GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-13 12:28:00 Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 298,09GB Running: mkv4llz3.exe; Driver: C:\Users\Radzio\AppData\Local\Temp\pxldapow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeKey [0x8FF806F0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwNotifyChangeMultipleKeys [0x8FF80820] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenProcess [0x8FF80010] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwOpenThread [0x8FF804E0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendProcess [0x8FF80300] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwSuspendThread [0x8FF803F0] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateProcess [0x8FF80120] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwTerminateThread [0x8FF80210] SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys ZwWriteVirtualMemory [0x8FF805F0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetTimerEx + 5F0 82703C44 8 Bytes [F0, 06, F8, 8F, 20, 08, F8, ...] .text ntkrnlpa.exe!KeSetTimerEx + 624 82703C78 4 Bytes [10, 00, F8, 8F] .text ntkrnlpa.exe!KeSetTimerEx + 641 82703C95 3 Bytes [04, F8, 8F] .text ntkrnlpa.exe!KeSetTimerEx + 844 82703E98 8 Bytes [00, 03, F8, 8F, F0, 03, F8, ...] .text ntkrnlpa.exe!KeSetTimerEx + 854 82703EA8 8 Bytes [20, 01, F8, 8F, 10, 02, F8, ...] .text ... ? System32\drivers\drrqhvqk.sys System nie może odnaleźć określonej ścieżki. ! .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8CA0D340, 0x3D7A87, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\rundll32.exe[1276] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\System32\rundll32.exe[1276] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\System32\rundll32.exe[1276] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\ehome\ehmsas.exe[1640] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\ehome\ehmsas.exe[1640] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\ehome\ehmsas.exe[1640] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\taskeng.exe[1720] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\taskeng.exe[1720] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\taskeng.exe[1720] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1800] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1800] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\ProgramData\DatacardService\DCSHelper.exe[1800] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text F:\Program Files\RocketDock\RocketDock.exe[2488] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text F:\Program Files\RocketDock\RocketDock.exe[2488] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text F:\Program Files\RocketDock\RocketDock.exe[2488] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\Dwm.exe[3356] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\Dwm.exe[3356] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\Dwm.exe[3356] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\Explorer.EXE[3384] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\Explorer.EXE[3384] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\Explorer.EXE[3384] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgui.exe[3736] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgui.exe[3736] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\AVG\AVG2015\avgui.exe[3736] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3784] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3784] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[3784] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\ctfmon.exe[3796] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\ctfmon.exe[3796] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\ctfmon.exe[3796] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3868] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3868] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3868] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3892] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3892] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Intel\Intel Matrix Storage Manager\IAAnotif.exe[3892] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\RtHDVCpl.exe[3984] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\RtHDVCpl.exe[3984] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\RtHDVCpl.exe[3984] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Users\Radzio\AppData\Local\Temp\RtkBtMnt.exe[4024] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Users\Radzio\AppData\Local\Temp\RtkBtMnt.exe[4024] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Users\Radzio\AppData\Local\Temp\RtkBtMnt.exe[4024] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\PLFSetI.exe[4032] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\PLFSetI.exe[4032] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\PLFSetI.exe[4032] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4040] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4040] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[4040] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text F:\Program Files\NetWorx\networx.exe[4048] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text F:\Program Files\NetWorx\networx.exe[4048] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text F:\Program Files\NetWorx\networx.exe[4048] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\ehome\ehtray.exe[4084] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\ehome\ehtray.exe[4084] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\ehome\ehtray.exe[4084] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4388] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4388] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[4388] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\conime.exe[5320] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\conime.exe[5320] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text C:\Windows\system32\conime.exe[5320] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll .text F:\Programosy\2015\mkv4llz3.exe[5568] ntdll.dll!NtMapViewOfSection 77C78758 5 Bytes JMP 715F1460 C:\Program Files\AVG\AVG2015\avghookx.dll .text F:\Programosy\2015\mkv4llz3.exe[5568] ntdll.dll!NtWriteVirtualMemory 77C792A8 5 Bytes JMP 715F1120 C:\Program Files\AVG\AVG2015\avghookx.dll .text F:\Programosy\2015\mkv4llz3.exe[5568] kernel32.dll!CreateProcessInternalW 755F98DD 5 Bytes JMP 715F1260 C:\Program Files\AVG\AVG2015\avghookx.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp networx.sys AttachedDevice \Driver\tdx \Device\Tcp avgtdix.sys AttachedDevice \Driver\tdx \Device\Udp networx.sys AttachedDevice \Driver\tdx \Device\Udp avgtdix.sys AttachedDevice \Driver\tdx \Device\RawIp avgtdix.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC0 0xEF 0xE8 0x08 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB5 0x6F 0x09 0x53 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{54EF9B09-3609-4DFA-A782-F69399BDC7F4}@LeaseObtainedTime 1434183924 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{54EF9B09-3609-4DFA-A782-F69399BDC7F4}@T1 1434183954 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{54EF9B09-3609-4DFA-A782-F69399BDC7F4}@T2 1434183976 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{54EF9B09-3609-4DFA-A782-F69399BDC7F4}@LeaseTerminatesTime 1434183984 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xC0 0xEF 0xE8 0x08 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xB5 0x6F 0x09 0x53 ... ---- EOF - GMER 2.1 ----