GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-10 18:27:56
Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FB4O 298,09GB
Running: gmer.exe; Driver: C:\Users\Darek\AppData\Local\Temp\kxliypod.sys


---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwAdjustPrivilegesToken [0x8F97A418]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwAlpcConnectPort [0x8F97A824]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwAlpcCreatePort [0x8F97A7D2]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwConnectPort [0x8F97965E]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateEvent [0x8F978734]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateEventPair [0x8F97878C]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateFile [0x8F97A046]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateMutant [0x8F9786DE]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreatePort [0x8F978686]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateSection [0x8F979D62]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateSemaphore [0x8F9787DE]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateSymbolicLinkObject [0x8F97B3E4]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateThread [0x8F979008]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwLoadDriver [0x8F97ADEA]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwMakeTemporaryObject [0x8F979936]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwOpenFile [0x8F97A23E]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwOpenSection [0x8F979BEA]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwSetInformationProcess [0x8F97A60C]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwSetSystemInformation [0x8F97B0EA]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwShutdownSystem [0x8F9798AC]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwSystemDebugControl [0x8F979AD6]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwTerminateProcess [0x8F97943E]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwTerminateThread [0x8F97920C]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateThreadEx [0x8F97AA6E]

---- Kernel code sections - GMER 2.1 ----

.text  ntoskrnl.exe!KeInsertQueue + 309  82C778D0 4 Bytes  [18, A4, 97, 8F]
.text  ntoskrnl.exe!KeInsertQueue + 32D  82C778F4 8 Bytes  [24, A8, 97, 8F, D2, A7, 97, ...]
.text  ntoskrnl.exe!KeInsertQueue + 3B1  82C77978 4 Bytes  [5E, 96, 97, 8F]
.text  ntoskrnl.exe!KeInsertQueue + 3C1  82C77988 12 Bytes  [34, 87, 97, 8F, 8C, 87, 97, ...]
.text  ntoskrnl.exe!KeInsertQueue + 3E5  82C779AC 4 Bytes  [DE, 86, 97, 8F]
.text  ...
.text  C:\Windows\system32\DRIVERS\nvlddmkm.sys  section is writeable [0x8E800340, 0x3E9407, 0xE8000020]
.text  C:\Windows\system32\DRIVERS\atksgt.sys  section is writeable [0x8B0BA300, 0x3AE88, 0xE8000020]
.text  C:\Windows\system32\DRIVERS\lirsgt.sys  section is writeable [0x907FB300, 0x1B7E, 0xE8000020]

---- Processes - GMER 2.1 ----

Process  (*** hidden *** )  [4] 84A5B910

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0002787923ce
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001167d2c78b
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe1f5d89c
Reg  HKLM\SYSTEM\CurrentControlSet\Services\cmdAgent\Mode\Configurations@SymbolicLinkValue  0x5C 0x00 0x52 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\cmdAgent\Mode\Data@SymbolicLinkValue  0x5C 0x00 0x52 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\cmdAgent\Mode\Options@SymbolicLinkValue  0x5C 0x00 0x52 0x00 ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0002787923ce (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001167d2c78b (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe1f5d89c (not active ControlSet)
Reg  HKLM\SYSTEM\Software\COMODO\Cam@SymbolicLinkValue  0x5C 0x00 0x52 0x00 ...
Reg  HKLM\SYSTEM\Software\COMODO\Firewall Pro@SymbolicLinkValue  0x5C 0x00 0x52 0x00 ...

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk0\DR0  unknown MBR code

---- EOF - GMER 2.1 ----
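The script below is an added triage helper for reading a GMER log like the one above; it is not part of GMER and was not posted with the log. It parses GMER's section-based text format and pulls out the four things worth checking first in this scan: which driver owns the SSDT hooks, what the bytes GMER saw modified in ntoskrnl actually decode to, which processes GMER could not enumerate, and what it says about the MBR. The LOG constant is an excerpt copied from the scan above (eight of its 24 SSDT lines, the Registry section left out); all regular expressions and function names are this example's own.

```python
"""Triage helper for a GMER 2.1 rootkit-scan log (added example, not GMER's own code)."""
import re
from collections import Counter

# Excerpt of the scan above: eight of its 24 SSDT entries (the five whose addresses
# reappear in the ntoskrnl bytes, plus three notable hooks), the patched ntoskrnl
# bytes, the writeable sections, the hidden process and the MBR verdict. GMER's own
# "..." truncations are kept as printed; the Registry section is omitted.
LOG = r"""GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-10 18:27:56
---- System - GMER 2.1 ----
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwAdjustPrivilegesToken [0x8F97A418]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwAlpcConnectPort [0x8F97A824]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwConnectPort [0x8F97965E]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateEvent [0x8F978734]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateMutant [0x8F9786DE]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwLoadDriver [0x8F97ADEA]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwTerminateProcess [0x8F97943E]
SSDT  \SystemRoot\system32\DRIVERS\cmdguard.sys  ZwCreateThreadEx [0x8F97AA6E]
---- Kernel code sections - GMER 2.1 ----
.text  ntoskrnl.exe!KeInsertQueue + 309  82C778D0 4 Bytes  [18, A4, 97, 8F]
.text  ntoskrnl.exe!KeInsertQueue + 32D  82C778F4 8 Bytes  [24, A8, 97, 8F, D2, A7, 97, ...]
.text  ntoskrnl.exe!KeInsertQueue + 3B1  82C77978 4 Bytes  [5E, 96, 97, 8F]
.text  ntoskrnl.exe!KeInsertQueue + 3C1  82C77988 12 Bytes  [34, 87, 97, 8F, 8C, 87, 97, ...]
.text  ntoskrnl.exe!KeInsertQueue + 3E5  82C779AC 4 Bytes  [DE, 86, 97, 8F]
.text  C:\Windows\system32\DRIVERS\nvlddmkm.sys  section is writeable [0x8E800340, 0x3E9407, 0xE8000020]
.text  C:\Windows\system32\DRIVERS\atksgt.sys  section is writeable [0x8B0BA300, 0x3AE88, 0xE8000020]
.text  C:\Windows\system32\DRIVERS\lirsgt.sys  section is writeable [0x907FB300, 0x1B7E, 0xE8000020]
---- Processes - GMER 2.1 ----
Process  (*** hidden *** )  [4] 84A5B910
---- Disk sectors - GMER 2.1 ----
Disk  \Device\Harddisk0\DR0  unknown MBR code
---- EOF - GMER 2.1 ----
"""

SECTION = re.compile(r"^---- (.+?) - GMER 2\.1 ----$")
SSDT = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s+\[(0x[0-9A-Fa-f]+)\]")
PATCH = re.compile(r"^\.text\s+(\S+ \+ [0-9A-Fa-f]+)\s+[0-9A-Fa-f]{8}\s+\d+ Bytes\s+\[([^\]]*)\]")
WRITEABLE = re.compile(r"^\.text\s+(\S+)\s+section is writeable")
HIDDEN = re.compile(r"^Process\s+\(\*\*\* hidden \*\*\* \)\s+\[(\d+)\]\s+([0-9A-Fa-f]+)")
DISK = re.compile(r"^Disk\s+(\S+)\s+(.+)$")


def sections(text):
    """Split the log into {section name: [non-empty lines]}; text before the first header is 'header'."""
    out, cur = {"header": []}, "header"
    for line in filter(str.strip, text.splitlines()):
        m = SECTION.match(line)
        if m:
            cur = m.group(1)
            out.setdefault(cur, [])
        else:
            out[cur].append(line)
    return out


def matches(text, section, rx):
    """All regex matches of rx over the lines of one section."""
    return [m for line in sections(text).get(section, []) for m in [rx.match(line)] if m]


def ssdt_hooks(text):
    """(driver path, hooked service, hook address) for every SSDT line."""
    return [(m[1], m[2], int(m[3], 16)) for m in matches(text, "System", SSDT)]


def hook_owners(text):
    """SSDT hooks per driver file. One installed product owning every hook is the
    profile of a HIPS; a stealth rootkit usually hooks few services and hides its module."""
    return Counter(p.rsplit("\\", 1)[-1].lower() for p, _, _ in ssdt_hooks(text))


def correlate_patches(text):
    """Decode the little-endian dwords GMER saw modified in ntoskrnl and look each one
    up among the SSDT hook addresses. GMER's trailing '...' and any incomplete dword
    are dropped. A match means the 'patched' bytes are the hooked service-table slots
    themselves, not a second, separate code patch."""
    by_addr = {addr: name for _, name, addr in ssdt_hooks(text)}
    out = []
    for m in matches(text, "Kernel code sections", PATCH):
        raw = [b for b in m[2].replace(" ", "").split(",") if b and b != "..."]
        blob = bytes(int(b, 16) for b in raw)
        for i in range(0, len(blob) - 3, 4):
            addr = int.from_bytes(blob[i:i + 4], "little")
            out.append((m[1], addr, by_addr.get(addr)))
    return out


def hidden_processes(text):
    """(PID, EPROCESS address) for processes GMER found but could not enumerate. PID 4 is System."""
    return [(int(m[1]), m[2]) for m in matches(text, "Processes", HIDDEN)]


def writeable_sections(text):
    """Driver paths whose .text section GMER found mapped writeable."""
    return [m[1] for m in matches(text, "Kernel code sections", WRITEABLE)]


def mbr_status(text):
    """GMER's verdict on the boot sector, e.g. 'unknown MBR code'."""
    m = matches(text, "Disk sectors", DISK)
    return m[0][2] if m else None


if __name__ == "__main__":
    print("SSDT hooks per driver:", dict(hook_owners(LOG)))
    for where, addr, name in correlate_patches(LOG):
        print(f"  {where}: 0x{addr:08X} -> {name or 'no SSDT hook at this address'}")
    print("hidden:", hidden_processes(LOG), "writeable:", writeable_sections(LOG), "MBR:", mbr_status(LOG))
```

Reading the result against this scan: every SSDT hook belongs to cmdguard.sys, the COMODO kernel driver, and the Registry section confirms COMODO Firewall Pro and its cmdAgent service are installed, so the hooks are the HIPS doing its job rather than an unknown module. The five decodable dwords from the "ntoskrnl.exe!KeInsertQueue + offset" lines come out as 0x8F97A418, 0x8F97A824, 0x8F97965E, 0x8F978734 and 0x8F9786DE, which are exactly the hook addresses of ZwAdjustPrivilegesToken, ZwAlpcConnectPort, ZwConnectPort, ZwCreateEvent and ZwCreateMutant; GMER labels the location by the nearest exported symbol, and the values show those bytes are the service table slots already listed under SSDT, not an additional patch. The remaining items need a second look rather than a verdict from the log alone: PID 4 is the Windows System process and its "hidden" flag should be confirmed with another tool; nvlddmkm.sys is the NVIDIA display driver, and atksgt.sys and lirsgt.sys are the TAGES copy-protection drivers that ship with some games; and "unknown MBR code" only means the boot sector did not match GMER's known patterns, so dump and inspect the MBR before calling it a bootkit.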