GMER 2.1.19081 - http://www.gmer.net
Rootkit scan 2013-02-24 14:39:09
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 TOSHIBA_MK1234GSX rev.AH001H 111,79GB
Running: 8i2p28p0.exe; Driver: C:\Users\Darek\AppData\Local\Temp\kwddikog.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0x9244114A]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0x9244121A]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x92440D7C]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwSuspendProcess [0x92440F6A]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwSuspendThread [0x92441000]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x92440E32]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x92440ECE]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9244109C]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82C549E9 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C8E1C2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1357 82C9546C 8 Bytes [4A, 11, 44, 92, 1A, 12, 44, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 82C954B4 4 Bytes [7C, 0D, 44, 92] {JL 0xf; INC ESP; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 165F 82C95774 8 Bytes [6A, 0F, 44, 92, 00, 10, 44, ...] {PUSH 0xf; INC ESP; XCHG EDX, EAX; ADD [EAX], DL; INC ESP; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 166F 82C95784 8 Bytes [32, 0E, 44, 92, CE, 0E, 44, ...] {XOR CL, [ESI]; INC ESP; XCHG EDX, EAX; INTO ; PUSH CS; INC ESP; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 16E3 82C957F8 4 Bytes [9C, 10, 44, 92]
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x93014340, 0x3EE217, 0xE8000020]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\rundll32.exe[1172] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74EAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1172] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74EAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1172] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74EAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1172] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74EAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[1480] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74EAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[1480] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74EAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[1480] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74EAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\System32\rundll32.exe[1480] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74EAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1520] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [74EAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1520] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [74EAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1520] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [74EAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)
IAT C:\Windows\system32\rundll32.exe[1520] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [74EAFFF6] C:\Windows\system32\apphelp.dll (Application Compatibility Client Library/Microsoft Corporation)

---- Devices - GMER 2.1 ----

Device \Driver\BTHUSB \Device\0000008e bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device \Driver\BTHUSB \Device\0000008c bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6b2a9a38
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001a6b2a9a38 (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5C065EBE-A3C1-7001-75FE-40CA90216426}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5C065EBE-A3C1-7001-75FE-40CA90216426}@iampcilphfdcgffbcl 0x6B 0x61 0x69 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5C065EBE-A3C1-7001-75FE-40CA90216426}@hacomfjmnaoojhlj 0x6B 0x61 0x69 0x65 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5C065EBE-A3C1-7001-75FE-40CA90216426}@haiokodboajgmnmp 0x62 0x61 0x6A 0x70 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5C065EBE-A3C1-7001-75FE-40CA90216426}@jalopojkiidimpjbmkpb 0x64 0x62 0x6F 0x63 ...

---- EOF - GMER 2.1 ----
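The following is an added example, not part of the GMER log above: a Python triage script that re-parses the log's records (copied verbatim into the script) and checks two things the raw log does not spell out. First, it decodes the ntkrnlpa.exe byte dumps as little-endian 32-bit values and matches them against the SSDT hook addresses; in this log every KeRemoveQueueEx dump decodes to exactly the avgidsshimx.sys hook addresses (the truncated second slot of each 8-byte dump matches on its low 24 bits), so those "kernel code section" entries are the patched service-table slots rather than separate kernel patches, and only the ZwRollbackEnlistment + 140D byte is left uncorrelated. Second, it labels the hidden registry objects with heuristics that are my own judgement calls, not signatures: the BTHPORT Keys tree as the Bluetooth link-key store, and the Shell Extensions\Approved CLSID values with random-looking names and raw hex data as items the log gives no explanation for. The function names parse, correlate, triage_registry and report, and the labels they emit, are assumptions of the example.

```python
import re
# Records copied verbatim from the GMER 2.1 log above, one per line. All eight SSDT
# hooks and all six ntkrnlpa.exe byte dumps are included because the correlation
# below needs them; the registry section is sampled (two of its seven records).
GMER_LOG = r"""
---- System - GMER 2.1 ----
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeKey [0x9244114A]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwNotifyChangeMultipleKeys [0x9244121A]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwOpenProcess [0x92440D7C]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwSuspendProcess [0x92440F6A]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwSuspendThread [0x92441000]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateProcess [0x92440E32]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwTerminateThread [0x92440ECE]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (IDS Application Activity Monitor Loader Driver./AVG Technologies CZ, s.r.o. ) ZwWriteVirtualMemory [0x9244109C]
---- Kernel code sections - GMER 2.1 ----
.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82C549E9 1 Byte [06]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1357 82C9546C 8 Bytes [4A, 11, 44, 92, 1A, 12, 44, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 139F 82C954B4 4 Bytes [7C, 0D, 44, 92] {JL 0xf; INC ESP; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 165F 82C95774 8 Bytes [6A, 0F, 44, 92, 00, 10, 44, ...] {PUSH 0xf; INC ESP; XCHG EDX, EAX; ADD [EAX], DL; INC ESP; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 166F 82C95784 8 Bytes [32, 0E, 44, 92, CE, 0E, 44, ...] {XOR CL, [ESI]; INC ESP; XCHG EDX, EAX; INTO ; PUSH CS; INC ESP; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 16E3 82C957F8 4 Bytes [9C, 10, 44, 92]
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001a6b2a9a38
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{5C065EBE-A3C1-7001-75FE-40CA90216426}@iampcilphfdcgffbcl 0x6B 0x61 0x69 0x65 ...
---- EOF - GMER 2.1 ----
"""

SSDT_RE = re.compile(r"^SSDT (\S+) \((.*)\) (Zw\w+) \[0x([0-9A-Fa-f]+)\]$")
PATCH_RE = re.compile(r"^\.text (\S+) \+ ([0-9A-Fa-f]+) ([0-9A-Fa-f]{8}) (\d+) Bytes? \[([^\]]*)\]")

def parse(log):
    """Split a GMER log into SSDT hooks, kernel byte dumps and hidden registry objects."""
    ssdt, patches, regs = [], [], []
    for line in log.strip().splitlines():
        line = line.rstrip()
        m = SSDT_RE.match(line)
        if m:
            ssdt.append({"module": m.group(1).rsplit("\\", 1)[-1],
                         "vendor": m.group(2).rsplit("/", 1)[-1].strip(),
                         "func": m.group(3), "addr": int(m.group(4), 16)})
            continue
        m = PATCH_RE.match(line)
        if m:  # GMER truncates long dumps with "..."; keep only the bytes it printed
            raw = [int(b, 16) for b in m.group(5).split(", ") if b != "..."]
            patches.append({"symbol": m.group(1), "offset": m.group(2),
                            "addr": int(m.group(3), 16), "bytes": bytes(raw)})
            continue
        if line.startswith("Reg "):
            path, _, rest = line[4:].partition("@")
            name, _, data = rest.partition(" ")
            regs.append({"path": path.strip(), "name": name, "data": data})
    return ssdt, patches, regs

def correlate(ssdt, patches):
    """Decode each dump as little-endian 32-bit slots (ntkrnlpa.exe is a 32-bit kernel)
    and look the values up among the SSDT hook addresses; a trailing 3-byte slot cut
    off by "..." is matched on its low 24 bits and tagged with '?'."""
    by_addr = {h["addr"]: h for h in ssdt}
    by_low24 = {h["addr"] & 0xFFFFFF: h for h in ssdt}
    results = []
    for p in patches:
        hits = []
        for i in range(0, len(p["bytes"]), 4):
            slot = p["bytes"][i:i + 4]
            value = int.from_bytes(slot, "little")
            if len(slot) == 4 and value in by_addr:
                hits.append((by_addr[value]["func"], by_addr[value]["module"]))
            elif len(slot) == 3 and value in by_low24:
                hits.append((by_low24[value]["func"] + "?", by_low24[value]["module"]))
        if hits:  # the slots are the hook pointers themselves: this is the service table
            verdict = "SSDT slots pointing into " + ", ".join(sorted({m for _, m in hits}))
        else:
            verdict = "uncorrelated byte change; compare with a clean Windows 6.1.7601 x86 kernel"
        results.append({"symbol": p["symbol"], "offset": p["offset"],
                        "matched": [f for f, _ in hits], "verdict": verdict})
    return results

def triage_registry(regs):
    """Heuristic labels (my judgement, not signatures): the BTHPORT Keys tree holds
    Bluetooth link keys and GMER reports it on nearly every Bluetooth host; a value
    with a random-looking lowercase name holding raw hex bytes needs a look."""
    out = []
    for r in regs:
        target = r["path"] + ("@" + r["name"] if r["name"] else "")
        if "\\BTHPORT\\Parameters\\Keys\\" in r["path"]:
            out.append((target, "expected: Bluetooth link-key store"))
        elif re.fullmatch(r"[a-z]{12,24}", r["name"]) and r["data"].startswith("0x"):
            out.append((target, "review: random-looking value name holding raw bytes"))
        else:
            out.append((target, "review: unclassified hidden object"))
    return out

def report(log):
    ssdt, patches, regs = parse(log)
    lines = ["%d SSDT hooks from %s" % (len(ssdt), ", ".join(sorted({h["module"] for h in ssdt})))]
    lines += ["%s+%s: %s %s" % (r["symbol"], r["offset"], r["verdict"], r["matched"])
              for r in correlate(ssdt, patches)]
    lines += ["%s -> %s" % t for t in triage_registry(regs)]
    return lines

if __name__ == "__main__":
    print("\n".join(report(GMER_LOG)))
```

Run it as a script to print the report. The correlation step is the useful part: it turns six alarming-looking ".text ... Bytes" entries into "the AVG driver's hook pointers as they sit in the service table", which is what an installed AV on 32-bit Windows 7 (no PatchGuard on x86) is expected to do. The registry heuristics say nothing about what the Shell Extensions values are; they only flag that the log itself offers no explanation for them, so they need to be read out and checked separately.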