GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-12-31 09:21:07
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST320DM000-1BD14C rev.KC44 298,09GB
Running: 45pfs7r0.exe; Driver: C:\DOCUME~1\Lectra\USTAWI~1\Temp\pxtdrpoc.sys


---- System - GMER 2.1 ----

SSDT \WINDOWS\system32\ntkrnlpa.exe ZwCreateKey [0x804D7FEC]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FEC] ZwCreateKey [0x804D7FEC]
SSDT \WINDOWS\system32\ntkrnlpa.exe ZwOpenKey [0x804D7FF1]
SSDT \WINDOWS\system32\ntkrnlpa.exe[unknown section] [804D7FF1] ZwOpenKey [0x804D7FF1]

INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D7FF6
INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys A789816D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys A7897FC2

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xA7515000, 0x47E35, 0xE0000020]
.init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xA7569224]
.init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0xA7569000, 0x4000, 0xE20000E0]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA740C400, 0x6E6E2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA7496820] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA7496820]
.protect˙˙˙˙hardlockunknown last code section [0xA7496600, 0x512A, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xA7496600, 0x512A, 0xE0000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADC14 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A79B7 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A78E9 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A7954 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A77BA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A781C C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A7A1A C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A787E C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9B81 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D1BD C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADC14 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 406146A6 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A79B7 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A78E9 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A7954 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A77BA C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A781C C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A7A1A C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A787E C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] ole32.dll!CoCreateInstance 774EF1D4 5 Bytes JMP 406ADC70 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[2836] ole32.dll!OleLoadFromStream 7751988B 5 Bytes JMP 407A7D1F C:\WINDOWS\system32\IEFRAME.dll
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[3684] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 01445605 C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[3684] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01F33805 C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[3684] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01F3384D C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[3684] kernel32.dll!ValidateLocale + B1C8 7C8449C8 7 Bytes JMP 0145577B C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[3684] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01F33874 C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4044] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Devices - GMER 2.1 ----

Device \Driver\aksusb \Device\00000079 AKSCLASS.SYS
Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys
Device \Driver\Disk \Device\Harddisk1\DR1 aksfridge.sys
Device \Driver\aksusb \Device\0000006c AKSCLASS.SYS
Device mrxsmb.sys
Device Fastfat.SYS
AttachedDevice fltMgr.sys

---- EOF - GMER 2.1 ----
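The log above is a flat dump of close to a hundred findings, and GMER's column alignment does not survive extraction. The Python below is an added example, not GMER's code or output and not part of the scan, that turns two of its line shapes into records a reviewer can sort and filter: the user code section lines (which process and PID, which export, how many bytes were patched, whether the patch is a JMP/CALL or raw bytes, and whether GMER attributed the branch destination to a loaded module) and the kernel code section lines, whose third bracketed value is the PE section characteristics word behind GMER's "section is writeable" finding. The regexes are written only against sample lines copied from this log, so the field layout they assume is exactly that, an assumption; any line that does not match is returned as unparsed rather than dropped.

```python
"""Parse the two GMER 2.1 line shapes that carry the most review value.
Added example for this page, not GMER's code. The regexes are derived only from the log
lines visible above (copied into SAMPLE); the layout they assume is verified on that sample only."""
import re
from dataclasses import dataclass
from typing import Optional

# PE section characteristics (IMAGE_SCN_* in winnt.h): the third value GMER prints in "[base, size, characteristics]".
SCN_FLAGS = {0x20: "CNT_CODE", 0x40: "CNT_INITIALIZED_DATA", 0x80: "CNT_UNINITIALIZED_DATA",
             0x02000000: "MEM_DISCARDABLE", 0x08000000: "MEM_NOT_PAGED", 0x20000000: "MEM_EXECUTE",
             0x40000000: "MEM_READ", 0x80000000: "MEM_WRITE"}

# ".text <process>[pid] <module>!<func>[ + off] <addr> <n> Byte(s) <patch>"
USER_HOOK_RE = re.compile(
    r"^(?P<section>\.\w+)\s+(?P<process>.+?\.exe)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[\w.]+)!(?P<func>\w+)(?:\s*\+\s*(?P<offset>[0-9A-Fa-f]+))?\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+)\s+Bytes?\s+(?P<patch>.+?)\s*$")
# "<section> <driver>.sys <finding> [0xbase, 0xsize, 0xcharacteristics]"
KERNEL_SECTION_RE = re.compile(
    r"^(?P<section>\S+)\s+(?P<driver>\S+\.sys)\s+(?P<finding>.+?)\s*"
    r"\[0x(?P<base>[0-9A-Fa-f]+),\s*0x(?P<size>[0-9A-Fa-f]+),\s*0x(?P<chars>[0-9A-Fa-f]+)\]\s*$")
PATCH_BRANCH_RE = re.compile(r"^(JMP|CALL)\s+([0-9A-Fa-f]{8})(?:\s+(\S.*))?$")
PATCH_BYTES_RE = re.compile(r"^\[([0-9A-Fa-f ,]+)\]$")

@dataclass
class UserHook:
    process: str
    pid: int
    symbol: str                   # e.g. "ntdll.dll!NtCreateFile+6"
    addr: int
    size: int
    kind: str                     # "JMP", "CALL" or "BYTES"
    target: Optional[int]         # branch destination; None for raw byte patches
    target_module: Optional[str]  # module GMER attributed the destination to, if any
    raw_bytes: bytes

@dataclass
class KernelSection:
    section: str
    driver: str
    finding: str
    base: int
    size: int
    characteristics: int

    @property
    def flags(self):
        return [n for bit, n in sorted(SCN_FLAGS.items()) if self.characteristics & bit]

    @property
    def writable_code(self):
        # Writable and executable at once: what a "section is writeable" finding on a code section means
        return bool(self.characteristics & 0x80000000) and bool(self.characteristics & 0x20000000)

def _parse_patch(text):
    if m := PATCH_BRANCH_RE.match(text):
        return m.group(1), int(m.group(2), 16), m.group(3), b""
    if m := PATCH_BYTES_RE.match(text):
        return "BYTES", None, None, bytes(int(b, 16) for b in m.group(1).split(","))
    raise ValueError(f"unrecognised patch field: {text!r}")

def parse_gmer(text):
    """Return (user_hooks, kernel_sections, unparsed_lines); no line is dropped silently."""
    hooks, sections, unparsed = [], [], []
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        if m := USER_HOOK_RE.match(line):
            kind, target, module, raw = _parse_patch(m["patch"])
            symbol = f"{m['module']}!{m['func']}" + (f"+{m['offset']}" if m["offset"] else "")
            hooks.append(UserHook(m["process"], int(m["pid"]), symbol, int(m["addr"], 16),
                                  int(m["size"]), kind, target, module, raw))
        elif m := KERNEL_SECTION_RE.match(line):
            sections.append(KernelSection(m["section"], m["driver"], m["finding"], int(m["base"], 16),
                                          int(m["size"], 16), int(m["chars"], 16)))
        else:
            unparsed.append(line)  # headers, one-value lines, garbled lines: review these by hand
    return hooks, sections, unparsed

def unresolved_branches(hooks):
    """JMP/CALL patches whose destination GMER did not attribute to a loaded module."""
    return [h for h in hooks if h.kind in ("JMP", "CALL") and h.target_module is None]

# Lines copied verbatim from the log above: one of each shape, plus one the parser does not handle.
SAMPLE = r"""
.text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xA7515000, 0x47E35, 0xE0000020]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xA740C400, 0x6E6E2, 0xE8000020]
.text C:\Program Files\Internet Explorer\iexplore.exe[2088] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[3544] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[3684] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01F33805 C:\Documents and Settings\Lectra\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll
.init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xA7569224]
"""

if __name__ == "__main__":
    hooks, sections, unparsed = parse_gmer(SAMPLE)
    for s in sections:
        print(f"{s.driver} {s.section}: {' | '.join(s.flags)}  writable code: {s.writable_code}")
    for h in unresolved_branches(hooks):
        print(f"unattributed {h.kind} at {h.symbol} -> {h.target:08X}")
    print(f"{len(unparsed)} line(s) not parsed")
```

Run stand-alone it decodes 0xE0000020 on aksfridge.sys as CNT_CODE | MEM_EXECUTE | MEM_READ | MEM_WRITE and 0xE8000020 on hardlock.sys as the same plus MEM_NOT_PAGED, and lists the one branch in the sample whose destination GMER left unattributed (the CALL at ntdll.dll!NtOpenProcessToken+6 in chrome.exe[3544]). Pass the full log text instead of SAMPLE to get the whole table; the lines GMER itself garbled (the hardlock.sys ".protect" entries) and the one-value entry-point lines come back in the unparsed list, which is the right place for them since those are the ones that need a human anyway. The flag decode only knows the bits in SCN_FLAGS, so compare the list against the raw characteristics word whenever a bit outside that table could matter.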