GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-06 16:46:02
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD800BB-00FJA0 rev.13.03G13 74,53GB
Running: jjr92q9z.exe; Driver: C:\Users\Michau\AppData\Local\Temp\pxldapow.sys

---- System - GMER 2.1 ----

SSDT \??\C:\Windows\system32\drivers\kisknl.sys ZwCreateUserProcess [0x959628DA]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackTransaction + 124C 82E5C69C 5 Bytes CALL 9596EE3E \??\C:\Windows\system32\drivers\kisknl.sys
.text ntkrnlpa.exe!ZwRollbackTransaction + 13E9 82E5C839 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E813F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 364 82E88CF4 4 Bytes [DA, 28, 96, 95] {FISUBR DWORD [EAX]; XCHG ESI, EAX; XCHG EBP, EAX}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x94A1A000, 0x153F4A, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text F:\Program Files\Opera\opera.exe[1568] ntdll.dll!NtCreateProcess 77544780 5 Bytes JMP 01A42DB0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] ntdll.dll!NtCreateProcessEx 77544790 5 Bytes JMP 01A42D20 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!CreateProcessW 76BE202D 5 Bytes JMP 01A45780 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!CreateProcessA 76BE2062 5 Bytes JMP 01A456E0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!CopyFileW 76C18CF7 5 Bytes JMP 01A43630 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!CopyFileExW 76C2082B 7 Bytes JMP 01A43400 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!LoadLibraryExW 76C2B697 5 Bytes JMP 01A43A10 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!LoadLibraryExA 76C2BC63 5 Bytes JMP 01A43900 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!CloseHandle 76C30597 5 Bytes JMP 01A729B0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!CreateFileW 76C30B3D 5 Bytes JMP 01A72B20 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!LoadLibraryA 76C32844 5 Bytes JMP 01A436F0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!LoadLibraryW 76C32892 5 Bytes JMP 01A43880 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!CreateProcessInternalW 76C3428E 5 Bytes JMP 01A440E0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!CreateProcessInternalA 76C3F546 5 Bytes JMP 01A444E0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!CopyFileA 76C47CCC 5 Bytes JMP 01A434C0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!CopyFileExA 76C6BB89 5 Bytes JMP 01A43280 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] kernel32.dll!WinExec + 5 76C6E682 6 Bytes JMP 01A43EC0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] SHELL32.dll!ShellExecuteEx 75E09FCA 5 Bytes JMP 01A446D0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] ole32.dll!CoGetClassObject 773DA394 5 Bytes JMP 01A6E640 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] WININET.dll!HttpOpenRequestA 769D0352 5 Bytes JMP 01A42E40 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] WININET.dll!InternetConnectW 769D03AA 5 Bytes JMP 01A43010 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] WININET.dll!HttpOpenRequestW 769D052B 5 Bytes JMP 01A42F70 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] WININET.dll!InternetOpenUrlA 769DDB98 2 Bytes JMP 01A430B0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] WININET.dll!InternetOpenUrlA + 3 769DDB9B 2 Bytes [06, 8B]
.text F:\Program Files\Opera\opera.exe[1568] WININET.dll!InternetOpenUrlW 76A2E19C 5 Bytes JMP 01A431E0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] WS2_32.dll!closesocket 76AB3BED 5 Bytes JMP 01A72B00 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] WS2_32.dll!recv 76AB47DF 5 Bytes JMP 01A72AD0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] WS2_32.dll!WSASend 76AB68A7 5 Bytes JMP 01A41650 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] WS2_32.dll!WSARecv 76ABC29F 5 Bytes JMP 01A72A10 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] WS2_32.dll!send 76ABC4C8 5 Bytes JMP 01A41470 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text F:\Program Files\Opera\opera.exe[1568] WS2_32.dll!WSAGetOverlappedResult 76ABE860 5 Bytes JMP 01A72A40 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text D:\Program Files\kingsoft antivirus\kxetray.exe[2460] SHELL32.dll!ShellExecuteW 75BD4228 5 Bytes JMP 00408C04 D:\Program Files\kingsoft antivirus\kxetray.exe
.text C:\Windows\Explorer.EXE[2640] kernel32.dll!CreateProcessW 76BE202D 5 Bytes JMP 03335840 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text C:\Windows\Explorer.EXE[2640] kernel32.dll!CreateProcessInternalW 76C3428E 5 Bytes JMP 033340E0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text C:\Windows\Explorer.EXE[2640] kernel32.dll!CreateProcessInternalA 76C3F546 5 Bytes JMP 033344E0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text C:\Windows\Explorer.EXE[2640] ADVAPI32.dll!RegSetValueExA 76B51B96 5 Bytes JMP 03336FA0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text C:\Windows\Explorer.EXE[2640] ADVAPI32.dll!RegQueryValueExA 76B5BC25 5 Bytes JMP 03335030 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text C:\Windows\Explorer.EXE[2640] ADVAPI32.dll!RegQueryValueExW 76B5BCD5 5 Bytes JMP 033353F0 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text C:\Windows\Explorer.EXE[2640] SHLWAPI.dll!SHRegGetUSValueW 769620B5 5 Bytes JMP 03334E90 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text C:\Windows\Explorer.EXE[2640] SHELL32.dll!ShellExecuteW + DCC 75BD4FF4 5 Bytes JMP 03330790 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text C:\Windows\Explorer.EXE[2640] SHELL32.dll!ShellExecuteExW 75BE1B8C 5 Bytes JMP 03333F80 D:\Program Files\kingsoft antivirus\kswebshield.dll
.text C:\Windows\Explorer.EXE[2640] SHELL32.dll!SHGetItemFromDataObject + 3DF 75C0DB6C 4 Bytes [04, 00, 0E, 03]
.text C:\Windows\Explorer.EXE[2640] SHELL32.dll!SHEnumerateUnreadMailAccountsW + F9E 75DE8659 5 Bytes JMP 03362E10 D:\Program Files\kingsoft antivirus\kswebshield.dll

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [748C24FA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [748A565B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [748A5719] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [748C2575] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [748B85D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [748B4D8D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [748B5134] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [748B5209] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [748B6736] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [748B8330] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [748B887F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [748B90E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [748BE283] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2640] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [748B4CBF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.17007_none_72f44f3186198a88\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs kisknl.sys
AttachedDevice \Driver\tdx \Device\Tcp kdhacker.sys
AttachedDevice \Driver\tdx \Device\Udp kdhacker.sys

---- EOF - GMER 2.1 ----