GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-01 18:24:56
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 ST9320421ASG rev.SD13 298,09GB
Running: w9xnz8hm.exe; Driver: C:\Users\666\AppData\Local\Temp\pxriqpow.sys

---- Kernel code sections - GMER 2.1 ----

.text  ntoskrnl.exe!ZwRequestWaitReplyPort + 14B9  82C89A15 1 Byte  [06]
.text  ntoskrnl.exe!KiDispatchInterrupt + 5A2  82CA9C62 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] ntdll.dll!NtCreateFile  77CD55B8 5 Bytes  JMP 66C69BE7 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] ntdll.dll!NtFlushBuffersFile  77CD5948 5 Bytes  JMP 66C699A6 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] ntdll.dll!NtQueryFullAttributesFile  77CD5FD8 5 Bytes  JMP 66C69ADA C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] ntdll.dll!NtReadFile  77CD62A8 5 Bytes  JMP 66C699E0 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] ntdll.dll!NtReadFileScatter  77CD62B8 5 Bytes  JMP 66F79DF5 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] ntdll.dll!NtWriteFile  77CD6A58 5 Bytes  JMP 66C69D33 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] ntdll.dll!NtWriteFileGather  77CD6A68 5 Bytes  JMP 66F79E45 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] ntdll.dll!LdrLoadDll  77CF245E 5 Bytes  JMP 6907901C C:\Program Files\Mozilla Firefox\mozglue.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D  764F94E6 7 Bytes  JMP 66F6526B C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] kernel32.dll!QueryPerformanceCounter + 13  764FC4E5 7 Bytes  JMP 66F66A29 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] kernel32.dll!LoadAppInitDlls + 355  764FF5A6 7 Bytes  JMP 66D14308 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] USER32.dll!GetWindowInfo  76614B5E 5 Bytes  JMP 66CE1E07 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[3748] GDI32.dll!GetViewportOrgEx + 26C  77A2884B 7 Bytes  JMP 66F63A49 C:\Program Files\Mozilla Firefox\xul.dll

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001f3ad2e695
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001f3ad2e695 (not active ControlSet)
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  0x7A 0xA0 0xEC 0xA8 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe  0x5A 0xCA 0x9C 0xCE ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe  0x05 0x62 0xE8 0xCF ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\mmc.exe  0x2D 0x84 0x77 0x2F ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe  0xE5 0x44 0x5C 0xB6 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe  0xBF 0x5D 0x5F 0x94 ...

---- EOF - GMER 2.1 ----