GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-24 12:38:51
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD5000BPVT-80HXZT1 rev.01.01A01 465,76GB
Running: vzpgmtu5.exe; Driver: C:\Users\FAMILI~1\AppData\Local\Temp\kxlyaaod.sys

---- System - GMER 2.2 ----

SSDT 8DC882CE ZwCreateSection
SSDT 8DC882A6 ZwCreateSymbolicLinkObject
SSDT 8DC882AB ZwLoadDriver
SSDT 8DC882A1 ZwOpenSection
SSDT 8DC882D8 ZwRequestWaitReplyPort
SSDT 8DC882D3 ZwSetContextThread
SSDT 8DC882DD ZwSetSecurityObject
SSDT 8DC882B0 ZwSetSystemInformation
SSDT 8DC882E2 ZwSystemDebugControl
SSDT 8DC8826F ZwTerminateProcess

---- Kernel code sections - GMER 2.2 ----

.text ntkrnlpa.exe!ZwRenameKey + 1549 81C56EC5 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81C91272 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 81C9879C 4 Bytes [CE, 82, C8, 8D] {INTO ; OR AL, 0x8d}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11FF 81C987A4 4 Bytes [A6, 82, C8, 8D] {CMPSB ; OR AL, 0x8d}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1313 81C988B8 4 Bytes [AB, 82, C8, 8D] {STOSD ; OR AL, 0x8d}
.text ntkrnlpa.exe!KeRemoveQueueEx + 13AF 81C98954 1 Byte [A1]
.text ntkrnlpa.exe!KeRemoveQueueEx + 13AF 81C98954 4 Bytes [A1, 82, C8, 8D]
.text ...
? system32\DRIVERS\avkmgr.sys System nie może odnaleźć określonej ścieżki. !
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F207000, 0x3C1465, 0xE8000020]
? C:\Windows\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 2.2 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[148] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 75C895DE 7 Bytes JMP 53AD91E5 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[148] kernel32.dll!QueryPerformanceCounter + 13 75C8C5E5 7 Bytes JMP 53ADA0E1 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[148] kernel32.dll!LoadAppInitDlls + 355 75C8F6A6 7 Bytes JMP 537DA4B1 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[148] USER32.dll!CreateWindowExA 76D7BF48 5 Bytes JMP 53C5CD30 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[148] USER32.dll!CreateWindowExW 76D7EC84 5 Bytes JMP 5378F0F0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[148] USER32.dll!GetWindowInfo 76D84B66 5 Bytes JMP 5474AEA5 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[148] GDI32.dll!GetViewportOrgEx + 26C 77B2884B 7 Bytes JMP 53AD8A6C C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\CCleaner\CCleaner.exe[3020] USER32.dll!SetScrollRange 76D78ECD 5 Bytes JMP 013B1A4D C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3020] USER32.dll!GetScrollInfo 76D82DAB 5 Bytes JMP 013B19D4 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3020] USER32.dll!SetScrollInfo 76D848E2 5 Bytes JMP 013B1A8A C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3020] USER32.dll!GetScrollRange 76DA0472 5 Bytes JMP 013B196B C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3020] USER32.dll!SetScrollPos 76DA04D6 5 Bytes JMP 013B1940 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3020] USER32.dll!GetScrollPos 76DA0E5B 5 Bytes JMP 013B19A9 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3020] USER32.dll!EnableScrollBar 76DA19E6 5 Bytes JMP 013B1AC4 C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\CCleaner\CCleaner.exe[3020] USER32.dll!ShowScrollBar 76DA3CA1 5 Bytes JMP 013B1A0D C:\Program Files\CCleaner\CCleaner.exe
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtCreateFile + 6 77975136 4 Bytes [28, EC, C8, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtCreateFile + B 7797513B 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenFile + 6 77975846 4 Bytes [68, EC, C8, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenFile + B 7797584B 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenProcess + 6 779758F6 4 Bytes [A8, ED, C8, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenProcess + B 779758FB 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenProcessToken + 6 77975906 4 Bytes CALL 769821F8 C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenProcessToken + B 7797590B 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenProcessTokenEx + 6 77975916 4 Bytes [A8, EE, C8, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenProcessTokenEx + B 7797591B 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenThread + 6 77975976 4 Bytes [68, ED, C8, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenThread + B 7797597B 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenThreadToken + 6 77975986 4 Bytes [68, EE, C8, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenThreadToken + B 7797598B 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenThreadTokenEx + 6 77975996 4 Bytes CALL 76982289 C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtOpenThreadTokenEx + B 7797599B 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtQueryAttributesFile + 6 77975AA6 4 Bytes [A8, EC, C8, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtQueryAttributesFile + B 77975AAB 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtQueryFullAttributesFile + 6 77975B56 4 Bytes CALL 76982447 C:\Windows\system32\SHELL32.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtQueryFullAttributesFile + B 77975B5B 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtSetInformationFile + 6 779761A6 4 Bytes [28, ED, C8, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtSetInformationFile + B 779761AB 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtSetInformationThread + 6 77976206 4 Bytes [28, EE, C8, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] ntdll.dll!NtSetInformationThread + B 7797620B 1 Byte [E2]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 75C895DE 7 Bytes JMP 53AD91E5 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] kernel32.dll!QueryPerformanceCounter + 13 75C8C5E5 7 Bytes JMP 53ADA0E1 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] USER32.dll!CreateWindowExA 76D7BF48 5 Bytes JMP 53C5CD30 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] USER32.dll!CreateWindowExW 76D7EC84 5 Bytes JMP 5378F0F0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3668] GDI32.dll!GetViewportOrgEx + 26C 77B2884B 7 Bytes JMP 53AD8A6C C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.2 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- Registry - GMER 2.2 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe 0x76 0xF6 0x82 0xF1 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe 0xDA 0xF4 0x48 0xF9 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 0x81 0xF1 0x2E 0x18 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x8B 0xF9 0x74 0x14 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\PROGRAMY\Malwarebytes' Anti-Malware\mbam.exe 0xF8 0x10 0xF2 0x63 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume3\PROGRAMY\Malwarebytes' Anti-Malware\mbamservice.exe 0xBC 0xBB 0xFA 0xDD ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLI.exe 0xE4 0x96 0x1C 0x68 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\ehome\ehshell.exe 0x9C 0x88 0x44 0xED ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\ehome\ehexthost.exe 0xA8 0xA0 0x4D 0x5E ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Program Files\Malwarebytes Anti-Malware\mbam.exe 0x19 0x11 0x93 0xE4 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Program Files\Malwarebytes Anti-Malware\mbamservice.exe 0x39 0xD1 0x1B 0x1F ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\mmc.exe 0x08 0x26 0x72 0x1B ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\winsxs\x86_netfx-clrgc_b03f5f7f11d50a3a_6.1.7601.17514_none_f5276fe6b5adf276\clrgc.exe 0x27 0xCA 0x26 0x42 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Users\familia żuk\Desktop\FRST.exe 0x91 0x0C 0xDF 0x09 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\Avira\Launcher\Avira.ServiceHost.exe 0x45 0x20 0x6C 0xBB ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\Avira\Launcher\Avira.Systray.exe 0x73 0xDA 0xD5 0xEA ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xEA 0xED 0x00 0xE8 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\csc.exe 0xFC 0x4A 0x76 0x1E ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\msiexec.exe 0xA5 0x93 0xA0 0x98 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0x7E 0x83 0x82 0xA8 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\PROGRAMY\Malwarebytes' Anti-Malware\mbam.exe 0x40 0x0C 0xDD 0x51 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume3\PROGRAMY\Malwarebytes' Anti-Malware\mbamservice.exe 0x80 0x6F 0x78 0xB2 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\Malwarebytes Anti-Malware\mbam.exe 0x8C 0x1E 0x8F 0xDD ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\Malwarebytes Anti-Malware\mbamservice.exe 0x53 0xF3 0x37 0x85 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\winsxs\x86_netfx-clrgc_b03f5f7f11d50a3a_6.1.7601.17514_none_f5276fe6b5adf276\clrgc.exe 0xA8 0x4F 0x30 0x42 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\rundll32.exe 0x22 0xBC 0x86 0x97 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Users\familia żuk\Desktop\FRST.exe 0xF2 0x69 0x87 0x05 ...
Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\familia żuk\Downloads\ComboFix.exe 1

---- EOF - GMER 2.2 ----