GMER 2.0.18444 - http://www.gmer.net Rootkit scan 2013-01-16 08:48:46 Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9320325AS rev.0003SDM1 298,09GB Running: btzrrv2q.exe; Driver: C:\Users\admin\AppData\Local\Temp\pxldapob.sys ---- System - GMER 2.0 ---- SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwAllocateVirtualMemory [0x83BDF560] SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwCreateThread [0x83BE1CEC] SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwCreateThreadEx [0x83BE1E28] SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwFreeVirtualMemory [0x83BDF8DE] SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwQueueApcThread [0x83BE1E7E] SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwQueueApcThreadEx [0x83BE1ECE] SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwSetContextThread [0x83BE1F1E] SSDT \SystemRoot\system32\drivers\dwprot.sys (Dr.Web Protection for Windows/Doctor Web, Ltd.) ZwWriteVirtualMemory [0x83BDFA22] ---- Kernel code sections - GMER 2.0 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E88579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EACF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 23C 82EB473C 3 Bytes [60, F5, BD] .text ntkrnlpa.exe!RtlSidHashLookup + 34C 82EB484C 3 Bytes [EC, 1C, BE] {IN AL, DX; SBB AL, 0xbe} .text ntkrnlpa.exe!RtlSidHashLookup + 350 82EB4850 3 Bytes [28, 1E, BE] .text ntkrnlpa.exe!RtlSidHashLookup + 3FC 82EB48FC 4 Bytes [DE, F8, BD, 83] .text ntkrnlpa.exe!RtlSidHashLookup + 624 82EB4B24 3 Bytes [7E, 1E, BE] .text ... 
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F01C000, 0x38E905, 0xE8000020] ? C:\Windows\TEMP\5B29D05A.sys Nie można odnaleźć określonego pliku. [The system cannot find the file specified.] ! ---- User code sections - GMER 2.0 ---- .text C:\Program Files\DrWeb\dwservice.exe[2096] USER32.dll!NotifyWinEvent + 48B 7673F724 4 Bytes [E7, 12, 02, 00] {OUT 0x12, EAX; ADD AL, [EAX]} .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[2684] USER32.dll!NotifyWinEvent + 48B 7673F724 4 Bytes [E7, 12, 02, 00] {OUT 0x12, EAX; ADD AL, [EAX]} .text C:\Program Files\DrWeb\spideragent.exe[2724] kernel32.dll!SetUnhandledExceptionFilter 75383142 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Program Files\DrWeb\spideragent.exe[2724] USER32.dll!NotifyWinEvent + 48B 7673F724 4 Bytes [E7, 12, 02, 00] {OUT 0x12, EAX; ADD AL, [EAX]} .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3464] ntdll.dll!KiUserApcDispatcher 76E26398 5 Bytes JMP 00021395 .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwengine.exe[3464] USER32.dll!NotifyWinEvent + 48B 7673F724 4 Bytes [E7, 12, 02, 00] {OUT 0x12, EAX; ADD AL, [EAX]} .text C:\Program Files\DrWeb\dwnetfilter.exe[3736] kernel32.dll!SetUnhandledExceptionFilter 75383142 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Program Files\DrWeb\dwnetfilter.exe[3736] USER32.dll!NotifyWinEvent + 48B 7673F724 4 Bytes [E7, 12, 02, 00] {OUT 0x12, EAX; ADD AL, [EAX]} .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwarkdaemon.exe[4016] ntdll.dll!KiUserApcDispatcher 76E26398 5 Bytes JMP 00161395 .text C:\Program Files\Common Files\Doctor Web\Scanning Engine\dwarkdaemon.exe[4016] USER32.dll!NotifyWinEvent + 48B 7673F724 4 Bytes [E7, 12, 16, 00] ---- Registry - GMER 2.0 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Media Center\Service\Scheduler@Heartbeat 0xF2 0xA3 0x63 0x36 ... 
---- Files - GMER 2.0 ---- File C:\ProgramData\Microsoft\eHome\RecoveryTasks\mcglobal_13c4231d2c4_000990_01.rrtl 1312 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-browserballot_31bf3856ad364e35_6.1.7600.16526_none_62283b15ce321cd0.manifest 1790 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-browserballot_31bf3856ad364e35_6.1.7600.20641_none_62973696e76475c9.manifest 1790 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-s..g-jscript.resources_31bf3856ad364e35_9.4.8112.16421_en-us_6c762e19a0b0b38b.manifest 2893 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-scripting-jscript_31bf3856ad364e35_9.4.8112.16457_none_9b451d4d117d945f.manifest 26048 bytes File C:\Windows\winsxs\Manifests\x86_8212bafdedda5f2f5a1ee547feb62b31_31bf3856ad364e35_6.1.7600.16526_none_210960c438241adc.manifest 712 bytes File C:\Windows\winsxs\Manifests\x86_1eb9e8f27c82f32a3dd1fe250c432850_31bf3856ad364e35_6.1.7600.20641_none_36d13743fa365b69.manifest 701 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-b..erballot-runonce-01_31bf3856ad364e35_6.1.7600.16526_none_dfb82f6954cd6cb1.manifest 715 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-b..erballot-runonce-01_31bf3856ad364e35_6.1.7600.20641_none_e0272aea6dffc5aa.manifest 715 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-scripting-vbscript_31bf3856ad364e35_9.4.8112.16457_none_60bf38054840409b.manifest 32312 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-winsockautodialstub_31bf3856ad364e35_9.4.8112.16457_none_089005fc78239de2.manifest 2092 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-ielowutil.resources_31bf3856ad364e35_9.4.8112.16421_en-us_ea8b678c7236f23d.manifest 2251 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-ielowutil.resources_31bf3856ad364e35_9.4.8112.16421_pl-pl_e9d3b36ce0615bf8.manifest 2251 bytes File 
C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-ielowutil_31bf3856ad364e35_9.4.8112.16421_none_1ef5aee48b810ba0.manifest 3035 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-ieproxy-legacy_31bf3856ad364e35_9.4.8112.16421_none_c4cc056576e77688.manifest 38477 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-extcompat_31bf3856ad364e35_9.4.8112.16457_none_5514e0b8f0f3436c.manifest 68112 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-extensionmanager_31bf3856ad364e35_9.4.8112.16421_none_66a5364391ad6066.manifest 1463 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-htmlactivexcompat_31bf3856ad364e35_9.4.8112.16421_none_2fef10052a0fb3e3.manifest 119837 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-htmlapplication_31bf3856ad364e35_9.4.8112.16421_none_71d991ff23a3e055.manifest 6365 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-htmlconverter_31bf3856ad364e35_9.4.8112.16421_none_839852a2a1a15795.manifest 2414 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ieframe-optional_31bf3856ad364e35_9.4.8112.16421_none_fdb2cec5c032455b.manifest 27539 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ieframe.resources_31bf3856ad364e35_9.4.8112.16421_en-us_a845eaeee7f4a85d.manifest 3043 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ieframe.resources_31bf3856ad364e35_9.4.8112.16421_pl-pl_a78e36cf561f1218.manifest 3043 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-runtimeutilities_31bf3856ad364e35_9.4.8112.16457_none_6008df0fa6dd6d95.manifest 4525 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-i..ersandsecurityzones_31bf3856ad364e35_9.4.8112.16457_none_cd484c91f12328a5.manifest 246244 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-i..tocolimplementation_31bf3856ad364e35_9.4.8112.16457_none_1a4e2833bc2c4f38.manifest 41086 bytes File 
C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-jscriptdebugui_31bf3856ad364e35_9.4.8112.16457_none_d2d18393e7fe7a21.manifest 2712 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-jsprofilercore_31bf3856ad364e35_9.4.8112.16421_none_23273f2d4ba58c6b.manifest 4348 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-jsprofilerui_31bf3856ad364e35_9.4.8112.16421_none_0b7e9c65e8794902.manifest 2714 bytes File C:\Windows\winsxs\Manifests\x86_b94a9e8c0086d136fe102abe8d66d543_31bf3856ad364e35_6.1.7600.20641_none_ad51e9f1bd106969.manifest 712 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-htmlrendering_31bf3856ad364e35_9.4.8112.16457_none_2ba847523c82b86e.manifest 1171897 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-ieadvpack.resources_31bf3856ad364e35_9.4.8112.16421_en-us_f621d8f7313fb36f.manifest 2155 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-ie-ieadvpack.resources_31bf3856ad364e35_9.4.8112.16421_pl-pl_f56a24d79f6a1d2a.manifest 2155 bytes File C:\Windows\winsxs\Manifests\x86_c9a711f59e20297bda80f37efc925bde_31bf3856ad364e35_6.1.7600.16526_none_cd7e2d2de9fac0a4.manifest 701 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-inetres-adm.resources_31bf3856ad364e35_9.4.8112.16421_en-us_881d853a97c25a15.manifest 2447 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-inetres-adm.resources_31bf3856ad364e35_9.4.8112.16421_pl-pl_8765d11b05ecc3d0.manifest 2447 bytes File C:\Windows\winsxs\Manifests\x86_microsoft-windows-inetres-adm_31bf3856ad364e35_9.4.8112.16421_none_070efd16b219ccb4.manifest 2747 bytes File C:\Windows\winsxs\x86_microsoft-windows-browserballot_31bf3856ad364e35_6.1.7600.16526_none_62283b15ce321cd0 0 bytes File C:\Windows\winsxs\x86_microsoft-windows-browserballot_31bf3856ad364e35_6.1.7600.16526_none_62283b15ce321cd0\browserchoice.exe 293376 bytes executable File 
C:\Windows\winsxs\x86_microsoft-windows-browserballot_31bf3856ad364e35_6.1.7600.20641_none_62973696e76475c9 0 bytes File C:\Windows\winsxs\x86_microsoft-windows-browserballot_31bf3856ad364e35_6.1.7600.20641_none_62973696e76475c9\browserchoice.exe 293376 bytes executable File C:\Windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7600.16734_none_12f7e2974c7cac8a 0 bytes File C:\Windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7600.16734_none_12f7e2974c7cac8a\XpsGdiConverter.dll 288256 bytes executable File C:\Windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7600.20875_none_13573ffc65b9d56f 0 bytes File C:\Windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7600.20875_none_13573ffc65b9d56f\XpsGdiConverter.dll 288256 bytes executable File C:\Windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7601.17537_none_14e1407b49a0647b 0 bytes File C:\Windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7601.17537_none_14e1407b49a0647b\XpsGdiConverter.dll 288256 bytes executable File C:\Windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7601.21636_none_1569dcfc62beeaee 0 bytes File C:\Windows\winsxs\x86_microsoft-windows-c..ent-xpsgdiconverter_31bf3856ad364e35_6.1.7601.21636_none_1569dcfc62beeaee\XpsGdiConverter.dll 288256 bytes executable File C:\Windows\winsxs\x86_microsoft-windows-coreos_31bf3856ad364e35_6.1.7600.16970_none_252e76489fa130ee 0 bytes ---- EOF - GMER 2.0 ----