mario81
Hello. I have a problem: my ASUS n50vn laptop has been rooted. For a good few months I have been trying to deal with it, but none of my attempts works. I have decided to ask for help. I discovered it at the beginning of this year: Windows 7, CMOS reset, hard disk wiped and Linux Mint installed. The joy did not last long; it turned out everything was the same as before. I think it is a rootkit because it has the highest privileges: it shuts down a program or causes e.g. a blue screen of death, it rolls back the system time and date if I surprise it with something, there are a very large number of occupied ports (netstat), and the Malwarebytes antivirus displayed a message after the scan that it is a rootkit and that I should seek help. There are many hidden files, e.g. a file in 15 AppData folders. I have to paste the GMER log as well. Please review the ComboFix log.

FRST.txt Addition.txt Shortcut.txt OTL.Txt Extras.Txt