GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-03-18 05:16:55
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 HITACHI_ rev.PB3Z 298,09GB
Running: cxs5eelj.exe; Driver: C:\Users\brunon\AppData\Local\Temp\pxldqpoc.sys

---- System - GMER 2.2 ----

INT 0x51 ? A30D6558
INT 0x52 ? A1E9E058
INT 0x61 ? A30D62D8
INT 0x62 ? A1E9E2D8
INT 0x72 ? A325C2D8
INT 0x82 ? A1E9EA58
INT 0x92 ? A30D6CD8
INT 0xA0 ? A325C558
INT 0xA1 ? A30D67D8
INT 0xB0 ? A325CA58
INT 0xB1 ? A1E9ECD8
INT 0xB2 ? A1E9E7D8
INT 0xB3 ? A325C7D8

---- Kernel code sections - GMER 2.2 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD E324C579 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 E3270F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
PAGE ntkrnlpa.exe!RtlSetSaclSecurityDescriptor + B3E E33AC723 5 Bytes JMP A79D9176 \SystemRoot\system32\drivers\fortiloader.sys
? system32\drivers\08109185.sys System nie może odnaleźć określonej ścieżki. !
? System32\Drivers\8d0875c6e76948ad.sys System nie może odnaleźć określonej ścieżki. !

---- User code sections - GMER 2.2 ----

.text C:\Program Files\Fortinet\FortiClient\FortiTray.exe[1908] USER32.dll!SetScrollRange 7540AE3C 5 Bytes JMP 6F1323F0 C:\Program Files\Fortinet\FortiClient\FortiSkin.dll
.text C:\Program Files\Fortinet\FortiClient\FortiTray.exe[1908] USER32.dll!GetSysColorBrush 75412949 5 Bytes JMP 6F1351A0 C:\Program Files\Fortinet\FortiClient\FortiSkin.dll
.text C:\Program Files\Fortinet\FortiClient\FortiTray.exe[1908] USER32.dll!GetScrollInfo 75415151 7 Bytes JMP 6F132280 C:\Program Files\Fortinet\FortiClient\FortiSkin.dll
.text C:\Program Files\Fortinet\FortiClient\FortiTray.exe[1908] USER32.dll!SetWindowLongW 75416614 5 Bytes JMP 6F13A2A0 C:\Program Files\Fortinet\FortiClient\FortiSkin.dll
.text C:\Program Files\Fortinet\FortiClient\FortiTray.exe[1908] USER32.dll!SetScrollInfo 75416632 7 Bytes JMP 6F132370 C:\Program Files\Fortinet\FortiClient\FortiSkin.dll
.text C:\Program Files\Fortinet\FortiClient\FortiTray.exe[1908] USER32.dll!GetWindowLongW 754183A9 7 Bytes JMP 6F13A260 C:\Program Files\Fortinet\FortiClient\FortiSkin.dll
.text C:\Program Files\Fortinet\FortiClient\FortiTray.exe[1908] USER32.dll!GetSysColor 7541FA99 5 Bytes JMP 6F135140 C:\Program Files\Fortinet\FortiClient\FortiSkin.dll
.text C:\Program Files\Fortinet\FortiClient\FortiTray.exe[1908] USER32.dll!GetScrollRange 75431B6C 5 Bytes JMP 6F132330 C:\Program Files\Fortinet\FortiClient\FortiSkin.dll
.text C:\Program Files\Fortinet\FortiClient\FortiTray.exe[1908] USER32.dll!SetScrollPos 75431BD0 5 Bytes JMP 6F1323B0 C:\Program Files\Fortinet\FortiClient\FortiSkin.dll
.text C:\Program Files\Fortinet\FortiClient\FortiTray.exe[1908] USER32.dll!GetScrollPos 7543252B 5 Bytes JMP 6F1322C0 C:\Program Files\Fortinet\FortiClient\FortiSkin.dll
.text C:\Program Files\Fortinet\FortiClient\FortiTray.exe[1908] USER32.dll!EnableScrollBar 7543386D 7 Bytes JMP 6F132240 C:\Program Files\Fortinet\FortiClient\FortiSkin.dll
.text C:\Program Files\Fortinet\FortiClient\FortiTray.exe[1908] USER32.dll!ShowScrollBar 75435785 5 Bytes JMP 6F132430 C:\Program Files\Fortinet\FortiClient\FortiSkin.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] ntdll.dll!LdrLoadDll 76EAF585 5 Bytes JMP 6595A784 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] kernel32.dll!K32GetDeviceDriverBaseNameW + 16F 76FEC0CF 7 Bytes JMP 619450C2 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] kernel32.dll!CloseHandle + 38 76FF05EF 7 Bytes JMP 61945ABC C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] kernel32.dll!GetExitCodeProcess + 2C 76FF313D 7 Bytes JMP 616B5747 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] USER32.dll!CreateWindowExA 7540E18A 4 Bytes JMP 61A2B40F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] USER32.dll!CreateWindowExW 75410E51 4 Bytes JMP 616932C7 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] USER32.dll!GetWindowInfo 75416A82 5 Bytes JMP 62453F44 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] GDI32.dll!GetViewportOrgEx + 21C 755185EB 7 Bytes JMP 619449EB C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.2 ----

Device \FileSystem\66218137 \Device\KLMD16112015_02120001_B 08109185.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
Device \Driver\BTHUSB \Device\0000009e bthport.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
Device \Driver\BTHUSB \Device\000000a0 bthport.sys
Device \Driver\00000778 \Device\KLMD16112015_02120001 08109185.sys

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269ec2d88
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076b6d846
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002269ec2d88 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076b6d846 (not active ControlSet)

---- EOF - GMER 2.2 ----