GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-15 16:41:40
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS542525K9SA00 rev.BBFOC31P 232,89GB
Running: wnu7ogec.exe; Driver: C:\DOCUME~1\Daniel\USTAWI~1\Temp\ffwdifow.sys

---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwAssignProcessToJobObject [0xB6F834B0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwCreateThread [0xB6F837F0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwDebugActiveProcess [0xB6F83AB0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwDuplicateObject [0xB6F835D0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwLoadDriver [0xB6F838B0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwOpenProcess [0xB6F83350]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwOpenThread [0xB6F83410]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwProtectVirtualMemory [0xB6F83570]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwQueueApcThread [0xB6F83630]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwReplaceKey [0xB6F83C70]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwRestoreKey [0xB6F83C30]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSetContextThread [0xB6F83530]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSetInformationThread [0xB6F834F0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSetSecurityObject [0xB6F83670]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSetSystemInformation [0xB6F83870]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSuspendProcess [0xB6F833B0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSuspendThread [0xB6F83430]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSystemDebugControl [0xB6F83830]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwTerminateProcess [0xB6F83370]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwTerminateThread [0xB6F83470]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwWriteVirtualMemory [0xB6F835F0]

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 307C  80504964 12 Bytes [B0, 33, F8, B6, 30, 34, F8, ...]
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB8FDB360, 0x388DED, 0xE8000020]
.text  C:\WINDOWS\system32\drivers\hardlock.sys  section is writeable [0xB50F3400, 0x87EE2, 0xE8000020]
.protect  C:\WINDOWS\system32\drivers\hardlock.sys  entry point in ".protect" section [0xB5197620]
.protect  C:\WINDOWS\system32\drivers\hardlock.sys  unknown last code section [0xB5197400, 0x5126, 0xE0000020]

---- User code sections - GMER 2.1 ----

.text  D:\Program Files\ESET\ESET Smart Security\ekrn.exe[1096]  kernel32.dll!SetUnhandledExceptionFilter  7C844EE5 4 Bytes [C2, 04, 00, 00]
.text  C:\Program Files\CCleaner\CCleaner.exe[1960]  USER32.dll!SetScrollInfo  7E369056 5 Bytes JMP 004F22B4 C:\Program Files\CCleaner\CCleaner.exe
.text  C:\Program Files\CCleaner\CCleaner.exe[1960]  USER32.dll!GetScrollInfo  7E37DFE2 5 Bytes JMP 004F2210 C:\Program Files\CCleaner\CCleaner.exe
.text  C:\Program Files\CCleaner\CCleaner.exe[1960]  USER32.dll!ShowScrollBar  7E37F2F2 5 Bytes JMP 004F2243 C:\Program Files\CCleaner\CCleaner.exe
.text  C:\Program Files\CCleaner\CCleaner.exe[1960]  USER32.dll!GetScrollPos  7E37F704 5 Bytes JMP 004F21EB C:\Program Files\CCleaner\CCleaner.exe
.text  C:\Program Files\CCleaner\CCleaner.exe[1960]  USER32.dll!SetScrollPos  7E37F750 5 Bytes JMP 004F218E C:\Program Files\CCleaner\CCleaner.exe
.text  C:\Program Files\CCleaner\CCleaner.exe[1960]  USER32.dll!GetScrollRange  7E37F787 5 Bytes JMP 004F21B3 C:\Program Files\CCleaner\CCleaner.exe
.text  C:\Program Files\CCleaner\CCleaner.exe[1960]  USER32.dll!SetScrollRange  7E37F99B 5 Bytes JMP 004F227D C:\Program Files\CCleaner\CCleaner.exe
.text  C:\Program Files\CCleaner\CCleaner.exe[1960]  USER32.dll!EnableScrollBar  7E3B8005 5 Bytes JMP 004F22E8 C:\Program Files\CCleaner\CCleaner.exe

---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  eamon.sys
AttachedDevice  \Driver\Tcpip \Device\Ip  epfwtdi.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp  epfwtdi.sys
AttachedDevice  \Driver\Tcpip \Device\Udp  epfwtdi.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  epfwtdi.sys
AttachedDevice  \FileSystem\Fastfat \Fat  eamon.sys

---- Threads - GMER 2.1 ----

Thread  System [4:1748]  8936E950

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015833d0a57
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0015833d0a57@001fb702978b  0x87 0xE2 0xDB 0x1C ...
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015833d0a57 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\0015833d0a57@001fb702978b  0x87 0xE2 0xDB 0x1C ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed  11
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful  5

---- EOF - GMER 2.1 ----
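Two things in this log are worth checking mechanically rather than by eye. First, every SSDT entry points into the same module, ehdrv.sys (the driver next to the ESET Smart Security components eamon.sys, epfwtdi.sys and ekrn.exe that appear elsewhere in the log), which is the pattern of a security product hooking the service table rather than of a rootkit hiding behind one. Second, the kernel ".text" entry at ntkrnlpa.exe!ZwCallbackReturn + 307C (80504964) is not an instruction patch at all: read as little-endian 32-bit pointers, its bytes [B0, 33, F8, B6] are 0xB6F833B0, the address listed for the ZwSuspendProcess hook, and the truncated tail [30, 34, F8] matches the low bytes of the ZwSuspendThread hook at 0xB6F83430. The helper below, an added example and not GMER's code or anything from the original post, parses an excerpt of the log copied from above, groups the SSDT hooks by module, and resolves the patch bytes against the hook addresses, treating the "..." truncation as a partial pointer matched on its low bytes only. The regular expressions and the 32-bit little-endian assumption are this example's own and are tuned to the GMER 2.1 layout shown on this page.

```python
"""Triage helper for GMER 2.x text logs (added example, not GMER's own code)."""
import re
from collections import defaultdict

# Lines copied from the GMER log above (five of the 21 SSDT entries plus the
# kernel .text entry), embedded so the script runs offline.
SAMPLE_LOG = r"""
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwOpenProcess [0xB6F83350]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSuspendProcess [0xB6F833B0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSuspendThread [0xB6F83430]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwTerminateProcess [0xB6F83370]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwWriteVirtualMemory [0xB6F835F0]
.text  ntkrnlpa.exe!ZwCallbackReturn + 307C  80504964 12 Bytes [B0, 33, F8, B6, 30, 34, F8, ...]
"""

# Patterns are this example's assumption about the GMER 2.1 line layout.
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<module>\S+)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]"
)
PATCH_RE = re.compile(
    r"^\.text\s+(?P<symbol>.+?)\s+(?P<addr>[0-9A-Fa-f]{8})\s+"
    r"(?P<count>\d+) Bytes\s+\[(?P<bytes>[^\]]*)\]"
)


def parse_ssdt_hooks(log):
    """Return (module path, Zw function, hook address) for each SSDT line."""
    hooks = []
    for line in log.splitlines():
        m = SSDT_RE.match(line.strip())
        if m:
            hooks.append((m["module"], m["func"], int(m["addr"], 16)))
    return hooks


def hooks_by_module(hooks):
    """Group hooked functions by the owning driver's file name (lower-cased)."""
    grouped = defaultdict(list)
    for module, func, _ in hooks:
        grouped[module.rsplit("\\", 1)[-1].lower()].append(func)
    return dict(grouped)


def parse_text_patches(log):
    """Parse '.text <symbol> <addr> N Bytes [..]' entries; GMER prints at most a
    few bytes and marks the rest with '...', so record whether it was cut off."""
    patches = []
    for line in log.splitlines():
        m = PATCH_RE.match(line.strip())
        if not m:
            continue
        tokens = [t.strip() for t in m["bytes"].split(",")]
        raw = bytes(int(t, 16) for t in tokens if re.fullmatch(r"[0-9A-Fa-f]{2}", t))
        truncated = "..." in tokens or len(raw) < int(m["count"])
        patches.append({"symbol": m["symbol"], "addr": int(m["addr"], 16),
                        "count": int(m["count"]), "raw": raw, "truncated": truncated})
    return patches


def resolve_patch_pointers(raw, hooks):
    """Interpret the dumped bytes as little-endian 32-bit pointers (x86 kernel,
    as on this Windows 5.1 host) and map each to a known SSDT hook address.
    A trailing partial pointer is matched on its low bytes only and flagged.
    Returns a list of (value, matched function or None, is_partial)."""
    by_addr = {addr: func for _, func, addr in hooks}
    results = []
    for i in range(0, len(raw), 4):
        chunk = raw[i:i + 4]
        value = int.from_bytes(chunk, "little")
        if len(chunk) == 4:
            results.append((value, by_addr.get(value), False))
        else:
            mask = (1 << (8 * len(chunk))) - 1
            candidates = [f for a, f in by_addr.items() if a & mask == value]
            results.append((value, candidates[0] if len(candidates) == 1 else None, True))
    return results


def triage(log):
    """Summarise hooks per module and explain each kernel .text entry as pointers."""
    hooks = parse_ssdt_hooks(log)
    findings = []
    for p in parse_text_patches(log):
        for value, func, partial in resolve_patch_pointers(p["raw"], hooks):
            findings.append((p["symbol"], value, func, partial))
    return hooks_by_module(hooks), findings


if __name__ == "__main__":
    modules, findings = triage(SAMPLE_LOG)
    for module, funcs in modules.items():
        print(f"{module}: {len(funcs)} SSDT hooks")
    for symbol, value, func, partial in findings:
        print(f"{symbol}: {value:#x} -> {func or 'unknown'}{' (partial)' if partial else ''}")
```

Run against the full log the same way (paste all 21 SSDT lines into SAMPLE_LOG) and the result is one module, ehdrv.sys, owning every hook, with the ntkrnlpa.exe entry resolving to that module's ZwSuspendProcess and ZwSuspendThread handlers. A hook whose address resolves to no listed module, or a .text entry whose bytes do not decode to addresses inside any hooking driver, is what would merit further work; neither appears here.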