GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-10 18:37:08
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST925031 rev.0001 232,89GB
Running: ggo1f6pc.exe; Driver: C:\Users\Samsung\AppData\Local\Temp\pgeiqkob.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] GDI32.dll!GetViewportOrgEx + 26C  75FE884B 7 Bytes  JMP 6350C315 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D  75A9952E 7 Bytes  JMP 6350DDA1 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] kernel32.dll!LoadAppInitDlls + 355  75A9F5F6 7 Bytes  JMP 632B1FD5 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] kernel32.dll!QueryPerformanceCounter + 13  75A9C535 7 Bytes  JMP 6350FD1D C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!LdrLoadDll  771724C6 5 Bytes  JMP 6F0A908C C:\Program Files\Mozilla Firefox\mozglue.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!NtCreateFile  77155620 5 Bytes  JMP 62F7F912 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!NtFlushBuffersFile  771559B0 5 Bytes  JMP 62F7F652 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!NtQueryFullAttributesFile  77156040 5 Bytes  JMP 62F7F78A C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!NtReadFile  77156310 5 Bytes  JMP 62F7F68C C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!NtReadFileScatter  77156320 5 Bytes  JMP 635243A6 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!NtWriteFile  77156AC0 5 Bytes  JMP 62F7FAB6 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] ntdll.dll!NtWriteFileGather  77156AD0 5 Bytes  JMP 635243F6 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4564] USER32.dll!GetWindowInfo  761E4B5E 5 Bytes  JMP 63EFBF0A C:\Program Files\Mozilla Firefox\xul.dll

---- Kernel code sections - GMER 2.1 ----

.text  ntoskrnl.exe!KiDispatchInterrupt + 5A2  83CA4E62 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntoskrnl.exe!ZwRequestPort + 14CD  83C84B55 1 Byte  [06]

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1  Wdf01000.sys

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdipAlloc]  [73BE249F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdipCloneImage]  [73BD4C64] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [73BD66DB] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC]  [73BD82D5] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics]  [73BD857E] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdipDisposeImage]  [73BD4D32] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI]  [73BDE228] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdipFree]  [73BE251A] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight]  [73BD51AE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth]  [73BD50D9] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdiplusShutdown]  [73BC5710] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdiplusStartup]  [73BC5652] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode]  [73BD8824] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll
IAT  C:\windows\Explorer.exe[3308] @ C:\windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode]  [73BD9085] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18834_none_72d38c5186679d48\gdiplus.dll

---- Registry - GMER 2.1 ----

Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@9837570C  564
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\00002109A10051400000000000F01FEC\Usage@OutlookMAPI2Intl_1045  1189792956
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{A769808F-BF58-44CF-8AA5-3A4773821DF1}@LeaseObtainedTime  1436543748
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{A769808F-BF58-44CF-8AA5-3A4773821DF1}@LeaseTerminatesTime  1436630148
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{A769808F-BF58-44CF-8AA5-3A4773821DF1}@T1  1436586948
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{A769808F-BF58-44CF-8AA5-3A4773821DF1}@T2  1436619348

---- Services - GMER 2.1 ----

Service  C:\windows\servicing\TrustedInstaller.exe (*** hidden *** )  [AUTO] TrustedInstaller  <-- ROOTKIT !!!

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----