GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-03-27 09:54:32 Windows 6.1.7601 Service Pack 1, v.721 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9160310AS rev.HP07 149,05GB Running: 9q721xqj.exe; Driver: C:\Users\Grzesiek\AppData\Local\Temp\fxryqpob.sys ---- System - GMER 2.1 ---- SSDT 86584750 ZwAlertResumeThread SSDT 865847E8 ZwAlertThread SSDT 86584DE8 ZwAllocateVirtualMemory SSDT 865182D0 ZwAlpcConnectPort SSDT 865841C8 ZwAssignProcessToJobObject SSDT 86584578 ZwCreateMutant SSDT 865B5FC0 ZwCreateSymbolicLinkObject SSDT 86582430 ZwCreateThread SSDT 86584068 ZwCreateThreadEx SSDT 86584260 ZwDebugActiveProcess SSDT 86584EB0 ZwDuplicateObject SSDT 86584CD8 ZwFreeVirtualMemory SSDT 86584620 ZwImpersonateAnonymousToken SSDT 865846B8 ZwImpersonateThread SSDT 8651D7E8 ZwLoadDriver SSDT 86584C20 ZwMapViewOfSection SSDT 865844E0 ZwOpenEvent SSDT 86584FC0 ZwOpenProcess SSDT 86580AD0 ZwOpenProcessToken SSDT 865843B0 ZwOpenSection SSDT 86584F38 ZwOpenThread SSDT 86584120 ZwProtectVirtualMemory SSDT 86584880 ZwResumeThread SSDT 86584A48 ZwSetContextThread SSDT 86584AE0 ZwSetInformationProcess SSDT 865842F8 ZwSetSystemInformation SSDT 86584448 ZwSuspendProcess SSDT 86584918 ZwSuspendThread SSDT 86361068 ZwTerminateProcess SSDT 865849B0 ZwTerminateThread SSDT 86584B88 ZwUnmapViewOfSection SSDT 86584D60 ZwWriteVirtualMemory ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwSaveKey + 13C1 83046F89 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83081E12 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + B5E 830862E4 8 Bytes [50, 47, 58, 86, E8, 47, 58, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + B76 830862FC 4 Bytes [E8, 4D, 58, 86] .text ntkrnlpa.exe!KeRemoveQueueEx + B82 83086308 4 Bytes [D0, 82, 51, 86] .text ntkrnlpa.exe!KeRemoveQueueEx + BD6 8308635C 4 Bytes [C8, 41, 58, 86] {ENTER 0x5841, 0x86} .text ntkrnlpa.exe!KeRemoveQueueEx + C52 830863D8 4 Bytes [78, 45, 58, 86] .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0xA7839000, 0x2D50D6, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe[1648] ntdll.dll!NtTerminateThread 77286398 5 Bytes JMP 00020050 .text C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe[1648] USER32.dll!ChangeWindowMessageFilterEx + 93 764B26FD 7 Bytes JMP 00210A12 .text C:\Program Files\HP\HP LaserJet M1210 MFP Series\ReceiveFaxUtility.exe[1648] USER32.dll!RecordShutdownReason + 372 764F0562 7 Bytes JMP 00210930 .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!NtClose 77284F88 5 Bytes JMP 61A880A0 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!NtCreateFile 77285088 5 Bytes JMP 61A87EE0 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!NtFlushBuffersFile 77285418 5 Bytes JMP 61AA6E90 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!NtLockFile 77285658 5 Bytes JMP 61AA6F80 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!NtOpenFile 77285798 1 Byte [E9] .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!NtOpenFile 77285798 5 Bytes JMP 61A87E50 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!NtQueryInformationFile 77285AD8 5 Bytes JMP 61A88120 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!NtReadFile 77285D78 5 Bytes JMP 61A87F80 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!NtSetInformationFile 772860F8 5 Bytes JMP 61A881B0 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!NtSetInformationProcess 77286138 5 Bytes JMP 006D04B2 .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!NtUnlockFile 77286458 5 Bytes JMP 61AA7010 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!NtWriteFile 77286528 5 Bytes JMP 61A88010 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] ntdll.dll!RtlUnicodeStringToAnsiString + 691 772963FA 7 Bytes JMP 622B1FFD C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] kernel32.dll!K32GetPerformanceInfo + 1B6 7504602A 7 Bytes JMP 006D012A .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] kernel32.dll!ReadProcessMemory + B 7504C1D9 7 Bytes JMP 006D0048 .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] kernel32.dll!TerminateProcess + B 7505233C 7 Bytes JMP 006D02EE .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 75058996 7 Bytes JMP 6011049D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] kernel32.dll!GetEnvironmentStringsA + 11 75062FB1 7 Bytes JMP 006D020C .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] kernel32.dll!BaseThreadInitThunk + C9 75063CFC 7 Bytes JMP 5FD25A06 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] kernel32.dll!SetUnhandledExceptionFilter + 19C 75063E9D 7 Bytes JMP 006D03D0 .text C:\Program Files\Mozilla Firefox\firefox.exe[1908] GDI32.dll!GetViewportOrgEx + 26C 74EC8A16 7 Bytes JMP 601104C4 C:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e439d1e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e439d1e@6ce9075a08fb 0x3C 0xDB 0x25 0xBC ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e439d1e@90c11504203b 0x2A 0x10 0xBB 0x13 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e439d1e@58c38b0087be 0x1A 0xDB 0xC2 0xA2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e439d1e@58a2b5476fcc 0xF6 0xD9 0xFF 0xFC ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e439d1e@e063e54229df 0x30 0x9C 0xB9 0x36 ... Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 11955 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 9671 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e439d1e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e439d1e@6ce9075a08fb 0x3C 0xDB 0x25 0xBC ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e439d1e@90c11504203b 0x2A 0x10 0xBB 0x13 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e439d1e@58c38b0087be 0x1A 0xDB 0xC2 0xA2 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e439d1e@58a2b5476fcc 0xF6 0xD9 0xFF 0xFC ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e439d1e@e063e54229df 0x30 0x9C 0xB9 0x36 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@VirtualStoreSize 947 ---- EOF - GMER 2.1 ----