GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-11 12:58:10
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\00000065 Hitachi_ rev.ES2O 298,09GB
Running: ktulnjow.exe; Driver: C:\Users\Demon\AppData\Local\Temp\uwddikod.sys


---- System - GMER 2.0 ----

SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwNotifyChangeKey [0x9006F14A]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwNotifyChangeMultipleKeys [0x9006F21A]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwOpenProcess [0x9006ED7C]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwSuspendProcess [0x9006EF6A]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwSuspendThread [0x9006F000]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwTerminateProcess [0x9006EE32]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwTerminateThread [0x9006EECE]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwWriteVirtualMemory [0x9006F09C]

---- Kernel code sections - GMER 2.0 ----

.text  ntkrnlpa.exe!ZwRollbackTransaction + 13E9   82A5B839 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2   82A803F2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!RtlSidHashLookup + 4A0   82A87E30 8 Bytes  [4A, F1, 06, 90, 1A, F2, 06, ...] {DEC EDX; INT1 ; PUSH ES; NOP ; SBB DH, DL; PUSH ES; NOP }
.text  ntkrnlpa.exe!RtlSidHashLookup + 4E8   82A87E78 4 Bytes  [7C, ED, 06, 90] {JL 0xffffffef; PUSH ES; NOP }
.text  ntkrnlpa.exe!RtlSidHashLookup + 7A8   82A88138 8 Bytes  [6A, EF, 06, 90, 00, F0, 06, ...] {PUSH -0x11; PUSH ES; NOP ; ADD AL, DH; PUSH ES; NOP }
.text  ntkrnlpa.exe!RtlSidHashLookup + 7B8   82A88148 8 Bytes  [32, EE, 06, 90, CE, EE, 06, ...] {XOR CH, DH; PUSH ES; NOP ; INTO ; OUT DX, AL; PUSH ES; NOP }
.text  ntkrnlpa.exe!RtlSidHashLookup + 82C   82A881BC 4 Bytes  [9C, F0, 06, 90] {PUSHF ; PUSH ES; NOP }
.text  C:\Windows\system32\DRIVERS\atikmdag.sys  section is writeable [0x9123D000, 0x3AB565, 0xE8000020]

---- User code sections - GMER 2.0 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[1964] ntdll.dll!wcsncmp + 33B   7710F420 7 Bytes  JMP 658E4470 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1964] kernel32.dll!K32GetDeviceDriverBaseNameW + 16F   757FC0A7 7 Bytes  JMP 65B30459 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1964] kernel32.dll!CloseHandle + 38   758005CF 7 Bytes  JMP 65B3047C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1964] kernel32.dll!GetExitCodeProcess + 2C   7580311D 7 Bytes  JMP 658EF972 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1964] GDI32.dll!GetViewportOrgEx + 21C   764985EB 7 Bytes  JMP 65B303DA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Users\Demon\AppData\Local\GG\Application\ggapp.exe[3616] ntdll.dll!LdrLoadDll   7710F425 5 Bytes  JMP 6AE0C859 C:\Users\Demon\AppData\Local\GG\Application\xulrunner\xul.dll (GG application/GG Network S.A.)
.text  C:\Users\Demon\AppData\Local\GG\Application\ggapp.exe[3616] kernel32.dll!MapViewOfFile   757FC0AC 5 Bytes  JMP 6B5FED8E C:\Users\Demon\AppData\Local\GG\Application\xulrunner\xul.dll (GG application/GG Network S.A.)
.text  C:\Users\Demon\AppData\Local\GG\Application\ggapp.exe[3616] kernel32.dll!VirtualAlloc   758005D4 5 Bytes  JMP 6B5FED48 C:\Users\Demon\AppData\Local\GG\Application\xulrunner\xul.dll (GG application/GG Network S.A.)
.text  C:\Users\Demon\AppData\Local\GG\Application\ggapp.exe[3616] GDI32.dll!CreateDIBSection   764985F0 5 Bytes  JMP 6B5FEDB5 C:\Users\Demon\AppData\Local\GG\Application\xulrunner\xul.dll (GG application/GG Network S.A.)

---- User IAT/EAT - GMER 2.0 ----

IAT  C:\Windows\System32\rundll32.exe[2692] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]  [74735E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\System32\rundll32.exe[2692] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]  [74735E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\System32\rundll32.exe[2692] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [74735E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT  C:\Windows\System32\rundll32.exe[2692] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]  [74735E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg  HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Events\{F8642196-B91D-4860-854D-B817E8DFE139}

---- EOF - GMER 2.0 ----
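Triage of the hook entries in a log like this one is mostly a matter of asking, for every SSDT, inline and IAT hook, which module owns the hook target and whether that module's vendor is expected on the host. The script below is an added example, not part of the GMER output and not GMER's own code. It parses the four entry shapes that appear above (SSDT, in-process `.text` JMP hooks, IAT redirections, and the "section is writeable" finding), attributes each hook to its module and vendor, and marks as "review" anything whose vendor is not on a small allowlist. The sample lines are copied from this scan; the allowlist (AVG, Mozilla, Microsoft) is a constructed assumption an analyst would maintain per host, so the GG Network xul.dll hooks landing in "review" means only that they are not on that list, not that the page shows them to be malicious. The kernel `.text` entries on ntkrnlpa.exe are deliberately left unparsed, since the log gives no hooking module for them.

```python
"""Triage of GMER hook entries.

Added example, not part of the GMER log above and not GMER's own code.
The sample lines are copied from the scan output; the vendor allowlist is an
assumption an analyst would maintain for the host being examined.
"""
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Constructed sample: one line of each entry type, taken from the scan above.
SAMPLE_LOG = r"""
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwOpenProcess [0x9006ED7C]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. )  ZwWriteVirtualMemory [0x9006F09C]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1964] kernel32.dll!CloseHandle + 38   758005CF 7 Bytes  JMP 65B3047C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Users\Demon\AppData\Local\GG\Application\ggapp.exe[3616] ntdll.dll!LdrLoadDll   7710F425 5 Bytes  JMP 6AE0C859 C:\Users\Demon\AppData\Local\GG\Application\xulrunner\xul.dll (GG application/GG Network S.A.)
IAT  C:\Windows\System32\rundll32.exe[2692] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]  [74735E25] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
.text  C:\Windows\system32\DRIVERS\atikmdag.sys  section is writeable [0x9123D000, 0x3AB565, 0xE8000020]
"""

# Vendors whose hooks are expected on this host (assumption: a per-host allowlist).
EXPECTED_VENDORS = ("AVG Technologies", "Mozilla Foundation", "Microsoft Corporation")

# One pattern per GMER entry shape seen in the log.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
INLINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<func>\S+!\S+)(?:\s+\+\s+[0-9A-Fa-f]+)?"
    r"\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<n>\d+) Bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)"
    r"\s+(?P<module>.+?)\s+\((?P<desc>[^)]*)\)\s*$")
IAT_RE = re.compile(
    r"^IAT\s+(?P<proc>.+?\[\d+\])\s+@\s+(?P<importer>\S+)\s+\[(?P<func>[^\]]+)\]"
    r"\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<module>.+?)\s+\((?P<desc>[^)]*)\)\s*$")
WRITABLE_RE = re.compile(
    r"^\.text\s+(?P<module>\S+)\s+section is writeable\s+\[(?P<vals>[^\]]*)\]")


@dataclass
class Hook:
    kind: str      # "ssdt", "inline", "iat" or "writable-section"
    victim: str    # hooked process image (with GMER's [pid]) or "kernel SSDT"
    function: str  # hooked export; empty for a writable-section finding
    module: str    # module that owns the hook target, or the writable section
    vendor: str    # company part of GMER's "(description/company)" field
    verdict: str   # "expected" if the vendor is allowlisted, else "review"


def vendor_of(desc: str) -> str:
    """GMER prints '(FileDescription/CompanyName)'; keep the company part."""
    return desc.rsplit("/", 1)[-1].strip()


def _hook(kind, victim, func, module, desc) -> Hook:
    vendor = vendor_of(desc)
    verdict = "expected" if vendor.startswith(EXPECTED_VENDORS) else "review"
    return Hook(kind, victim, func, module, vendor, verdict)


def parse_line(line: str):
    """Return a Hook for a recognised GMER entry, else None."""
    line = line.strip()
    m = SSDT_RE.match(line)
    if m:
        return _hook("ssdt", "kernel SSDT", m["func"], m["module"], m["desc"])
    m = WRITABLE_RE.match(line)
    if m:  # no vendor field on this line, so it always goes to review
        return Hook("writable-section", m["module"], "", m["module"], "", "review")
    m = INLINE_RE.match(line)
    if m:
        return _hook("inline", m["proc"], m["func"], m["module"], m["desc"])
    m = IAT_RE.match(line)
    if m:
        return _hook("iat", m["proc"], m["func"], m["module"], m["desc"])
    return None


def hooked_by_own_module(h: Hook) -> bool:
    """True when the hooking DLL lives under the hooked process's own directory,
    i.e. the application instruments itself rather than being hooked from outside."""
    if h.kind not in ("inline", "iat"):
        return False
    proc_dir = ntpath.dirname(re.sub(r"\[\d+\]$", "", h.victim)).lower()
    return ntpath.dirname(h.module).lower().startswith(proc_dir)


def triage(log_text: str):
    return [h for h in map(parse_line, log_text.splitlines()) if h is not None]


def summarize(hooks):
    """Hook count per hooking module, plus the entries needing analyst review."""
    per_module = Counter(h.module for h in hooks)
    flagged = [h for h in hooks if h.verdict == "review"]
    return per_module, flagged


if __name__ == "__main__":
    hooks = triage(SAMPLE_LOG)
    per_module, flagged = summarize(hooks)
    for mod, n in per_module.most_common():
        print(f"{n:2d}  {mod}")
    for h in flagged:
        print("REVIEW", h.kind, h.victim, h.function, h.module, h.vendor,
              "(self-hook)" if hooked_by_own_module(h) else "")
```

`hooked_by_own_module` separates an application hooking itself from its own install directory (firefox.exe hooked by its own xul.dll, rundll32.exe redirected through the system's apphelp.dll) from a hook whose target lives somewhere unrelated to the victim, which is the case that deserves the closer look; the vendor field is taken from the file's version resource as GMER reports it and is a hint, not proof of origin.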