GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-05 03:13:51 Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e SAMSUNG_HD250HJ rev.FH100-05 232,89GB Running: fv005fbo.exe; Driver: C:\DOCUME~1\Jarek\USTAWI~1\Temp\kwrdakog.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[1892] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 10001FFD C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1892] kernel32.dll!lstrlenW + 43 7C809A7C 7 Bytes JMP 01B10455 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1892] kernel32.dll!MapViewOfFileEx + 6A 7C80B788 7 Bytes JMP 01B1049D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1892] kernel32.dll!lstrcpyn + 70 7C810381 7 Bytes JMP 01725A06 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1892] GDI32.dll!SetWindowOrgEx + 15E 77F1960B 7 Bytes JMP 01B104C4 C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\Explorer.EXE [msvcrt.dll!_itow] [77C0C392] C:\WINDOWS\system32\msvcrt.dll IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\Explorer.EXE [msvcrt.dll!free] [77C1C21B] C:\WINDOWS\system32\msvcrt.dll IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\Explorer.EXE [msvcrt.dll!memmove] [77C372B0] C:\WINDOWS\system32\msvcrt.dll IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\Explorer.EXE [msvcrt.dll!realloc] [77C1C437] C:\WINDOWS\system32\msvcrt.dll IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\Explorer.EXE [msvcrt.dll!_except_handler3] [77C25C94] C:\WINDOWS\system32\msvcrt.dll IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\Explorer.EXE [msvcrt.dll!malloc] [77C1C407] C:\WINDOWS\system32\msvcrt.dll IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\Explorer.EXE [msvcrt.dll!_ftol] [77C3FA10] C:\WINDOWS\system32\msvcrt.dll IAT C:\WINDOWS\Explorer.EXE[1560] @ C:\WINDOWS\Explorer.EXE [msvcrt.dll!_vsnwprintf] [77C2FFE7] C:\WINDOWS\system32\msvcrt.dll ---- Devices - GMER 2.1 ---- Device \Driver\ACPI \Device\00000050 ntoskrnl.exe Device \Driver\ACPI \Device\00000051 ntoskrnl.exe AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys Device \Driver\ACPI \Device\00000071 ntoskrnl.exe Device \Driver\ACPI \Device\00000064 ntoskrnl.exe Device \Driver\ACPI \Device\00000058 ntoskrnl.exe Device \Driver\ACPI \Device\00000072 ntoskrnl.exe Device \Driver\ACPI \Device\00000059 ntoskrnl.exe Device \Driver\ACPI \Device\00000073 ntoskrnl.exe Device \Driver\ACPI \Device\00000074 ntoskrnl.exe Device \Driver\ACPI \Device\00000077 ntoskrnl.exe Device \Driver\ACPI \Device\00000078 ntoskrnl.exe Device \Driver\ACPI \Device\0000005a ntoskrnl.exe Device \Driver\ACPI \Device\0000005b ntoskrnl.exe Device \Driver\ACPI \Device\0000005c ntoskrnl.exe Device \Driver\ACPI \Device\0000005d ntoskrnl.exe Device \Driver\ACPI \Device\0000006b ntoskrnl.exe ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA1 0x8F 0x8E 0xD0 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x5D 0xBD 0x80 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB1 0x7C 0x36 0xAF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x22 0xA6 0x02 0x28 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xF2 0x8C 0xC3 0xFB ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xE6 0x00 0xB3 0x9C ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xA1 0x8F 0x8E 0xD0 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Pro\ Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xD2 0x5D 0xBD 0x80 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xB1 0x7C 0x36 0xAF ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002@hdf12 0x22 0xA6 0x02 0x28 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq0@hdf12 0xF2 0x8C 0xC3 0xFB ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000002\gdq1@hdf12 0xE6 0x00 0xB3 0x9C ...