GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-10 12:04:58
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 SAMSUNG_HD321KJ rev.CP100-12 298,09GB
Running: yfdbxhem.exe; Driver: C:\DOCUME~1\Maciek\USTAWI~1\Temp\pxxcraod.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwAssignProcessToJobObject [0xB1F6AF20]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0xB1F6B260]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDebugActiveProcess [0xB1F6B520]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDuplicateObject [0xB1F6B040]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0xB1F6B320]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenProcess [0xB1F6ADC0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenThread [0xB1F6AE80]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwProtectVirtualMemory [0xB1F6AFE0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwQueueApcThread [0xB1F6B0A0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwReplaceKey [0xB1F6B6E0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwRestoreKey [0xB1F6B6A0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetContextThread [0xB1F6AFA0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetInformationThread [0xB1F6AF60]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSecurityObject [0xB1F6B0E0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0xB1F6B2E0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendProcess [0xB1F6AE20]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendThread [0xB1F6AEA0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0xB1F6B2A0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateProcess [0xB1F6ADE0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateThread [0xB1F6AEE0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwWriteVirtualMemory [0xB1F6B060]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [20, AE, F6, B1, A0, AE, F6, ...] {AND [ESI-0x515f4e0a], CH; DIV BYTE [ECX-0x4e094d60]}
.text C:\WINNT\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6B273C0, 0x9B091A, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1892] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01869AE0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 0184C434 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 0184C150 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 0184C330 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 0226F60F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0186A9F0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 0226F5BE C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 10001F42 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 02194AC3 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 2 Bytes JMP 02194AA0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] kernel32.dll!MapViewOfFileEx + 6D 7C80B9A3 4 Bytes [98, 85, EB, F9] {CWDE ; TEST EBX, EBP; STC }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] kernel32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 018663D0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 02194A21 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2212] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 0208B991 C:\Program Files\Mozilla Firefox\xul.dll

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINNT\Explorer.EXE[1828] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys
AttachedDevice \Driver\Tcpip \Device\Ip wpnfd_1_10_0_4.sys
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp wpnfd_1_10_0_4.sys
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp wpnfd_1_10_0_4.sys
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp wpnfd_1_10_0_4.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys

---- Threads - GMER 2.1 ----

Thread System [4:1116] FEE18250

---- Processes - GMER 2.1 ----

Library C:\Program Files\OpenOffice.org (*** hidden *** ) @ C:\WINNT\Explorer.EXE [1828] 0x28DD0000

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Classes\{057C7771-F320-4C2A-A2EA-747945FA82F2}
Reg HKLM\SOFTWARE\Classes\{057C7771-F320-4C2A-A2EA-747945FA82F2}@ 0x62 0x7E 0xEC 0x91 ...
Reg HKLM\SOFTWARE\Classes\{47BF077C-44C6-42B1-8F88-ADE2585DD2ED}
Reg HKLM\SOFTWARE\Classes\{47BF077C-44C6-42B1-8F88-ADE2585DD2ED}@ 0x5E 0x27 0x97 0x5B ...
Reg HKLM\SOFTWARE\Classes\{97A98033-9FA1-4E80-A339-59787B43CC89}
Reg HKLM\SOFTWARE\Classes\{97A98033-9FA1-4E80-A339-59787B43CC89}@ 0x6E 0x85 0xF6 0x5B ...
Reg HKLM\SOFTWARE\Classes\{A82EB336-567D-4F41-A63E-8113AD8B6903}
Reg HKLM\SOFTWARE\Classes\{A82EB336-567D-4F41-A63E-8113AD8B6903}@ 0xFC 0xE8 0x33 0x5A ...
Reg HKLM\SOFTWARE\Classes\{C4B20040-7D5A-4558-9E19-B7DF94366F97}
Reg HKLM\SOFTWARE\Classes\{C4B20040-7D5A-4558-9E19-B7DF94366F97}@ 0xFA 0x0B 0x3E 0x5C ...

---- EOF - GMER 2.1 ----