GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-02 17:15:54 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9320320AS rev.HP07 298,09GB Running: ohyh0d7o.exe; Driver: C:\Users\Dom\AppData\Local\Temp\pxliypow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x910726E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x91072800] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x91072010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x910724D0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x91072300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x910723E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x91072120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x91072210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x910725E0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 83076A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830B0212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1357 830B76EC 8 Bytes [E0, 26, 07, 91, 00, 28, 07, ...] {LOOPNZ 0x28; POP ES; XCHG ECX, EAX; ADD [EAX], CH; POP ES; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 139F 830B7734 4 Bytes [10, 20, 07, 91] {ADC [EAX], AH; POP ES; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 13BF 830B7754 4 Bytes [D0, 24, 07, 91] {SHL BYTE [EDI+EAX], 0x1; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 165F 830B79F4 8 Bytes [00, 23, 07, 91, E0, 23, 07, ...] {ADD [EBX], AH; POP ES; XCHG ECX, EAX; LOOPNZ 0x29; POP ES; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 166F 830B7A04 8 Bytes [20, 21, 07, 91, 10, 22, 07, ...] {AND [ECX], AH; POP ES; XCHG ECX, EAX; ADC [EDX], AH; POP ES; XCHG ECX, EAX} .text ... .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x8B6F0774] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x92C0F000, 0x2BFBF0, 0xE8000020] ? C:\Users\Dom\AppData\Local\Temp\ALSysIO.sys Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] ntdll.dll!NtCreateFile 771E5608 5 Bytes JMP 58BCA790 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] ntdll.dll!NtFlushBuffersFile 771E5998 5 Bytes JMP 58BAEF64 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] ntdll.dll!NtQueryFullAttributesFile 771E6028 5 Bytes JMP 58BAEC80 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] ntdll.dll!NtReadFile 771E62F8 5 Bytes JMP 58BAEE60 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] ntdll.dll!NtReadFileScatter 771E6308 2 Bytes JMP 594F64C0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] ntdll.dll!NtReadFileScatter + 3 771E630B 2 Bytes [31, E2] {XOR EDX, ESP} .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] ntdll.dll!NtWriteFile 771E6AA8 5 Bytes JMP 58BCB690 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] ntdll.dll!NtWriteFileGather 771E6AB8 5 Bytes JMP 594F646F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] ntdll.dll!LdrLoadDll 772022AE 5 Bytes JMP 5EAB1F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 762F94E6 7 Bytes JMP 5945D001 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] kernel32.dll!QueryPerformanceCounter + 13 762FC4E5 7 Bytes JMP 5945D024 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] kernel32.dll!LoadAppInitDlls + 355 762FF5A6 7 Bytes JMP 58BC7374 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] USER32.dll!GetWindowInfo 76076A82 5 Bytes JMP 59363388 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3476] GDI32.dll!GetViewportOrgEx + 26C 7613884B 7 Bytes JMP 5945CF82 C:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 85B6F1F8 Device \FileSystem\fastfat \FatCdrom 87DA01F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{50AA08FE-A1A7-4E19-B755-F19468F122D3} 86D371F8 Device \Driver\usbohci \Device\USBPDO-0 86DE5440 Device \Driver\usbohci \Device\USBPDO-1 86DE5440 Device \Driver\usbehci \Device\USBPDO-2 86E13440 Device \Driver\usbohci \Device\USBPDO-3 86DE5440 Device \Driver\usbohci \Device\USBPDO-4 86DE5440 Device \Driver\usbehci \Device\USBPDO-5 86E13440 Device \Driver\cdrom \Device\CdRom0 86C3E1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 85B6C1F8 Device \Driver\atapi \Device\Ide\IdePort0 85B6C1F8 Device \Driver\atapi \Device\Ide\IdePort1 85B6C1F8 Device \Driver\atapi \Device\Ide\IdePort2 85B6C1F8 Device \Driver\atapi \Device\Ide\IdePort3 85B6C1F8 Device \Driver\atapi \Device\Ide\IdePort4 85B6C1F8 Device \Driver\msahci \Device\Ide\PciIde1Channel0 85B6D1F8 Device \Driver\msahci \Device\Ide\PciIde1Channel1 85B6D1F8 Device \Driver\msahci \Device\Ide\PciIde1Channel2 85B6D1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-5 85B6C1F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 86D371F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{FB3B56BA-9678-4417-9595-2A304282F7EB} 86D371F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{36BC4B80-2E7D-477A-BE13-601062DAEC64} 86D371F8 AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys Device \Driver\usbohci \Device\USBFDO-0 86DE5440 Device \Driver\usbohci \Device\USBFDO-1 86DE5440 Device \Driver\usbehci \Device\USBFDO-2 86E13440 Device \Driver\usbohci \Device\USBFDO-3 86DE5440 Device \Driver\usbohci \Device\USBFDO-4 86DE5440 Device \Driver\usbehci \Device\USBFDO-5 86E13440 Device \FileSystem\fastfat \Fat 87DA01F8 AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys halmacpi.dll >>UNKNOWN [0x85b6c1f8]<< 85b6c1f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x869ec030] 869ec030 Trace 3 CLASSPNP.SYS[8bdb359e] -> nt!IofCallDriver -> [0x869eb718] 869eb718 Trace 5 hpdskflt.sys[8be1a090] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x868ed908] 868ed908 Trace \Driver\atapi[0x868c5590] -> IRP_MJ_CREATE -> 0x85b6c1f8 85b6c1f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b1000245d Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b1000245d@5cb524ca7a66 0x14 0x9B 0x6B 0xD1 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b1000245d@40b0fa397887 0xAD 0xED 0x0B 0xEC ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b1000245d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b1000245d@5cb524ca7a66 0x14 0x9B 0x6B 0xD1 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b1000245d@40b0fa397887 0xAD 0xED 0x0B 0xEC ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) ---- EOF - GMER 2.1 ----