GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-12 02:52:15
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 SAMSUNG_HM250HI rev.2AC101C4 232,88GB
Running: 1y4ncjk7.exe; Driver: C:\Users\ADMINH~1\AppData\Local\Temp\aftcaaob.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x8F3B76E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x8F3B7800]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x8F3B7010]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x8F3B74D0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x8F3B7300]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x8F3B73E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x8F3B7120]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x8F3B7210]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x8F3B75E0]
SSDT \SystemRoot\system32\ntkrnlpa.exe ZwCreateKey [0x8361EFEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8361EFEC] ZwCreateKey [0x8361EFEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe ZwOpenKey [0x8361EFF1]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8361EFF1] ZwOpenKey [0x8361EFF1]
INT 0x03 \SystemRoot\system32\ntkrnlpa.exe[unknown section] 8361EFFB
INT 0x06 \??\C:\Windows\system32\drivers\Haspnt.sys 9F07016D
INT 0x0E \??\C:\Windows\system32\drivers\Haspnt.sys 9F06FFC2

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRequestPort + 14AD 8365BBB5 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83695B92 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11BF 8369D084 3 Bytes [EC, EF, 61] {IN AL, DX; OUT DX, EAX; POPA }
.text ntkrnlpa.exe!KeRemoveQueueEx + 1357 8369D21C 8 Bytes [E0, 76, 3B, 8F, 00, 78, 3B, ...] {LOOPNZ 0x78; CMP ECX, [EDI-0x70c48800]}
.text ntkrnlpa.exe!KeRemoveQueueEx + 137F 8369D244 3 Bytes [F1, EF, 61] {INT1 ; OUT DX, EAX; POPA }
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 8369D264 4 Bytes [10, 70, 3B, 8F]
.text ntkrnlpa.exe!KeRemoveQueueEx + 13BF 8369D284 4 Bytes [D0, 74, 3B, 8F] {SAL BYTE [EBX+EDI-0x71], 0x1}
.text ...
? System32\drivers\rfvvusj.sys System nie może odnaleźć określonej ścieżki. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90837000, 0x2D5378, 0xE8000020]
.text C:\Windows\system32\DRIVERS\aksfridge.sys section is writeable [0x9F092000, 0x47E35, 0xE0000020]
.init C:\Windows\system32\DRIVERS\aksfridge.sys entry point in ".init" section [0x9F0E6224]
.init C:\Windows\system32\DRIVERS\aksfridge.sys unknown last code section [0x9F0E6000, 0x4000, 0xE20000E0]
.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0x9F0EA400, 0x87EE2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x9F18E620] C:\Windows\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0x9F18E620]
.protect˙˙˙˙hardlockunknown last code section [0x9F18E400, 0x5126, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0x9F18E400, 0x5126, 0xE0000020]

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b10000e57
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@b0d09c0dc960 0x6F 0x9C 0x08 0x7E ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@b8d9ce5a6987 0x4A 0x95 0xD0 0xEB ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@0023f10330e3 0x69 0xA7 0xC6 0x8F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@44f459d8fe79 0x3C 0xB8 0xB0 0xE0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@001df680cce1 0x65 0xCE 0x0C 0x4F ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@5c3c271c92c9 0x63 0x3F 0x4D 0xAF ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@58170c92cec2 0xC1 0x23 0xA6 0x65 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b10000e57 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@b0d09c0dc960 0x6F 0x9C 0x08 0x7E ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@b8d9ce5a6987 0x4A 0x95 0xD0 0xEB ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@0023f10330e3 0x69 0xA7 0xC6 0x8F ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@44f459d8fe79 0x3C 0xB8 0xB0 0xE0 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@001df680cce1 0x65 0xCE 0x0C 0x4F ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@5c3c271c92c9 0x63 0x3F 0x4D 0xAF ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@58170c92cec2 0xC1 0x23 0xA6 0x65 ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{383BC6BF-293F-11E2-B605-806E6F6E6963} 8751462512
Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{383BC6C0-293F-11E2-B605-806E6F6E6963} 89888488