GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-27 23:56:29
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS723232A7A364 rev.EC2OA60W
Running: eiw0vml4.exe; Driver: C:\Users\Admin\AppData\Local\Temp\pgddypog.sys

---- System - GMER 1.0.15 ----

SSDT 9705326E ZwCreateSection
SSDT 97053278 ZwRequestWaitReplyPort
SSDT 97053273 ZwSetContextThread
SSDT 9705327D ZwSetSecurityObject
SSDT 97053282 ZwSystemDebugControl
SSDT 9705320F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82E4D3C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E86D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 82E8DEAC 4 Bytes [6E, 32, 05, 97]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1553 82E8E208 4 Bytes [78, 32, 05, 97]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1597 82E8E24C 4 Bytes [73, 32, 05, 97]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1613 82E8E2C8 4 Bytes [7D, 32, 05, 97]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 82E8E31C 4 Bytes [82, 32, 05, 97] {XOR BYTE [EDX], 0x5; XCHG EDI, EAX}
.text ...
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9560C000, 0x353030, 0xE8000020]
.text peauth.sys 9E361C9D 28 Bytes [44, 4E, EA, DD, FA, E1, 67, ...]
.text peauth.sys 9E361CC1 28 Bytes [44, 4E, EA, DD, FA, E1, 67, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1660] ntdll.dll!LdrGetProcedureAddress + 26 77672239 7 Bytes JMP 676CB52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1660] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76CC93D6 7 Bytes JMP 6797B6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1660] kernel32.dll!QueryPerformanceCounter + 13 76CCC435 7 Bytes JMP 6797B6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1660] GDI32.dll!GetViewportOrgEx + 26C 75D1884B 7 Bytes JMP 6797B653 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel-Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel-Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume5 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000004c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Threads - GMER 1.0.15 ----

Thread System [4:264] 8C77482E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90004ea4551d
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90004ea4551d (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\542F5C3C-54C4-4478-B412-0C71BE6AD9E4@IPAddress 127.0.0.1

---- EOF - GMER 1.0.15 ----
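Reading this log by hand: the six SSDT entries point at 0x9705xxxx, while every ntkrnlpa.exe address GMER prints lies around 0x82E4xxxx-0x82E8xxxx, so those syscalls are being serviced by code outside the kernel image (the log does not say which driver; the 32-bit kernel's service table lives next to the KeRemoveQueueEx export, which is why GMER labels the table slots that way). The five 4-byte "KeRemoveQueueEx + ..." modifications are not code patches at all: read as little-endian pointers they are exactly the SSDT handler addresses listed above. The script below, an added example that is not part of the original log or of GMER, parses the SSDT and .text lines copied from this log (the regexes and the foreign-address heuristic are my own, not GMER's format specification) and makes that correlation mechanically.

```python
import re

# Lines copied from the GMER log above (the SSDT section and the ntkrnlpa.exe
# .text entries). Not constructed data; the ".text ..." elision is omitted.
GMER_LOG = """\
SSDT 9705326E ZwCreateSection
SSDT 97053278 ZwRequestWaitReplyPort
SSDT 97053273 ZwSetContextThread
SSDT 9705327D ZwSetSecurityObject
SSDT 97053282 ZwSystemDebugControl
SSDT 9705320F ZwTerminateProcess
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82E4D3C9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E86D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 82E8DEAC 4 Bytes [6E, 32, 05, 97]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1553 82E8E208 4 Bytes [78, 32, 05, 97]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1597 82E8E24C 4 Bytes [73, 32, 05, 97]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1613 82E8E2C8 4 Bytes [7D, 32, 05, 97]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 82E8E31C 4 Bytes [82, 32, 05, 97] {XOR BYTE [EDX], 0x5; XCHG EDI, EAX}
"""

# Hypothetical patterns for the two GMER line shapes used here (my assumption
# about the format, derived from the log, not a published grammar).
SSDT_RE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(\w+)")
PATCH_RE = re.compile(
    r"^\.text\s+(\S+)!(\w+)\s+\+\s+([0-9A-F]+)\s+([0-9A-F]{8})\s+(\d+)\s+Bytes?\s+\[([^\]]*)\]"
)


def parse_ssdt(text):
    """Map SSDT handler address -> Zw* name from 'SSDT <addr> <name>' lines."""
    table = {}
    for line in text.splitlines():
        m = SSDT_RE.match(line)
        if m:
            table[int(m.group(1), 16)] = m.group(2)
    return table


def parse_patches(text):
    """Return (module, symbol, offset, address, bytes) per '.text mod!sym + off addr N Bytes [..]' line.

    GMER truncates long dumps with '...'; those bytes are dropped, so len(data)
    may be shorter than the declared count for truncated entries.
    """
    entries = []
    for line in text.splitlines():
        m = PATCH_RE.match(line)
        if not m:
            continue
        raw = [b.strip() for b in m.group(6).split(",")]
        data = bytes(int(b, 16) for b in raw if b and b != "...")
        entries.append((m.group(1), m.group(2), int(m.group(3), 16), int(m.group(4), 16), data))
    return entries


def correlate_ssdt_slots(text):
    """For each 4-byte ntkrnlpa modification, read it as a little-endian pointer
    (x86 is little-endian) and look it up in the SSDT section.

    Returns [(slot_address, pointer, zw_name_or_None)]. A match means the
    'patch' is an overwritten service-table slot, not modified code.
    """
    ssdt = parse_ssdt(text)
    hits = []
    for mod, _sym, _off, addr, data in parse_patches(text):
        if mod == "ntkrnlpa.exe" and len(data) == 4:
            ptr = int.from_bytes(data, "little")
            hits.append((addr, ptr, ssdt.get(ptr)))
    return hits


def foreign_ssdt_handlers(text, slack=0x01000000):
    """SSDT handlers that lie well outside the address range GMER reports for
    ntkrnlpa.exe. The range is only a lower bound on the image size, so
    'slack' (16 MiB, an assumed margin) avoids false positives near its edges.
    """
    kernel_addrs = [a for mod, _s, _o, a, _d in parse_patches(text) if mod == "ntkrnlpa.exe"]
    lo, hi = min(kernel_addrs) - slack, max(kernel_addrs) + slack
    return {name: addr for addr, name in parse_ssdt(text).items() if not lo <= addr <= hi}


if __name__ == "__main__":
    for slot, ptr, name in correlate_ssdt_slots(GMER_LOG):
        print(f"slot {slot:08X} -> {ptr:08X} {name or '(no SSDT line in excerpt)'}")
    for name, addr in sorted(foreign_ssdt_handlers(GMER_LOG).items()):
        print(f"{name} handled at {addr:08X}, outside the kernel image range seen in this log")
```

ZwTerminateProcess (0x9705320F) has no matching slot line in the excerpt; it falls in the ".text ..." elision GMER left in the log, so the script reports five of the six slots. The output tells you which syscalls are redirected and that the targets are not in ntkrnlpa.exe; identifying the owning driver still needs the GMER "Modules" listing or a kernel debugger (`!pool` or `lm` at 0x9705326E), which this log does not include.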