GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-15 22:50:36 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000060 HP______ rev.0.00 465,73GB Running: 4qbt7tl5.exe; Driver: C:\Users\GRAD\AppData\Local\Temp\ufldypob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8DC017F0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8DC018B0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8DC01870] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8DC01830] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestWaitReplyPort + 14A5 82A8EA15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AC8372 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82ACF6F8 4 Bytes [F0, 17, C0, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 1313 82ACF808 4 Bytes [B0, 18, C0, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 161F 82ACFB14 4 Bytes [70, 18, C0, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 1667 82ACFB5C 4 Bytes [30, 18, C0, 8D] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Endpoint Security\ekrn.exe[1608] kernel32.dll!SetUnhandledExceptionFilter 75D7F5AB 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!NtCreateFile 77255608 5 Bytes JMP 62BF9870 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!NtFlushBuffersFile 77255998 5 Bytes JMP 628ED335 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!NtQueryFullAttributesFile 77256028 5 Bytes JMP 628ED5B0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!NtReadFile 772562F8 5 Bytes JMP 628ED390 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!NtReadFileScatter 77256308 5 Bytes JMP 63558330 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!NtWriteFile 77256AA8 5 Bytes JMP 62BFA7F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!NtWriteFileGather 77256AB8 5 Bytes JMP 635582DF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] ntdll.dll!LdrLoadDll 772722AE 5 Bytes JMP 66691F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 75D794E6 7 Bytes JMP 63499960 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] kernel32.dll!QueryPerformanceCounter + 13 75D7C4E5 7 Bytes JMP 63499983 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] kernel32.dll!LoadAppInitDlls + 355 75D7F5A6 7 Bytes JMP 62BF6164 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] USER32.dll!GetWindowInfo 760F4B5E 5 Bytes JMP 6339B65E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5156] GDI32.dll!GetViewportOrgEx + 26C 75FD884B 7 Bytes JMP 634998E1 C:\Program Files\Mozilla Firefox\xul.dll ---- Threads - GMER 2.1 ---- Thread System [4:680] 86CD8DF0 ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\Users\GRAD\AppData\Local\Microsoft\Windows\WER\ReportArchive\AppCrash_gu37uevg.exe_b358fae354358ff8c53cbdcf84964dcbc5235_0649feb8 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@84C9F681 460 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{4A7A3586-A130-11E0-BE87-806E6F6E6963} 8341028496 ---- Files - GMER 2.1 ---- File C:\PENTAGON\52_SATURN_CONNECT\01_SATURN_CONNECT_GALERIA_KATOWICKA\03_DATA_IN\01_JN_MSHP\130713_PAKIET_NAJMECY\130712 pakiet najemcy!\130712 pakiet najemcy!\121217_GK_rev3_-__dla_najemcw_CD(9)\Odstepstwo od swiatla\100415_Odstepstwo od swiatla_uzupelnienie nr 1\100525_Decyzja_strona 1.pdf 538350 bytes File C:\PENTAGON\52_SATURN_CONNECT\01_SATURN_CONNECT_GALERIA_KATOWICKA\03_DATA_IN\01_JN_MSHP\130713_PAKIET_NAJMECY\130712 pakiet najemcy!\130712 pakiet najemcy!\121217_GK_rev3_-__dla_najemcw_CD(9)\Odstepstwo od swiatla\100415_Odstepstwo od swiatla_uzupelnienie nr 1\100525_Decyzja_strona 2.pdf 622794 bytes File C:\PENTAGON\52_SATURN_CONNECT\01_SATURN_CONNECT_GALERIA_KATOWICKA\03_DATA_IN\01_JN_MSHP\130713_PAKIET_NAJMECY\130712 pakiet najemcy!\130712 pakiet najemcy!\121217_GK_rev3_-__dla_najemcw_CD(9)\Odstepstwo od swiatla\100415_Odstepstwo od swiatla_uzupelnienie nr 1\Thumbs.db 43008 bytes ---- EOF - GMER 2.1 ----