GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-09 19:31:28 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.ESBO 232,89GB Running: 63i0d7on.exe; Driver: C:\Users\Tomasz\AppData\Local\Temp\ugrdipoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x8A5FE14A] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x8A5FE21A] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x8A5FDD7C] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x8A5FDF6A] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x8A5FE000] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x8A5FDE32] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x8A5FDECE] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x8A5FE09C] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 81E46A09 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81E801F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1357 81E874AC 8 Bytes [4A, E1, 5F, 8A, 1A, E2, 5F, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 139F 81E874F4 4 Bytes [7C, DD, 5F, 8A] .text ntkrnlpa.exe!KeRemoveQueueEx + 165F 81E877B4 8 Bytes [6A, DF, 5F, 8A, 00, E0, 5F, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 166F 81E877C4 8 Bytes [32, DE, 5F, 8A, CE, DE, 5F, ...] {XOR BL, DH; POP EDI; MOV CL, DH; FICOMP WORD [EDI-0x76]} .text ntkrnlpa.exe!KeRemoveQueueEx + 16E3 81E87838 4 Bytes [9C, E0, 5F, 8A] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[4708] ntdll.dll!LdrGetProcedureAddress + 26 77A92239 7 Bytes JMP 69D76D70 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4708] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 7574941E 7 Bytes JMP 6A0CD713 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4708] kernel32.dll!QueryPerformanceCounter + 13 7574C435 7 Bytes JMP 6A0CD736 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4708] kernel32.dll!LoadAppInitDlls + 355 7574F4F6 7 Bytes JMP 69D91C62 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4708] USER32.dll!GetWindowInfo 76F34B5E 5 Bytes JMP 69F56045 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4708] GDI32.dll!GetViewportOrgEx + 26C 766E884B 7 Bytes JMP 6A0CD694 C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73DB24CB] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73D9562E] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73D956EC] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [73DB2546] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73DA85AA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73DA4D5E] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73DA5105] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73DA51DA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73DA6707] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73DA8301] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73DA8850] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73DA90B1] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73DAE254] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll IAT C:\windows\Explorer.EXE[2012] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73DA4C90] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde6a7914 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de6f90a5 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\90a4de6f90a5@ccf9e83b220e 0xF7 0x03 0x85 0x2C ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\dca97100692c Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde6a7914 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de6f90a5 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\90a4de6f90a5@ccf9e83b220e 0xF7 0x03 0x85 0x2C ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\dca97100692c (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----