GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-19 20:02:30
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11
Running: gmer.exe; Driver: C:\Users\Damien\AppData\Local\Temp\fwpcrpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwSaveKey + 13D1                                      82E43369 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2                             82E7CD52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\ESET\ESET Smart Security\ekrn.exe[304] kernel32.dll!SetUnhandledExceptionFilter                  7791F4FB 4 Bytes  [C2, 04, 00, 00]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[6216] ntdll.dll!LdrLoadDll                                            77DC223E 5 Bytes  JMP 5BAE9720 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[6216] kernel32.dll!MapViewOfFile                                      779193DB 5 Bytes  JMP 5BD1E1F4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[6216] kernel32.dll!VirtualAlloc                                       7791C43A 5 Bytes  JMP 5BD1E21B C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[6216] GDI32.dll!CreateDIBSection                                      77EA8850 5 Bytes  JMP 5BD1E17E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[10300] kernel32.dll!SetUnhandledExceptionFilter             7791F4FB 5 Bytes  JMP 57BD50B8 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text  C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[10300] ole32.dll!OleLoadFromStream                          77A66143 5 Bytes  JMP 5869EAC8 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[10560] USER32.dll!SetWindowLongA                             76478BA3 5 Bytes  JMP 5BE875F7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[10560] USER32.dll!SetWindowLongW                             76484449 5 Bytes  JMP 5BE87589 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[10560] USER32.dll!GetWindowInfo                              76484B5E 5 Bytes  JMP 5BC5FE0A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[10560] USER32.dll!TrackPopupMenu                             76492228 5 Bytes  JMP 5BC603C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\system32\RunDll32.exe[2820] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]                [75E2FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Windows\system32\RunDll32.exe[2820] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]                 [75E2FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Windows\system32\RunDll32.exe[2820] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]               [75E2FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Windows\system32\RunDll32.exe[2820] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress]               [75E2FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Windows\system32\RunDll32.exe[2820] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]              [75E2FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Windows\system32\RunDll32.exe[2820] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress]               [75E2FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[10300] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [75E2FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[10300] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]     [75E2FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[10300] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]    [75E2FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[10300] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]   [75E2FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[10300] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress]   [75E2FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT  C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[10300] @ C:\Windows\system32\Secur32.dll [KERNEL32.dll!GetProcAddress]   [75E2FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device          \Driver\ACPI_HAL \Device\00000053                                                                        halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume7                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume8                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                                                                                 fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe2f1d8c1
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe2f1d8c1@f40b93870a31                            0xFA 0x9B 0xCF 0x20 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe2f1d8c1@0022fdb761bf                            0x18 0xB6 0xF2 0xC8 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001fe2f1d8c1@d023db2832a5                            0x76 0xAC 0xAE 0xAC ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\4c-17-eb-5c-6d-05@ClientLocalPort              61439
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Teredo\PreviousState\4c-17-eb-5c-6d-05@TeredoAddress                2001:0:5ef5:73b8:1865:1000:a1f4:c217
Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch                                                     7041
Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch                                                    3339
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe2f1d8c1 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe2f1d8c1@f40b93870a31                                0xFA 0x9B 0xCF 0x20 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe2f1d8c1@0022fdb761bf                                0x18 0xB6 0xF2 0xC8 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001fe2f1d8c1@d023db2832a5                                0x76 0xAC 0xAE 0xAC ...

---- EOF - GMER 1.0.15 ----