GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-18 10:48:18
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST932032 rev.0003
Running: ub6kcngn.exe; Driver: C:\Users\Ania\AppData\Local\Temp\aftcqaog.sys


---- System - GMER 1.0.15 ----

SSDT  91C20C66  ZwCreateSection
SSDT  91C20C6B  ZwSetContextThread
SSDT  91C20C07  ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwSaveKey + 13D1             8308A369 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2    830C3D52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11F7       830CAEAC 4 Bytes  [66, 0C, C2, 91]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1597       830CB24C 4 Bytes  [6B, 0C, C2, 91] {IMUL ECX, [EDX+EAX*8], 0x91}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 166F       830CB324 4 Bytes  [07, 0C, C2, 91] {POP ES; OR AL, 0xc2; XCHG ECX, EAX}
init   C:\windows\system32\Drivers\OEM05Afx.sys  entry point in "init" section [0x9501D310]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[2076] ntdll.dll!LdrLoadDll                       76DF223E 5 Bytes  JMP 62655B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2076] GDI32.dll!D3DKMTQueryAdapterInfo           760FCB76 5 Bytes  JMP 665C19D0 C:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrap.dll (NVIDIA Compatible NVIDIA d3d9wrap dll, Version 257.43 /NVIDIA Corporation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2076] GDI32.dll!D3DKMTGetDisplayModeList         760FF338 5 Bytes  JMP 665C1950 C:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrap.dll (NVIDIA Compatible NVIDIA d3d9wrap dll, Version 257.43 /NVIDIA Corporation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[4224] USER32.dll!GetWindowInfo          75804B5E 5 Bytes  JMP 627D0924 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[4224] USER32.dll!TrackPopupMenu         75812228 4 Bytes  JMP 627D0ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[4224] GDI32.dll!D3DKMTQueryAdapterInfo  760FCB76 5 Bytes  JMP 665C19D0 C:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrap.dll (NVIDIA Compatible NVIDIA d3d9wrap dll, Version 257.43 /NVIDIA Corporation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[4224] GDI32.dll!D3DKMTGetDisplayModeList  760FF338 5 Bytes  JMP 665C1950 C:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrap.dll (NVIDIA Compatible NVIDIA d3d9wrap dll, Version 257.43 /NVIDIA Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0     Wdf01000.sys (Aparat wykonawczy struktury sterowników trybu jądra/Microsoft Corporation)
Device          \Driver\ACPI_HAL \Device\00000049           halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1      fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1      rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2      fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2      rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3      fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3      rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4      fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4      rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device          \Driver\BTHUSB \Device\00000091             bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation)
Device          \Driver\BTHUSB \Device\00000093             bthport.sys (Sterownik magistrali Bluetooth/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                    fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                    fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c4bd612d43b
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dc7ea17
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c4bd612d43b (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dc7ea17 (not active ControlSet)
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intel® Matrix Storage Manager\Intel® Matrix Storage Console.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel® Matrix Storage Manager\Intel® Matrix Storage Console.lnk  1

---- EOF - GMER 1.0.15 ----