GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-12-11 21:20:18 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.LH01 298,09GB Running: gmer.exe; Driver: C:\Users\moj\AppData\Local\Temp\fxldypow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwAlpcConnectPort [0x91EE9914] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwAlpcCreatePort [0x91EEA1E2] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwConnectPort [0x91EE936A] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateFile [0x91EE2CA2] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateKey [0x91F045F2] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreatePort [0x91EE9E74] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateProcess [0x91EFE4D0] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateProcessEx [0x91EFE8F8] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateSection [0x91F08C8A] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8C1AB7F0] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateUserProcess [0x91EFED6C] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwCreateWaitablePort [0x91EE9FD2] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwDeleteFile [0x91EE39DE] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwDeleteKey [0x91F06048] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwDeleteValueKey [0x91F0595E] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwDuplicateObject [0x91EFD2B0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8C1AB8B0] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwLoadKey [0x91F06A16] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwLoadKey2 [0x91F06C54] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwLoadKeyEx [0x91F07106] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwMapViewOfSection [0x91F09048] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwOpenFile [0x91EE3590] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwOpenProcess [0x91F009EC] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwOpenThread [0x91F005DA] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwRenameKey [0x91F07AEE] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwReplaceKey [0x91F073D0] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwRequestWaitReplyPort [0x91EE8F0E] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwRestoreKey [0x91F08554] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSecureConnectPort [0x91EE9636] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSetInformationFile [0x91EE3DEA] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSetSecurityObject [0x91F08078] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8C1AB870] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSetValueKey [0x91F050B8] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwSystemDebugControl [0x91EFF5F6] SSDT \SystemRoot\system32\DRIVERS\vsdatant.sys ZwTerminateProcess [0x91EFF326] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 83646A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83680212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 83687494 8 Bytes [14, 99, EE, 91, E2, A1, EE, ...] {ADC AL, 0x99; OUT DX, AL; XCHG ECX, EAX; LOOP 0xffffffa7; OUT DX, AL; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 1193 83687528 4 Bytes [6A, 93, EE, 91] {PUSH -0x6d; OUT DX, AL; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 11AF 83687544 4 Bytes [A2, 2C, EE, 91] .text ntkrnlpa.exe!KeRemoveQueueEx + 11BF 83687554 4 Bytes [F2, 45, F0, 91] {INC EBP; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 11DB 83687570 4 Bytes [74, 9E, EE, 91] {JZ 0xffffffa0; OUT DX, AL; XCHG ECX, EAX} .text ... ? C:\windows\System32\Drivers\SafeBoot.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. .text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92634000, 0x2FC146, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[864] ntdll.dll!NtAccessCheckByType 77C15218 5 Bytes JMP 20CB8791 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[864] ntdll.dll!NtAlpcImpersonateClientOfPort 77C153F8 5 Bytes JMP 20CB8DD9 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[864] ntdll.dll!NtImpersonateClientOfPort 77C15B08 5 Bytes JMP 20CB8D58 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[864] ntdll.dll!NtSetInformationProcess 77C166B8 5 Bytes JMP 20CB89AB C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[864] kernel32.dll!OpenProcess 77D654E7 5 Bytes JMP 20CB846C C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[864] kernel32.dll!SetUnhandledExceptionFilter 77D6F4EB 5 Bytes JMP 209F37DD C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWDMP.dll .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[864] ADVAPI32.dll!SetThreadToken 7748C76E 5 Bytes JMP 20CB9036 C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll .text C:\Program Files\CheckPoint\ZAForceField\ForceField.exe[864] ADVAPI32.dll!ImpersonateNamedPipeClient 774C3475 5 Bytes JMP 20CB8E5D C:\Program Files\CheckPoint\ZAForceField\Plugins\ISWSHEX.dll .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2364] kernel32.dll!SetUnhandledExceptionFilter 77D6F4EB 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Autodesk\Autodesk Sync\AdSync.exe[4740] kernel32.dll!SetUnhandledExceptionFilter 77D6F4EB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp mfetdik.sys AttachedDevice \Driver\tdx \Device\Udp mfetdik.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\70f39522908f (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x0D 0x09 0xFB 0x5D ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0xA0 0x02 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x0C 0xCF 0xE5 0xC6 ... Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x07 0xF0 0xCC 0x9A ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f39522908f Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\70f39522908f (not active ControlSet) ---- EOF - GMER 2.1 ----