GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-30 09:22:11
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BPVT-22JJ5T0 rev.01.01A01 298,09GB
Running: zfqx6pkc.exe; Driver: C:\Users\Acer\AppData\Local\Temp\aftcqaob.sys

---- System - GMER 2.1 ----

SSDT \??\C:\Windows\system32\Drivers\omwd.sys ZwCreateFile [0x92D8CCF8]
SSDT \??\C:\Windows\system32\Drivers\omwd.sys ZwCreateKey [0x92D8D594]
SSDT \??\C:\Windows\system32\Drivers\omwd.sys ZwDeleteFile [0x92D8CC8C]
SSDT \??\C:\Windows\system32\Drivers\omwd.sys ZwDeleteValueKey [0x92D8D8A0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x8C6C56E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x8C6C5800]
SSDT \??\C:\Windows\system32\Drivers\omwd.sys ZwOpenFile [0x92D8CDCE]
SSDT \??\C:\Windows\system32\Drivers\omwd.sys ZwOpenKey [0x92D8D70C]
SSDT \??\C:\Windows\system32\Drivers\omwd.sys ZwOpenKeyEx [0x92D8D684]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x8C6C5010]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x8C6C54D0]
SSDT \??\C:\Windows\system32\Drivers\omwd.sys ZwQueryDirectoryFile [0x92D8D034]
SSDT \??\C:\Windows\system32\Drivers\omwd.sys ZwSetInformationFile [0x92D8CAC6]
SSDT \??\C:\Windows\system32\Drivers\omwd.sys ZwSetValueKey [0x92D8D790]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x8C6C5300]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x8C6C53E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x8C6C5120]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x8C6C5210]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x8C6C55E0]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRequestWaitReplyPort + 1495 82E499E5 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E83312 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11AF 82E8A634 4 Bytes [F8, CC, D8, 92]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11BF 82E8A644 4 Bytes [94, D5, D8, 92] {XCHG ESP, EAX; AAD 0xd8; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 123F 82E8A6C4 4 Bytes [8C, CC, D8, 92]
.text ntkrnlpa.exe!KeRemoveQueueEx + 124F 82E8A6D4 4 Bytes [A0, D8, D8, 92]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1357 82E8A7DC 8 Bytes [E0, 56, 6C, 8C, 00, 58, 6C, ...]
.text ...
? C:\Windows\system32\Drivers\omwd.sys Nie można odnaleźć określonego pliku.

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Plus Internet\Plus Internet.exe[1316] ntdll.dll!NtWriteVirtualMemory 77886AD8 5 Bytes JMP 67221000 C:\Program Files\AVG\AVG2015\avghookx.dll
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1496] ntdll.dll!NtWriteVirtualMemory 77886AD8 5 Bytes JMP 67221000 C:\Program Files\AVG\AVG2015\avghookx.dll
.text C:\Program Files\Windows Sidebar\sidebar.exe[1852] ntdll.dll!NtWriteVirtualMemory 77886AD8 5 Bytes JMP 67221000 C:\Program Files\AVG\AVG2015\avghookx.dll
.text C:\Users\Acer\AppData\Local\SmartWeb\SmartWebHelper.exe[3420] ntdll.dll!NtWriteVirtualMemory 77886AD8 5 Bytes JMP 67221000 C:\Program Files\AVG\AVG2015\avghookx.dll
.text C:\Program Files\Bluetooth Suite\AthBtTray.exe[3672] ntdll.dll!NtWriteVirtualMemory 77886AD8 5 Bytes JMP 67221000 C:\Program Files\AVG\AVG2015\avghookx.dll
.text ...

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [734E249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [734C5652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [734C5710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [734E251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [734D857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [734D4D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [734D50D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [734D51AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [734D66DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [734D82D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [734D8824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [734D9085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [734DE228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [734D4C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
AttachedDevice \Driver\tdx \Device\Tcp pfnfd_1_10_0_8.sys
AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys
AttachedDevice \Driver\tdx \Device\Udp pfnfd_1_10_0_8.sys
AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys
AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- EOF - GMER 2.1 ----