GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-05-20 02:02:03 Windows 5.1.2600 Service Pack 3 Running: gmer.exe; Driver: C:\DOCUME~1\Tony\LOCALS~1\Temp\kgliypob.sys ---- System - GMER 1.0.15 ---- SSDT spbl.sys ZwCreateKey [0xF73680E0] SSDT spbl.sys ZwEnumerateKey [0xF7386CA2] SSDT spbl.sys ZwEnumerateValueKey [0xF7387030] SSDT spbl.sys ZwOpenKey [0xF73680C0] SSDT spbl.sys ZwQueryKey [0xF7387108] SSDT spbl.sys ZwQueryValueKey [0xF7386F88] SSDT spbl.sys ZwSetValueKey [0xF738719A] INT 0x62 ? 85F8ABF8 INT 0x63 ? 85F2FBF8 INT 0x81 ? 85F8FBF8 INT 0x82 ? 85F8ABF8 INT 0xB4 ? 85F2FBF8 ---- Kernel code sections - GMER 1.0.15 ---- ? spbl.sys The system cannot find the file specified. ! .text USBPORT.SYS!DllUnload F71268AC 5 Bytes JMP 85F2F1D8 ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[268] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 03FA27A0 C:\Program Files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabKernel.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[268] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 03FA36F0 C:\Program Files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabKernel.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[268] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 03FA33B0 C:\Program Files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabKernel.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[268] WS2_32.dll!WSAConnect 71AC0C81 5 Bytes JMP 03FA28D0 C:\Program Files\Orbitdownloader\addons\OneClickYouTubeDownloader\components\GrabKernel.dll .text C:\WINDOWS\Explorer.EXE[776] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 018DFC69 C:\PROGRA~1\PDFCON~1\PDFCON~2.DLL .text C:\WINDOWS\Explorer.EXE[776] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 01332862 .text C:\WINDOWS\Explorer.EXE[776] WS2_32.dll!send 71AB4C27 5 Bytes JMP 013326EE .text C:\WINDOWS\Explorer.EXE[776] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 013327E0 .text C:\WINDOWS\Explorer.EXE[776] WS2_32.dll!recv 71AB676F 5 Bytes JMP 01332726 .text C:\WINDOWS\Explorer.EXE[776] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 0133275E .text C:\WINDOWS\Explorer.EXE[1864] WS2_32.dll!closesocket 71AB3E2B 5 Bytes JMP 00D22862 .text C:\WINDOWS\Explorer.EXE[1864] WS2_32.dll!send 71AB4C27 5 Bytes JMP 00D226EE .text C:\WINDOWS\Explorer.EXE[1864] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 00D227E0 .text C:\WINDOWS\Explorer.EXE[1864] WS2_32.dll!recv 71AB676F 5 Bytes JMP 00D22726 .text C:\WINDOWS\Explorer.EXE[1864] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 00D2275E ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs 85F881F8 AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\ACPI \Device\00000040 85C11AA8 Device \Driver\ACPI \Device\00000043 85C11AA8 Device \Driver\usbehci \Device\USBPDO-0 85EAD500 Device \Driver\usbohci \Device\USBPDO-1 85F2E1F8 Device \Driver\usbohci \Device\USBPDO-2 85F2E1F8 Device \Driver\ACPI \Device\00000054 85C11AA8 Device \Driver\ACPI \Device\00000047 85C11AA8 Device \Driver\ACPI \Device\00000048 85C11AA8 AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\ACPI \Device\00000049 85C11AA8 Device \Driver\Ftdisk \Device\HarddiskVolume1 85F8B1F8 Device \Driver\ACPI \Device\00000058 85C11AA8 Device \Driver\Ftdisk \Device\HarddiskVolume2 85F8B1F8 Device \Driver\Cdrom \Device\CdRom0 85F321F8 Device \Driver\ACPI \Device\00000059 85C11AA8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F72C4B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F72C4B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F72C4B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F72C4B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 85DB91F8 Device \Driver\ACPI \Device\0000004a 85C11AA8 Device \Driver\NetBT \Device\NetbiosSmb 85DB91F8 Device \Driver\ACPI \Device\0000005a 85C11AA8 Device \Driver\ACPI \Device\0000005b 85C11AA8 AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.) Device \Driver\NetBT \Device\NetBT_Tcpip_{DCE0AAE8-FC8C-4720-A82E-9BD83995B26D} 85DB91F8 Device \Driver\usbohci \Device\USBFDO-0 85F2E1F8 Device \Driver\ACPI \Device\0000006c 85C11AA8 Device \Driver\usbohci \Device\USBFDO-1 85F2E1F8 Device \Driver\ACPI \Device\0000006d 85C11AA8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 85DAA1F8 Device \Driver\usbehci \Device\USBFDO-2 85EAD500 Device \FileSystem\MRxSmb \Device\LanmanRedirector 85DAA1F8 Device \Driver\Ftdisk \Device\FtControl 85F8B1F8 Device \Driver\SMSCMS \Device\Scsi\SMSCMS1Port2Path0Target0Lun0 85EC51F8 Device \Driver\SMSCMS \Device\Scsi\SMSCMS1 85EC51F8 Device \FileSystem\Cdfs \Cdfs 85C761F8 ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158300bac7 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158300bac7@001a75b5e18a 0x21 0x56 0x3C 0xF7 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBA 0x60 0xA4 0x6E ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBA 0x60 0xA4 0x6E ... Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00158300bac7 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\BTHPORT\Parameters\Keys\00158300bac7@001a75b5e18a 0x21 0x56 0x3C 0xF7 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xBA 0x60 0xA4 0x6E ... ---- EOF - GMER 1.0.15 ----