GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-09-05 17:05:53
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-2 ST3160815AS rev.3.AAD 149,05GB
Running: 6byqxb08.exe; Driver: C:\Users\AS-BUD\AppData\Local\Temp\fgrdypoc.sys

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82E87A15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EC1212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Opera\opera.exe[2672] ntdll.dll!NtQueryInformationProcess 77026088 5 Bytes JMP 009F42F5
.text C:\Program Files\Opera\opera.exe[2672] USER32.dll!DrawTextExW 76AC5894 5 Bytes JMP 009F96DD
.text C:\Program Files\Opera\opera.exe[2672] USER32.dll!DrawTextW 76AC5B6A 5 Bytes JMP 009F951B
.text C:\Program Files\Opera\opera.exe[2672] USER32.dll!SetClipboardData 76AD2962 5 Bytes JMP 009F9191
.text C:\Program Files\Opera\opera.exe[2672] USER32.dll!DialogBoxParamW 76AD3B9B 5 Bytes JMP 009F8131
.text C:\Program Files\Opera\opera.exe[2672] USER32.dll!DrawTextA 76ADAE29 5 Bytes JMP 009F9440
.text C:\Program Files\Opera\opera.exe[2672] USER32.dll!DrawTextExA 76ADAE60 5 Bytes JMP 009F95F6
.text C:\Program Files\Opera\opera.exe[2672] GDI32.dll!ExtTextOutW 76F98192 5 Bytes JMP 009F98A8
.text C:\Program Files\Opera\opera.exe[2672] GDI32.dll!GetGlyphIndicesW 76F9B78F 5 Bytes JMP 009F9D35
.text C:\Program Files\Opera\opera.exe[2672] GDI32.dll!TextOutW 76F9FDE4 5 Bytes JMP 009F9374
.text C:\Program Files\Opera\opera.exe[2672] GDI32.dll!ExtTextOutA 76FA03F9 5 Bytes JMP 009F97C4
.text C:\Program Files\Opera\opera.exe[2672] GDI32.dll!TextOutA 76FA077D 5 Bytes JMP 009F92A8
.text C:\Program Files\Opera\opera.exe[2672] GDI32.dll!GetGlyphIndicesA 76FBBB6A 5 Bytes JMP 009F9C68
.text C:\Program Files\Opera\opera.exe[2672] WS2_32.dll!closesocket 76B93918 5 Bytes JMP 009F90D7
.text C:\Program Files\Opera\opera.exe[2672] WS2_32.dll!getaddrinfo 76B94296 5 Bytes JMP 009F7CA4
.text C:\Program Files\Opera\opera.exe[2672] WS2_32.dll!WSASend 76B94406 5 Bytes JMP 009F8D86
.text C:\Program Files\Opera\opera.exe[2672] WS2_32.dll!GetAddrInfoW 76B94889 5 Bytes JMP 009F7D84
.text C:\Program Files\Opera\opera.exe[2672] WS2_32.dll!recv 76B96B0E 5 Bytes JMP 009F8CC4
.text C:\Program Files\Opera\opera.exe[2672] WS2_32.dll!send 76B96F01 5 Bytes JMP 009F8C0B
.text C:\Program Files\Opera\opera.exe[2672] WS2_32.dll!WSARecv 76B97089 5 Bytes JMP 009F8E5A
.text C:\Program Files\Opera\opera.exe[2672] WS2_32.dll!WSAAsyncGetHostByName 76BA726A 5 Bytes JMP 009F8052
.text C:\Program Files\Opera\opera.exe[2672] WS2_32.dll!gethostbyname 76BA7673 5 Bytes JMP 009F7BE3
.text C:\Program Files\Opera\opera.exe[2672] WININET.dll!InternetCrackUrlW 7676AA91 5 Bytes JMP 009F9FFB
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[4464] USER32.dll!RegisterMessagePumpHook + 2F1 76AB8B9E 7 Bytes JMP 10053C10 C:\Program Files\Sony\Sony PC Companion\NewUI.dll
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[4464] USER32.dll!PostMessageW + 43A 76AC48B5 7 Bytes JMP 10053AC0 C:\Program Files\Sony\Sony PC Companion\NewUI.dll
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[4464] USER32.dll!SetDlgItemTextA + 25 76AD709F 7 Bytes JMP 10053BF0 C:\Program Files\Sony\Sony PC Companion\NewUI.dll
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[4464] USER32.dll!MessageBoxIndirectA + F5 76B0E95E 7 Bytes JMP 10053C60 C:\Program Files\Sony\Sony PC Companion\NewUI.dll
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[4464] USER32.dll!MessageBoxIndirectW + 61 76B0E9C4 7 Bytes JMP 10053D30 C:\Program Files\Sony\Sony PC Companion\NewUI.dll
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[4464] USER32.dll!MessageBoxExA + 1F 76B0E9E8 7 Bytes JMP 10053CE0 C:\Program Files\Sony\Sony PC Companion\NewUI.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4668] ntdll.dll!LdrGetProcedureAddress + 26 770422A9 7 Bytes JMP 5909F70F C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4668] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 7717941E 7 Bytes JMP 59B4419C C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4668] kernel32.dll!QueryPerformanceCounter + 13 7717C435 7 Bytes JMP 59B44154 C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4668] kernel32.dll!LoadAppInitDlls + 355 7717F4F6 7 Bytes JMP 590A1774 C:\Program Files\Mozilla Thunderbird\xul.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4668] GDI32.dll!GetViewportOrgEx + 26C 76F9884B 7 Bytes JMP 59B441C3 C:\Program Files\Mozilla Thunderbird\xul.dll

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[5680] @ C:\Windows\Explorer.EXE [KERNEL32.dll!GetProcAddress] [74F5FFF6] C:\Windows\system32\apphelp.dll

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- EOF - GMER 2.1 ----
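The user-mode lines in a GMER log carry one detail that decides what to look at first: when the JMP target lies inside a loaded image, GMER appends that image's path (here xul.dll, NewUI.dll and apphelp.dll); when it does not, the line ends at the bare target address, as on every opera.exe entry above, which means the detour lands in memory that belongs to no mapped module. The script below is an added triage aid, not part of this log and not GMER's own code: it parses the "User code sections" and "User IAT/EAT" blocks using the column layout seen in this scan (the regexes are assumptions derived from these lines, not a documented GMER grammar), groups hooks per process, separates resolved targets from unresolved ones, and reports the address range the unresolved targets fall in. The sample input is a constructed excerpt copied from the scan above.

```python
"""Triage helper for GMER 2.1 user-mode hook listings (added example)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional

# Inline detour inside a process. Layout assumed from this log:
# .text <process>[<pid>] <module>!<export> [+ <off>] <addr> <n> Bytes JMP <target> [<target image>]
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<mod>[^!\s]+)!(?P<func>\S+)(?:\s+\+\s+(?P<off>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+\d+\s+Bytes?\s+JMP\s+(?P<target>[0-9A-Fa-f]{8})"
    r"(?:\s+(?P<target_mod>\S.*))?$"
)
# Import-table redirection. Layout assumed from this log:
# IAT <process>[<pid>] @ <image> [<module>!<export>] [<target>] [<target image>]
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+@\s+\S.*?\s+"
    r"\[(?P<mod>[^!\]]+)!(?P<func>[^\]]+)\]\s+\[(?P<target>[0-9A-Fa-f]{8})\]"
    r"(?:\s+(?P<target_mod>\S.*))?$"
)
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER")


@dataclass(frozen=True)
class Hook:
    kind: str                    # "inline" or "iat"
    process: str
    pid: int
    hooked: str                  # "module!export", with "+off" when GMER reported one
    target: int
    target_module: Optional[str]  # None when GMER printed no image for the target

    @property
    def resolved(self) -> bool:
        return self.target_module is not None


def parse_gmer(text: str) -> list[Hook]:
    """Return every user-mode hook in a GMER log; kernel and device lines are skipped."""
    hooks: list[Hook] = []
    section = ""
    for raw in text.splitlines():
        line = raw.strip()
        if (m := SECTION_RE.match(line)):
            section = m["name"]           # gate parsing on the section header
            continue
        if section.startswith("User code") and (m := INLINE_RE.match(line)):
            hooked = f"{m['mod']}!{m['func']}" + (f"+{m['off']}" if m["off"] else "")
            hooks.append(Hook("inline", m["proc"], int(m["pid"]), hooked,
                              int(m["target"], 16), m["target_mod"]))
        elif section.startswith("User IAT") and (m := IAT_RE.match(line)):
            hooks.append(Hook("iat", m["proc"], int(m["pid"]), f"{m['mod']}!{m['func']}",
                              int(m["target"], 16), m["target_mod"]))
    return hooks


def triage(hooks: list[Hook]) -> dict[str, dict]:
    """Per process: image names the detours resolve to, and hooked exports whose
    target GMER could not attribute to any loaded image."""
    out: dict[str, dict] = defaultdict(lambda: {"resolved_to": set(), "unresolved": []})
    for h in hooks:
        key = f"{h.process}[{h.pid}]"
        if h.resolved:
            out[key]["resolved_to"].add(h.target_module.rsplit("\\", 1)[-1])
        else:
            out[key]["unresolved"].append(h.hooked)
    return dict(out)


def unresolved_span(hooks: list[Hook]) -> dict[str, tuple[int, int]]:
    """Lowest and highest unresolved JMP target per process. Targets packed into
    one small range point at a single code blob to dump from the live process."""
    spans: dict[str, tuple[int, int]] = {}
    for h in hooks:
        if h.resolved:
            continue
        key = f"{h.process}[{h.pid}]"
        lo, hi = spans.get(key, (h.target, h.target))
        spans[key] = (min(lo, h.target), max(hi, h.target))
    return spans


# Constructed excerpt: a subset of the lines from the scan above.
SAMPLE_LOG = r"""
GMER 2.1.19163 - http://www.gmer.net
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82E87A15 1 Byte [06]
---- User code sections - GMER 2.1 ----
.text C:\Program Files\Opera\opera.exe[2672] ntdll.dll!NtQueryInformationProcess 77026088 5 Bytes JMP 009F42F5
.text C:\Program Files\Opera\opera.exe[2672] WS2_32.dll!WSASend 76B94406 5 Bytes JMP 009F8D86
.text C:\Program Files\Opera\opera.exe[2672] WININET.dll!InternetCrackUrlW 7676AA91 5 Bytes JMP 009F9FFB
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[4464] USER32.dll!RegisterMessagePumpHook + 2F1 76AB8B9E 7 Bytes JMP 10053C10 C:\Program Files\Sony\Sony PC Companion\NewUI.dll
.text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[4668] ntdll.dll!LdrGetProcedureAddress + 26 770422A9 7 Bytes JMP 5909F70F C:\Program Files\Mozilla Thunderbird\xul.dll
---- User IAT/EAT - GMER 2.1 ----
IAT C:\Windows\Explorer.EXE[5680] @ C:\Windows\Explorer.EXE [KERNEL32.dll!GetProcAddress] [74F5FFF6] C:\Windows\system32\apphelp.dll
---- Devices - GMER 2.1 ----
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys
---- EOF - GMER 2.1 ----
"""

if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LOG)
    spans = unresolved_span(found)
    for proc, info in triage(found).items():
        print(proc)
        print("  resolved to:", sorted(info["resolved_to"]) or "-")
        if info["unresolved"]:
            lo, hi = spans[proc]
            print(f"  unresolved ({len(info['unresolved'])}) in {lo:08X}-{hi:08X}:",
                  ", ".join(info["unresolved"]))
```

An unresolved target is a lead, not a verdict: security products and some browser add-ons also inject code that no image name covers, so the region the script reports (for opera.exe, roughly 009F42F5 to 009F9FFB in this log) still has to be dumped from the running process and inspected before anything is called a rootkit. A "+ offset" in the hooked column means GMER found the patch inside the function body rather than at the export's entry and reports it relative to the nearest export; the resolved image name is still the first thing to check.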