GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-06-23 15:24:33 Windows 6.2.9200 \Device\Harddisk0\DR0 -> \Device\0000002c WDC_WD2500AAKX-00U6AA0 rev.15.01H15 232,89GB Running: gekwysey.exe; Driver: C:\Users\lekarz\AppData\Local\Temp\uwlcyaob.sys ---- System - GMER 2.2 ---- SSDT \??\C:\WINDOWS\System32\drivers\zamguard32.sys ZwTerminateProcess [0x8EC8124A] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x832F71C0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x832F71E0] SSDT \??\C:\WINDOWS\System32\drivers\zamguard32.sys ZwOpenProcess [0x8EC810FC] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x832F7200] ---- Kernel code sections - GMER 2.2 ---- .text ntoskrnl.exe!ExfUnblockPushLock + 1547 825418DD 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 622 82546082 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User code sections - GMER 2.2 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1212] KERNEL32.DLL!SetUnhandledExceptionFilter 7701FB30 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Mozilla Firefox\firefox.exe[2960] ntdll.dll!LdrLoadDll 7710E230 5 Bytes JMP 6F1D1980 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2960] KERNEL32.DLL!K32GetProcessImageFileNameW + 1B 7701AB8B 7 Bytes JMP 51B55949 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2960] KERNEL32.DLL!GetLocaleInfoA + 1B 7701DC3B 7 Bytes JMP 51B54BDC C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2960] KERNEL32.DLL!PowerClearRequest + 7B 7701FB2B 7 Bytes JMP 518A72D1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2960] USER32.dll!CreateWindowExA 75D6D590 5 Bytes JMP 51C417E3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2960] USER32.dll!CreateWindowExW 75D6F2F0 5 Bytes JMP 518806F3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2960] USER32.dll!GetAppCompatFlags2 + 6EB 75D7C14B 7 Bytes JMP 526A59B1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2960] GDI32.dll!SetDIBitsToDevice + 23B 760C058B 7 Bytes JMP 51B544C6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\WINDOWS\Explorer.EXE[3716] SHELL32.dll!SHPropStgWriteMultiple 749027D0 4 Bytes [E0, 10, 29, 61] .text C:\WINDOWS\Explorer.EXE[3716] SHELL32.dll!SHPropStgWriteMultiple 749027D5 3 Bytes [11, 29, 61] {ADC [ECX], EBP; POPA } ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime 0x88 0x3F 0xF0 0x4E ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime 0x17 0x8B 0xDF 0x29 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFStartTime 0x88 0x3F 0xF0 0x4E ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@CMFLastStartTime 0x0C 0x83 0xE7 0x29 ... Reg HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL 21 Reg HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\PHLC0AFUKC1248054566_30_07DC_2F^11D833A01BD775445D190C3C5422827A@Timestamp 0xFE 0xD5 0x32 0x4F ... Reg HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid 656 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber 4108579 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 2098933476 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId 22 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime 476931166 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime 7352 Reg HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID ae6410c1-f26d-4c15-963b-cafdddc Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{9e3e2654-f122-4c0d-8f5e-92dbeeb83033}@LastProbeTime 1466691932 Reg HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime ?czw.?, ?cze ?23 ?16, 02:26:42?????????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1383 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 165 Reg HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence 20 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4111151b-574d-400a-bd49-4578bb80fa6e}@LeaseObtainedTime 1466684726 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4111151b-574d-400a-bd49-4578bb80fa6e}@T1 1466727926 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4111151b-574d-400a-bd49-4578bb80fa6e}@T2 1466760326 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{4111151b-574d-400a-bd49-4578bb80fa6e}@LeaseTerminatesTime 1466771126 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x1C 0x5B 0x1F 0x60 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x1C 0xC3 0xE3 0xC1 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x1C 0xF3 0x5A 0xFE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0x67 0x93 0x0D 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\winmgmt\Parameters@ServiceDllUnloadOnStop 0 Reg HKLM\SOFTWARE\Microsoft\Windows\Configuration\CfgClient\ControlSet@LastPullTime 0x79 0xA8 0x0C 0x72 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Authentication\LogonUI@IdleTime 0 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing@SessionIdHigh 30526795 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing@SessionIdLow 884689655 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@LaunchCount 0x14 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@DiagTrackStatus 0 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@LastHeartBeatTime 0x66 0x1F 0x46 0x59 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@EventDroppedConsumer 0x64 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@EventDroppedDecoding 1 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@MaxInUseScenarios 2 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@VortexHttpAttempts 7 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack@EventsUploaded 267 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests@LastNormalDownloadAttempt 0xA9 0xD2 0xB6 0x71 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests@LastCriticalDownloadAttempt 0x85 0x82 0x01 0xC6 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\telemetry.ASM-WindowsDefault@LastDownloadTime 0x7D 0xAB 0x1E 0xE3 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\utc.app@LastDownloadTime 0x7D 0xAB 0x1E 0xE3 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Diagnostics\DiagTrack\SettingsRequests\WINDOWS.DIAGNOSTICS@LastDownloadTime 0x79 0xC3 0xB0 0xFC ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo 1384831261 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30526794 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo 1385456262 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\Machine\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30526794 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-275134807-4007656991-3357232484-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeLo 1562302337 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-275134807-4007656991-3357232484-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@StartTimeHi 30526794 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-275134807-4007656991-3357232484-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeLo 1562302337 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Group Policy\State\S-1-5-21-275134807-4007656991-3357232484-1000\Extension-List\{00000000-0000-0000-0000-000000000000}@EndTimeHi 30526794 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\1110F57186925394F8073301C8A6D43E\Usage@MarketResearch 1222050545 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SystemProtectedUserData\S-1-5-21-275134807-4007656991-3357232484-1000\AnyoneRead\Colors@StartColor -6728704 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ThemeManager@ServerChangeNumber 21 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate@LastTaskOperationHandle 43 Reg HKLM\SOFTWARE\Microsoft\Windows\DWM@DwmInitSessionActivityId_00000001 4B58ED8F-CD4A-0000-A3ED-584B4ACDD101 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\HP\HPLaserJetService\HPLaserJetService.exe 0x6E 0x23 0x2F 0x58 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0x4D 0xF7 0x94 0x73 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\HP\HP UT LEDM\bin\hppusg.exe 0x3F 0x3C 0x27 0x71 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xA2 0xF6 0x43 0x7B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\wbem\WmiPrvSE.exe 0xB5 0xC6 0x19 0x73 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe 0x3B 0xFA 0x00 0x59 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\$WINDOWS.~BT\Sources\setupplatform.exe 0xB0 0xC5 0x54 0x33 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\backgroundTaskHost.exe 0x7D 0xB1 0x54 0x6C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0x67 0xEA 0xD5 0x50 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\taskhostw.exe 0x06 0xD7 0xC8 0xCD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe 0xF1 0x05 0xF9 0xDA ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0xA8 0x7C 0x8F 0x6B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x7E 0xAC 0x7E 0xD0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 0x98 0xB7 0x3B 0x52 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0x8E 0x64 0xFF 0xFF ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\tzsync.exe 0x36 0x98 0xFF 0xEE ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\mmc.exe 0x07 0xA6 0x81 0x04 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\System32/mrt100.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\System32/mrt100.dll@\Device\HarddiskVolume1\Windows\System32\backgroundTaskHost.exe 0xEF 0x4D 0x71 0x6C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-21-275134807-4007656991-3357232484-1000@RefCount 0 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@NewClientID 259 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{1E8FAEC2-7B4C-11E2-BE80-806E6F6E6963} 2288971560 ---- EOF - GMER 2.2 ----