GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-27 18:56:34
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST980811AS rev.3.ALB 74,53GB
Running: gmer.exe; Driver: C:\DOCUME~1\User\USTAWI~1\Temp\pwrdypog.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0xF79556F0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0xF7955820]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0xF7955010]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0xF79554E0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0xF7955300]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0xF79553F0]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0xF7955120]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0xF7955210]
SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0xF79555F0]

INT 0x62 ? 86392CB8
INT 0x63 ? 86392CB8
INT 0x63 ? 86392CB8
INT 0x63 ? 86254CF8
INT 0x63 ? 86392CB8
INT 0x74 ? 86254CF8
INT 0x84 ? 86254CF8

---- Kernel code sections - GMER 2.1 ----

.sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF75C6FEE]

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\SearchIndexer.exe[3636] kernel32.dll!WriteFile 7C8112FF 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL

---- Devices - GMER 2.1 ----

Device \FileSystem\Ntfs \Ntfs 863911F8
AttachedDevice \Driver\Tcpip \Device\Ip avgtdix.sys
Device \Driver\usbuhci \Device\USBPDO-0 861781F8
Device \Driver\usbuhci \Device\USBPDO-1 861781F8
Device \Driver\usbehci \Device\USBPDO-2 8624D440
Device \Driver\usbuhci \Device\USBPDO-3 861781F8
Device \Driver\usbuhci \Device\USBPDO-4 861781F8
AttachedDevice \Driver\Tcpip \Device\Tcp avgtdix.sys
Device \Driver\Cdrom \Device\CdRom0 8619F1F8
Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7466B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort0 [F7466B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort1 [F7466B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdePort2 [F7466B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F7466B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device \Driver\NetBT \Device\NetBT_Tcpip_{C9BDE1F9-2312-479B-BFE6-B8653274055A} 8617B1F8
Device \Driver\NetBT \Device\NetBt_Wins_Export 8617B1F8
Device \Driver\NetBT \Device\NetbiosSmb 8617B1F8
Device \Driver\NetBT \Device\NetBT_Tcpip_{5A90B3C3-24BB-4CF1-A90A-113AF67C057B} 8617B1F8
AttachedDevice \Driver\Tcpip \Device\Udp avgtdix.sys
AttachedDevice \Driver\Tcpip \Device\RawIp avgtdix.sys
Device \Driver\usbuhci \Device\USBFDO-0 861781F8
Device \Driver\usbuhci \Device\USBFDO-1 861781F8
Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 860E01F8
Device \Driver\usbuhci \Device\USBFDO-2 861781F8
Device \FileSystem\MRxSmb \Device\LanmanRedirector 860E01F8
Device \Driver\usbuhci \Device\USBFDO-3 861781F8
Device \Driver\usbehci \Device\USBFDO-4 8624D440
Device \FileSystem\Cdfs \Cdfs 8628F440

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Classes\Microsoft.PowerShellScript.1\shell\Uruchom za pomocą programu PowerShell
Reg HKLM\SOFTWARE\Classes\Microsoft.PowerShellScript.1\shell\Uruchom za pomocą programu PowerShell\command
Reg HKLM\SOFTWARE\Classes\Microsoft.PowerShellScript.1\shell\Uruchom za pomocą programu PowerShell\command@ "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" "-file" "%1"
Reg HKLM\SOFTWARE\Classes\SOFTWARE\Classes\CLSID\{41B21542-2055-4212-A6F2-395CD109B14B}@MarketingHeaders TRIAL+1-CID174E4+1-CID189+2-C188T+62-C188F+1-C378S+9-CID242+1-CID242T+1-PIP16+0-C457+0