GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-09 16:14:57
Windows 6.1.7601 Service Pack 1 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-1 ST3500320AS rev.SD15 465,76GB
Running: z1kocj34.exe; Driver: C:\Users\KT\AppData\Local\Temp\pxldqpoc.sys


---- System - GMER 2.1 ----

SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwAddBootEntry [0x92AC36CA]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwAlpcConnectPort [0x92AC3C2C]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwAlpcSendWaitReceivePort [0x92AC5EA4]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwConnectPort [0x92AC4EC2]
SSDT  \SystemRoot\system32\drivers\PCTCore.sys  ZwCreateProcess [0x8CC6ECDC]
SSDT  \SystemRoot\system32\drivers\PCTCore.sys  ZwCreateProcessEx [0x8CC6EECE]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwCreateSection [0x92AC4B42]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwCreateThread [0x92B9D260]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwCreateThreadEx [0x92AC4092]
SSDT  \SystemRoot\system32\drivers\PCTCore.sys  ZwCreateUserProcess [0x8CC6F0D6]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwDeleteBootEntry [0x92AC3736]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwDeleteFile [0x92AC3E04]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwDeviceIoControlFile [0x92AC300A]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwDuplicateObject [0x92AC336E]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwFsControlFile [0x92AC3DA4]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwImpersonateClientOfPort [0x92AC3D6A]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwImpersonateThread [0x92AC3D28]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwLoadDriver [0x92B9D320]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwMapViewOfSection [0x92AC5832]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwModifyBootEntry [0x92AC3700]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwOpenProcess [0x92AC4CD0]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwOpenSection [0x92AC46C8]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwOpenThread [0x92AC4DB6]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwProtectVirtualMemory [0x92AC478C]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwQueueApcThread [0x92AC30C8]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwReplaceKey [0x92AC3858]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwRequestWaitReplyPort [0x92AC5D74]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwRestoreKey [0x92AC37A2]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwSecureConnectPort [0x92AC4FAC]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwSetBootOptions [0x92AC376C]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwSetContextThread [0x92AC312C]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwSetInformationFile [0x92AC3E68]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSetSystemInformation [0x92B9D2E0]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwShutdownSystem [0x92AC3682]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSystemDebugControl [0x92B9D2A0]
SSDT  \SystemRoot\system32\drivers\PCTCore.sys  ZwTerminateProcess [0x8CC6E982]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwTerminateThread [0x92ABB023]
SSDT  \??\C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  ZwWriteVirtualMemory [0x92AC5A88]

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 140D  83C53A35 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  83C8D392 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 10CB  83C945B0 4 Bytes  [CA, 36, AC, 92] {RETF 0xac36; XCHG EDX, EAX}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 10FF  83C945E4 4 Bytes  [2C, 3C, AC, 92] {SUB AL, 0x3c; LODSB ; XCHG EDX, EAX}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1143  83C94628 4 Bytes  [A4, 5E, AC, 92] {MOVSB ; POP ESI; LODSB ; XCHG EDX, EAX}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1193  83C94678 4 Bytes  [C2, 4E, AC, 92] {RET 0xac4e; XCHG EDX, EAX}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11E3  83C946C8 8 Bytes  [DC, EC, C6, 8C, CE, EE, C6, ...]
.text  ...
.hgjhgj1  C:\Program Files\_do_syst_i_komputera\SpyShelter Personal Free\SpyShelter.sys  entry point in ".hgjhgj1" section [0x92B6EB4C]
.text  C:\Windows\system32\DRIVERS\atikmdag.sys  section is writeable [0x94E17000, 0x2D5378, 0xE8000020]
?  C:\Windows\system32\Drivers\rikvm_B91CB6D3.sys  Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Real\RealPlayer\Update\realsched.exe[1344] kernel32.dll!SetUnhandledExceptionFilter  7703F5AB 5 Bytes  [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}
.text  C:\Program Files\ESET\ESET Smart Security\ekrn.exe[2004] kernel32.dll!SetUnhandledExceptionFilter  7703F5AB 4 Bytes  [C2, 04, 00, 00]
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] ntdll.dll!NtCreateFile  76EE5608 5 Bytes  JMP 10269440 C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\xul.dll
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] ntdll.dll!NtFlushBuffersFile  76EE5998 5 Bytes  JMP 0FF57CC9 C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\xul.dll
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] ntdll.dll!NtQueryFullAttributesFile  76EE6028 5 Bytes  JMP 0FF57F40 C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\xul.dll
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] ntdll.dll!NtReadFile  76EE62F8 5 Bytes  JMP 0FF57D20 C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\xul.dll
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] ntdll.dll!NtReadFileScatter  76EE6308 5 Bytes  JMP 10BC7D51 C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\xul.dll
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] ntdll.dll!NtWriteFile  76EE6AA8 5 Bytes  JMP 1026A3D0 C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\xul.dll
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] ntdll.dll!NtWriteFileGather  76EE6AB8 5 Bytes  JMP 10BC7D00 C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\xul.dll
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] ntdll.dll!LdrLoadDll  76F022AE 5 Bytes  JMP 74331F42 C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\mozglue.dll
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D  770394E6 7 Bytes  JMP 10B0923C C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\xul.dll
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] kernel32.dll!QueryPerformanceCounter + 13  7703C4E5 7 Bytes  JMP 10B0925F C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\xul.dll
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] kernel32.dll!LoadAppInitDlls + 355  7703F5A6 7 Bytes  JMP 10265E74 C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\xul.dll
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] GDI32.dll!GetViewportOrgEx + 26C  766B884B 7 Bytes  JMP 10B091BD C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\xul.dll
.text  C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\firefox.exe[8132] USER32.dll!GetWindowInfo  76AF4B5E 5 Bytes  JMP 10A0AF4C C:\Program Files\_do_syst_i_komputera\Mozilla Firefox\xul.dll

---- Devices - GMER 2.1 ----

Device  \Driver\CLKMDRV10_B91CB6D3 \Device\CLRKM#B91CB6D3  rikvm_B91CB6D3.sys
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys

---- Threads - GMER 2.1 ----

Thread  System [4:1044]  88A32950

---- Registry - GMER 2.1 ----

Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@VirtualStoreSize  1560
Reg  HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{95ED66A2-51A2-11DE-AC9E-806E6F6E6963}  48764611360
Reg  HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg  HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel  Apartment
Reg  HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@  C:\Windows\system32\OLE32.DLL
Reg  HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b  0xC8 0x28 0x51 0xAF ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg  HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel  Apartment
Reg  HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@  C:\Windows\system32\OLE32.DLL
Reg  HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b  0x46 0x47 0x15 0xB0 ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg  HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel  Apartment
Reg  HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@  C:\Windows\system32\OLE32.DLL
Reg  HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016  0x25 0xDA 0xEC 0x7E ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg  HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel  Apartment
Reg  HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@  C:\Windows\system32\OLE32.DLL
Reg  HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48  0x86 0x8C 0x21 0x01 ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg  HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel  Apartment
Reg  HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@  C:\Windows\system32\OLE32.DLL
Reg  HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472  0xF5 0x1D 0x4D 0x73 ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg  HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel  Apartment
Reg  HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@  C:\Windows\system32\OLE32.DLL
Reg  HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d  0xDF 0x20 0x58 0x62 ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg  HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel  Apartment
Reg  HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@  C:\Windows\system32\OLE32.DLL
Reg  HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b  0x31 0x77 0xE1 0xBA ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg  HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel  Apartment
Reg  HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@  C:\Windows\system32\OLE32.DLL
Reg  HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d  0x01 0x3A 0x48 0xFC ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg  HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel  Apartment
Reg  HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@  C:\Windows\system32\OLE32.DLL
Reg  HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3  0xB2 0x46 0x9A 0xE2 ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg  HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel  Apartment
Reg  HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@  C:\Windows\system32\OLE32.DLL
Reg  HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b  0xB1 0xCD 0x45 0x5A ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg  HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel  Apartment
Reg  HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@  C:\Windows\system32\OLE32.DLL
Reg  HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6  0x2A 0xB7 0xCC 0xB5 ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg  HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel  Apartment
Reg  HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@  C:\Windows\system32\OLE32.DLL
Reg  HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2  0x05 0x73 0x21 0xDD ...

---- Files - GMER 2.1 ----

File  C:\Windows\Temp\NODA5AF.tmp  0 bytes

---- EOF - GMER 2.1 ----