GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-24 21:09:06
Windows 5.1.2600 Dodatek Service Pack 2
Running: l3j00uv4.exe; Driver: C:\DOCUME~1\Michalek\USTAWI~1\Temp\awldrpog.sys


---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2336] USER32.dll!TrackPopupMenu 77D84EDE 5 Bytes JMP 10450501 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3620] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 004013F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\PSAPI.DLL [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\WS2_32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)
IAT C:\WINDOWSY\Explorer.EXE[1188] @ C:\WINDOWSY\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWSY\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x58 0x4B 0x05 0x8A ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x58 0x4B 0x05 0x8A ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x58 0x4B 0x05 0x8A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{28931719-23b9-400f-acd6-967968a86054}@Model 89
Reg HKLM\SOFTWARE\Classes\CLSID\{28931719-23b9-400f-acd6-967968a86054}@Therad 21
Reg HKLM\SOFTWARE\Classes\CLSID\{28931719-23b9-400f-acd6-967968a86054}@MData 0x73 0xD5 0xCF 0xB8 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk 0x11 0x64 0x63 0xB4 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7B8E9164-324D-4A2E-A46D-0165FB2000EC}@scansk 0xBA 0x06 0x79 0xCF ...
Reg HKLM\SOFTWARE\Classes\CLSID\{d1e6a65e-1b85-4fac-8d1a-e29f6e8d35f8}@Model 22
Reg HKLM\SOFTWARE\Classes\CLSID\{d1e6a65e-1b85-4fac-8d1a-e29f6e8d35f8}@Therad 20

---- EOF - GMER 1.0.15 ----