GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-08 07:46:29 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST3808110AS rev.3.ADH 74,51GB Running: 2qz64v42.exe; Driver: C:\DOCUME~1\admin\USTAWI~1\Temp\pxtdapob.sys ---- System - GMER 2.1 ---- SSDT sptd.sys ZwCreateKey [0xB9ECFA50] SSDT sptd.sys ZwEnumerateKey [0xB9F03FFE] SSDT sptd.sys ZwEnumerateValueKey [0xB9F0438C] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0xBA3716E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0xBA371800] SSDT sptd.sys ZwOpenKey [0xB9ECFA30] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0xBA371010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0xBA3714D0] SSDT sptd.sys ZwQueryKey [0xB9F04464] SSDT sptd.sys ZwQueryValueKey [0xB9F042E4] SSDT sptd.sys ZwSetValueKey [0xB9F044F6] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0xBA371300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0xBA3713E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0xBA371120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0xBA371210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0xBA3715E0] INT 0x62 ? 89E08CC8 INT 0x63 ? 89E08CC8 INT 0x84 ? 89C88F00 INT 0x94 ? 89C88F00 INT 0xA4 ? 89C88F00 INT 0xB4 ? 89C88F00 ---- Kernel code sections - GMER 2.1 ---- .text sptd.sys B9E95000 4 Bytes [A6, CB, 6E, 80] .text sptd.sys B9E95005 27 Bytes [79, 6E, 80, 30, 78, 6E, 80, ...] .text sptd.sys B9E95024 4 Bytes [74, 7F, E8, B9] .text sptd.sys B9E9502C 20 Bytes [0C, 1C, 5E, 80, 46, 8F, 5E, ...] .text sptd.sys B9E95041 99 Bytes [F2, 4E, 80, 90, F2, 4E, 80, ...] .text ... .sptd2 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd2" section [0xB9F8CD38] ? C:\WINDOWS\system32\drivers\sptd.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xB9063F80] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] ntdll.dll!NtCreateFile 7C90D0AE 3 Bytes JMP 0191C6E0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] ntdll.dll!NtCreateFile + 4 7C90D0B2 1 Byte [85] .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] ntdll.dll!NtFlushBuffersFile 7C90D32E 2 Bytes JMP 0161D3A3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] ntdll.dll!NtFlushBuffersFile + 3 7C90D331 2 Bytes [D1, 84] .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 0161D620 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 0161D400 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 02246F6A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] ntdll.dll!NtWriteFile 7C90DF7E 3 Bytes JMP 0191D5B0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] ntdll.dll!NtWriteFile + 4 7C90DF82 1 Byte [85] .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 02246F19 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10001F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 021AEAF5 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 021AEAD2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] kernel32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 0191913E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 020B5F20 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3104] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 021AEA53 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3132] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 10577C8C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3132] USER32.dll!SetWindowLongA + 19 7E37C2B6 7 Bytes JMP 10577CFD C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3132] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 1057BB64 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3132] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 105752C7 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3224] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 013D578A C:\Program Files\Mozilla Thunderbird\xul.dll .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3224] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 02073804 C:\Program Files\Mozilla Thunderbird\xul.dll .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3224] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 0207384C C:\Program Files\Mozilla Thunderbird\xul.dll .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3224] kernel32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 013E6538 C:\Program Files\Mozilla Thunderbird\xul.dll .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3224] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 01BF918D C:\Program Files\Mozilla Thunderbird\xul.dll .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3224] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 02073873 C:\Program Files\Mozilla Thunderbird\xul.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 89E071F8 AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys Device \Driver\usbuhci \Device\USBPDO-0 89C851F8 Device \Driver\usbuhci \Device\USBPDO-1 89C851F8 Device \Driver\usbuhci \Device\USBPDO-2 89C851F8 Device \Driver\usbuhci \Device\USBPDO-3 89C851F8 Device \Driver\usbehci \Device\USBPDO-4 89C531F8 AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys Device \Driver\Cdrom \Device\CdRom0 89A641F8 Device \Driver\atapi \Device\Ide\IdePort0 [B9E0EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9E0EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9E0EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [B9E0EB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBT_Tcpip_{E3559496-1DC4-4E8E-93ED-98AF18AFDEA2} 89884430 Device \Driver\NetBT \Device\NetBt_Wins_Export 89884430 Device \Driver\NetBT \Device\NetbiosSmb 89884430 AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys Device \Driver\usbuhci \Device\USBFDO-0 89C851F8 Device \Driver\usbuhci \Device\USBFDO-1 89C851F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 896BC1F8 Device \Driver\usbuhci \Device\USBFDO-2 89C851F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 896BC1F8 Device \Driver\usbuhci \Device\USBFDO-3 89C851F8 Device \Driver\usbehci \Device\USBFDO-4 89C531F8 Device \FileSystem\Cdfs \Cdfs 89CAB430 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3F 0x94 0xFC 0x56 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x3F 0x94 0xFC 0x56 ... Reg HKLM\SOFTWARE\Classes\CLSID\{ff0021ad-2cc3-4e0d-8e3c-b4153a64a495}@ Internet Program Reg HKLM\SOFTWARE\Classes\CLSID\{ff0021ad-2cc3-4e0d-8e3c-b4153a64a495}\InprocServer32 Reg HKLM\SOFTWARE\Classes\CLSID\{ff0021ad-2cc3-4e0d-8e3c-b4153a64a495}\InprocServer32@ C:\Program Files\Internet Program\Extensions\ff0021ad-2cc3-4e0d-8e3c-b4153a64a495.dll Reg HKLM\SOFTWARE\Classes\CLSID\{ff0021ad-2cc3-4e0d-8e3c-b4153a64a495}\InprocServer32@ThreadingModel Apartment Reg HKLM\SOFTWARE\Classes\CLSID\{ff0021ad-2cc3-4e0d-8e3c-b4153a64a495}\Programmable Reg HKLM\SOFTWARE\Classes\CLSID\{ff0021ad-2cc3-4e0d-8e3c-b4153a64a495}\TypeLib Reg HKLM\SOFTWARE\Classes\CLSID\{ff0021ad-2cc3-4e0d-8e3c-b4153a64a495}\TypeLib@ {91462ced-876d-4a7d-8528-2d7b463463f7} Reg HKLM\SOFTWARE\Classes\CLSID\{ff0021ad-2cc3-4e0d-8e3c-b4153a64a495}\Version Reg HKLM\SOFTWARE\Classes\CLSID\{ff0021ad-2cc3-4e0d-8e3c-b4153a64a495}\Version@ 1.0 Reg HKLM\SOFTWARE\Classes\Installer\Features\F6071111A6667304777712318267D401 Reg HKLM\SOFTWARE\Classes\Installer\Features\F6071111A6667304777712318267D401@fx Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401 Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401@ProductName JavaFX 2.1.1 Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401@PackageCode 9A3F5B5590AD6C043A4AF53AF5E8C3F9 Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401@Language 1033 Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401@Version 33619969 Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401@Assignment 1 Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401@AdvertiseFlags 388 Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401@ProductIcon C:\WINDOWS\Installer\{1111706F-666A-4037-7777-211328764D10}\javaIcon.ico Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401@InstanceType 0 Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401@AuthorizedLUAApp 0 Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401@Clients :? Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401\SourceList Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401\SourceList@PackageName fx2.0.msi Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401\SourceList@LastUsedSource n;1;C:\Documents and Settings\admin\Dane aplikacji\Oracle\Java\FX2.0\ Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401\SourceList\Media Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401\SourceList\Media@DiskPrompt [1] Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401\SourceList\Media@1 DISK1;1 Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401\SourceList\Net Reg HKLM\SOFTWARE\Classes\Installer\Products\F6071111A6667304777712318267D401\SourceList\Net@1 C:\Documents and Settings\admin\Dane aplikacji\Oracle\Java\FX2.0\ Reg HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\A5CC11110F5B69B4777712312266467C Reg HKLM\SOFTWARE\Classes\Installer\UpgradeCodes\A5CC11110F5B69B4777712312266467C@F6071111A6667304777712318267D401 Reg HKLM\SOFTWARE\Classes\Interface\{7251A919-9E21-4D7D-BA7B-18E31DFA83C0} Reg HKLM\SOFTWARE\Classes\Interface\{7251A919-9E21-4D7D-BA7B-18E31DFA83C0}@ IInternetProgramBHO Reg HKLM\SOFTWARE\Classes\Interface\{7251A919-9E21-4D7D-BA7B-18E31DFA83C0}\ProxyStubClsid Reg HKLM\SOFTWARE\Classes\Interface\{7251A919-9E21-4D7D-BA7B-18E31DFA83C0}\ProxyStubClsid@ {00020424-0000-0000-C000-000000000046} Reg HKLM\SOFTWARE\Classes\Interface\{7251A919-9E21-4D7D-BA7B-18E31DFA83C0}\ProxyStubClsid32 Reg HKLM\SOFTWARE\Classes\Interface\{7251A919-9E21-4D7D-BA7B-18E31DFA83C0}\ProxyStubClsid32@ {00020424-0000-0000-C000-000000000046} Reg HKLM\SOFTWARE\Classes\Interface\{7251A919-9E21-4D7D-BA7B-18E31DFA83C0}\TypeLib Reg HKLM\SOFTWARE\Classes\Interface\{7251A919-9E21-4D7D-BA7B-18E31DFA83C0}\TypeLib@ {91462CED-876D-4A7D-8528-2D7B463463F7} Reg HKLM\SOFTWARE\Classes\Interface\{7251A919-9E21-4D7D-BA7B-18E31DFA83C0}\TypeLib@Version 1.0 Reg HKLM\SOFTWARE\Classes\JavaWebStart.isInstalled@ isInstalled Class Reg HKLM\SOFTWARE\Classes\JavaWebStart.isInstalled\CLSID Reg HKLM\SOFTWARE\Classes\JavaWebStart.isInstalled\CLSID@ {5852F5ED-8BF4-11D4-A245-0080C6F74284} Reg HKLM\SOFTWARE\Classes\JavaWebStart.isInstalled\CurVer Reg HKLM\SOFTWARE\Classes\JavaWebStart.isInstalled\CurVer@ JavaWebStart.isInstalled.1.7.0.0 Reg HKLM\SOFTWARE\Classes\JavaWebStart.isInstalled.1.7.0.0@ isInstalled Class Reg HKLM\SOFTWARE\Classes\JavaWebStart.isInstalled.1.7.0.0\CLSID Reg HKLM\SOFTWARE\Classes\JavaWebStart.isInstalled.1.7.0.0\CLSID@ {5852F5ED-8BF4-11D4-A245-0080C6F74284} Reg HKLM\SOFTWARE\Classes\JNLPFile@EditFlags 65536 Reg HKLM\SOFTWARE\Classes\JNLPFile\Shell Reg HKLM\SOFTWARE\Classes\JNLPFile\Shell\Open Reg HKLM\SOFTWARE\Classes\JNLPFile\Shell\Open@ &Launch Reg HKLM\SOFTWARE\Classes\JNLPFile\Shell\Open\Command Reg HKLM\SOFTWARE\Classes\JNLPFile\Shell\Open\Command@ "C:\Program Files\Oracle\JavaFX 2.1 Runtime\bin\javaws.exe" "%1" Reg HKLM\SOFTWARE\Classes\TypeLib\{91462CED-876D-4A7D-8528-2D7B463463F7} Reg HKLM\SOFTWARE\Classes\TypeLib\{91462CED-876D-4A7D-8528-2D7B463463F7}\1.0 Reg HKLM\SOFTWARE\Classes\TypeLib\{91462CED-876D-4A7D-8528-2D7B463463F7}\1.0@ InternetProgramIEClientLib Reg HKLM\SOFTWARE\Classes\TypeLib\{91462CED-876D-4A7D-8528-2D7B463463F7}\1.0\0 Reg HKLM\SOFTWARE\Classes\TypeLib\{91462CED-876D-4A7D-8528-2D7B463463F7}\1.0\0\win32 Reg HKLM\SOFTWARE\Classes\TypeLib\{91462CED-876D-4A7D-8528-2D7B463463F7}\1.0\0\win32@ C:\Program Files\Internet Program\Extensions\ff0021ad-2cc3-4e0d-8e3c-b4153a64a495.dll Reg HKLM\SOFTWARE\Classes\TypeLib\{91462CED-876D-4A7D-8528-2D7B463463F7}\1.0\FLAGS Reg HKLM\SOFTWARE\Classes\TypeLib\{91462CED-876D-4A7D-8528-2D7B463463F7}\1.0\FLAGS@ 0 Reg HKLM\SOFTWARE\Classes\TypeLib\{91462CED-876D-4A7D-8528-2D7B463463F7}\1.0\HELPDIR Reg HKLM\SOFTWARE\Classes\TypeLib\{91462CED-876D-4A7D-8528-2D7B463463F7}\1.0\HELPDIR@ C:\Program Files\Internet Program\Extensions Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3\Shell@MinPos1680x1050(1).x -1 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\3\Shell@MinPos1680x1050(1).y -1 ---- EOF - GMER 2.1 ----