GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-05 20:59:27
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_HD502HI rev.1AG01118 465,76GB
Running: 44pbegx6.exe; Driver: C:\DOCUME~1\Admin\USTAWI~1\Temp\uflyyuow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwAssignProcessToJobObject [0xB41E9C40]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0xB41E9F80]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDebugActiveProcess [0xB41EA240]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDuplicateObject [0xB41E9D60]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0xB41EA040]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenProcess [0xB41E9AE0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenThread [0xB41E9BA0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwProtectVirtualMemory [0xB41E9D00]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwQueueApcThread [0xB41E9DC0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwReplaceKey [0xB41EA400]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwRestoreKey [0xB41EA3C0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetContextThread [0xB41E9CC0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetInformationThread [0xB41E9C80]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSecurityObject [0xB41E9E00]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0xB41EA000]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendProcess [0xB41E9B40]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendThread [0xB41E9BC0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0xB41E9FC0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateProcess [0xB41E9B00]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateThread [0xB41E9C00]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwWriteVirtualMemory [0xB41E9D80]

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys B39BE16D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys B39BDFC2

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [40, 9B, 1E, B4, C0, 9B, 1E, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB72A4360, 0x3CEED5, 0xE8000020]
.text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB362B400, 0x87EE2, 0xE8000020]
.protect˙˙˙˙hardlock C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlock" section [0xB36CF620]
.protect˙˙˙˙hardlock C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB36CF400, 0x5126, 0xE0000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[604] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 4 Bytes [C2, 04, 00, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [18, 10, C4, 01] {SBB [EAX], DL; LES EAX, [ECX]}
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1212] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, F0, 70, 00] {SUB AL, DH; JO 0x4}
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, F3, 70, 00] {SUB BL, DH; JO 0x4}
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, F0, 70, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, F1, 70, 00] {TEST AL, 0xf1; JO 0x4}
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91470A
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, F2, 70, 00] {TEST AL, 0xf2; JO 0x4}
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, F1, 70, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, F2, 70, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B91477B
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, F0, 70, 00] {TEST AL, 0xf0; JO 0x4}
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9148A9
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, F1, 70, 00] {SUB CL, DH; JO 0x4}
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, F2, 70, 00] {SUB DL, DH; JO 0x4}
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, F3, 70, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1364] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Counter 22080
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Perflib@Last Help 22081
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D27CDB6E-AE6D-11CF-96B8-444553540000}\iexplore@Count 4

---- EOF - GMER 2.1 ----