E9C8AB12}\Parameters\Tcpip@T1  1382149203
Reg  HKLM\SYSTEM\CurrentControlSet\Services\{63B597C0-5DAB-4215-BD85-FDD0E9C8AB12}\Parameters\Tcpip@T2  1382151903
Reg  HKLM\SYSTEM\CurrentControlSet\Services\{63B597C0-5DAB-4215-BD85-FDD0E9C8AB12}\Parameters\Tcpip@LeaseTerminatesTime  1382152803
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xC8 0x6D 0x9F 0x89 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xC8 0x6D 0x9F 0x89 ...

---- EOF - GMER 2.1 ----
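Triage note and added example (this is editorial code written for this page, not GMER's own tooling and not something the log's author ran). The SSDT section above has two kinds of entries: hooks GMER could attribute to a loaded driver (here \SystemRoot\System32\drivers\pxrts.sys, whose handler addresses are printed in brackets) and hooks whose handler address (9F5A63D0 through 9F5A6457) GMER could not map to any module, which is what makes them worth a second look. The "Kernel code sections" entries are patched dwords inside ntkrnlpa.exe; a 4-byte patch can be read as a little-endian pointer and compared with the hook addresses, which ties the 805045BC patch to the pxrts.sys ZwAssignProcessToJobObject handler 0xA164EAF0. The script below parses a few lines copied from this log (embedded as a constructed sample), separates attributed from unattributed SSDT hooks, measures how tightly the unattributed handlers cluster, and decodes the 4-byte kernel patches. The regular expressions assume the whitespace-separated layout GMER prints; the function and variable names are this example's own.

```python
"""Triage helpers for GMER 2.x SSDT output (added example, not GMER's own code)."""
import re
from collections import defaultdict, namedtuple

# module is None when GMER printed a bare handler address instead of an owning driver.
Hook = namedtuple("Hook", "func addr module")

# Constructed sample in the layout GMER prints; every entry is copied from the log above.
SAMPLE_LOG = r"""
SSDT  \SystemRoot\System32\drivers\pxrts.sys  ZwAllocateVirtualMemory [0xA164EF60]
SSDT  \SystemRoot\System32\drivers\pxrts.sys  ZwAssignProcessToJobObject [0xA164EAF0]
SSDT  9F5A6434  ZwClose
SSDT  9F5A63E4  ZwCreateThread
SSDT  9F5A63D0  ZwOpenProcess
SSDT  \SystemRoot\System32\drivers\pxrts.sys  ZwWriteVirtualMemory [0xA164F000]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2CD4  805045BC 4 Bytes  [F0, EA, 64, A1]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2D50  80504638 2 Bytes  [3E, 64]
"""

# "SSDT  <driver path>  <Zw function> [0x<handler>]"
ATTRIBUTED = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
# "SSDT  <handler>  <Zw function>"  (no owning module resolved)
UNATTRIBUTED = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)$")
# ".text  <image>!<symbol> + <offset>  <va> <n> Bytes  [<hex bytes>]"
PATCH = re.compile(
    r"^\.text\s+(?P<sym>\S+ \+ [0-9A-Fa-f]+)\s+(?P<va>[0-9A-Fa-f]{8})\s+"
    r"(?P<n>\d+) Bytes\s+\[(?P<bytes>[^\]]+)\]")


def parse_ssdt(text):
    """Return one Hook per SSDT line; non-SSDT lines are ignored."""
    hooks = []
    for line in text.splitlines():
        line = line.strip()
        m = ATTRIBUTED.match(line)
        if m:
            hooks.append(Hook(m["func"], int(m["addr"], 16), m["module"]))
            continue
        m = UNATTRIBUTED.match(line)
        if m:
            hooks.append(Hook(m["func"], int(m["addr"], 16), None))
    return hooks


def summarize(hooks):
    """Group attributed hooks by driver and isolate the unattributed ones.

    unattributed_span is the distance between the lowest and highest unattributed
    handler address: a small span means the handlers sit in one contiguous stub
    table, i.e. most likely one driver that GMER simply could not name.
    """
    by_module = defaultdict(list)
    unattributed = []
    for h in hooks:
        if h.module is None:
            unattributed.append(h)
        else:
            by_module[h.module].append(h.func)
    span = 0
    if unattributed:
        addrs = [h.addr for h in unattributed]
        span = max(addrs) - min(addrs)
    return {
        "by_module": dict(by_module),
        "unattributed": [(h.func, h.addr) for h in unattributed],
        "unattributed_span": span,
    }


def decode_patches(text, hooks):
    """Decode each 4-byte '.text' patch as a little-endian pointer and look it up
    among the hook handler addresses. Shorter patches cannot be decoded and are
    reported with pointer None."""
    by_addr = {h.addr: h.func for h in hooks}
    out = []
    for line in text.splitlines():
        m = PATCH.match(line.strip())
        if not m:
            continue
        raw = bytes.fromhex(m["bytes"].replace(",", "").replace(" ", ""))
        ptr = int.from_bytes(raw, "little") if len(raw) == 4 else None
        out.append((int(m["va"], 16), ptr, by_addr.get(ptr)))
    return out


if __name__ == "__main__":
    found = parse_ssdt(SAMPLE_LOG)
    report = summarize(found)
    for module, funcs in report["by_module"].items():
        print(f"{module}: {', '.join(funcs)}")
    print("unattributed:", report["unattributed"],
          "span: 0x%X" % report["unattributed_span"])
    for va, ptr, func in decode_patches(SAMPLE_LOG, found):
        print(f"patch at {va:08X} ->", "undecoded" if ptr is None else f"{ptr:08X} ({func})")
```

Run on the full log, the unattributed handlers span under 0x100 bytes, which is one stub table, not a scattering of independent hooks. Who owns that table is not something the log proves: GMER names pxrts.sys for the other kernel hooks and for the device attached to \Device\Tcp, and the Registry section carries sptd\Cfg keys in every control set, so the next step is to reconcile those against the software actually installed on the machine rather than to treat an unnamed handler as a rootkit by itself. The user-mode entries are the expected shape for a clean box: firefox.exe's hooks all jump into Firefox's own xul.dll, and the Explorer.EXE IAT entry points at ShimEng.dll, the Windows application-compatibility shim engine.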