GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-12-25 13:33:31
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500DM002-1BD142 rev.KC45
Running: uc82niwp.exe; Driver: C:\Users\xxx\AppData\Local\Temp\uxriqpow.sys


---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0xA4FB4004]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0xA4FB40D4]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0xA4FB3D76]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0xA4FB3E1E]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0xA4FB3EBA]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0xA4FB3F56]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwRollbackTransaction + 13E9 8325E599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83283092 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 4A0 8328AAF0 8 Bytes [04, 40, FB, A4, D4, 40, FB, ...] {ADD AL, 0x40; STI ; MOVSB ; AAM 0x40; STI ; MOVSB }
.text ntkrnlpa.exe!RtlSidHashLookup + 4E8 8328AB38 4 Bytes [76, 3D, FB, A4] {JBE 0x3f; STI ; MOVSB }
.text ntkrnlpa.exe!RtlSidHashLookup + 7B8 8328AE08 8 Bytes [1E, 3E, FB, A4, BA, 3E, FB, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 82C 8328AE7C 4 Bytes [56, 3F, FB, A4] {PUSH ESI; AAS ; STI ; MOVSB }
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA4FB6300, 0x1BCE, 0xE8000020]
? C:\Users\xxx\AppData\Local\Temp\ALSysIO.sys Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!CharToOemA + 3A 76CEB1DE 7 Bytes JMP 5FF732C0 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!AdjustWindowRectEx + 117 76CF660F 7 Bytes JMP 5FF7324F C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!GetWindowInfo 76CF6A82 5 Bytes JMP 5FDBA8A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2100] USER32.dll!MenuItemFromPoint + F 76D14B36 7 Bytes JMP 5FDBAED5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3828] ntdll.dll!wcsncmp + 33B 7771F420 7 Bytes JMP 5FC54470 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3828] kernel32.dll!K32GetDeviceDriverBaseNameW + 16F 7544C057 7 Bytes JMP 5FEA0459 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3828] kernel32.dll!CloseHandle + 38 7545058F 7 Bytes JMP 5FEA047C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3828] kernel32.dll!GetExitCodeProcess + 2C 754530DD 1 Byte [E9]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3828] kernel32.dll!GetExitCodeProcess + 2C 754530DD 7 Bytes JMP 5FC5F972 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3828] USER32.dll!GetWindowInfo 76CF6A82 5 Bytes JMP 5FDC2157 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3828] GDI32.dll!GetViewportOrgEx + 21C 76B785EB 7 Bytes JMP 5FEA03DA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\system32\HPSIsvc.exe[2080] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\HPSIsvc.exe[2080] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\HPSIsvc.exe[2080] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\HPSIsvc.exe[2080] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\HPSIsvc.exe[2080] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\system32\HPSIsvc.exe[2080] @ C:\Windows\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2252] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2252] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2252] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2252] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[2252] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3472] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3472] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3472] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3472] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[3472] @ C:\Windows\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[4232] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[4232] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[4232] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[4232] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74E55E25] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [73C224FA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [73C0565B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [73C05719] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [73C22575] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [73C185D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [73C14D8D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [73C15134] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [73C15209] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73C16736] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [73C18330] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [73C1887F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [73C190E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [73C1E283] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\explorer.exe[4516] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [73C14CBF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )
Device \Driver\usbehci \Device\USBPDO-0 hcmon.sys
Device \Driver\usbehci \Device\USBPDO-1 hcmon.sys
Device \Driver\usbhub \Device\USBPDO-2 hcmon.sys
Device \Driver\usbhub \Device\USBPDO-3 hcmon.sys
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbhub \Device\USBPDO-5 hcmon.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\usbhub \Device\USBPDO-7 hcmon.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\0000005c halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
Device \Driver\usbhub \Device\00000088 hcmon.sys
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\usbehci \Device\USBFDO-0 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-1 hcmon.sys
Device \Driver\usbhub \Device\0000007c hcmon.sys
Device \Driver\usbhub \Device\0000007d hcmon.sys
Device \Driver\usbhub \Device\0000008d hcmon.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)
AttachedDevice \FileSystem\fastfat \Fat avgidsfilterx.sys (IDS Application Activity Monitor Filter Driver./AVG Technologies CZ, s.r.o. )

---- Files - GMER 1.0.15 ----

File C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4IWWUYTX\fwlink[2].htm 0 bytes
File C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4IWWUYTX\footer_650x190[3] 0 bytes
File C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\4IWWUYTX\avatarCAMQK70A.jpg 937 bytes
File C:\Users\xxx\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\FI0YBJ55\skypehome%2Findex[4] 0 bytes

---- EOF - GMER 1.0.15 ----