GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-17 16:02:53
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKS-07V0A0 rev.05.01D05 465,76GB
Running: gmer.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\uwdirfob.sys

---- System - GMER 2.2 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8D300430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8D300490]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8D300470]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8D300450]

---- Kernel code sections - GMER 2.2 ----

.text ntkrnlpa.exe!ZwRenameKey + 1549 82E51F05 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E8C292 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82E937C8 4 Bytes [30, 04, 30, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1313 82E938D8 4 Bytes [90, 04, 30, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 161F 82E93BE4 4 Bytes [70, 04, 30, 8D]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 82E93C2C 4 Bytes [50, 04, 30, 8D]

---- User code sections - GMER 2.2 ----

.text C:\Program Files\ESET\ESET Endpoint Security\ekrn.exe[1708] kernel32.dll!SetUnhandledExceptionFilter 75EBF6AB 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5536] ntdll.dll!LdrLoadDll 77B92133 5 Bytes JMP 722A64A0 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5536] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 75EB95DE 7 Bytes JMP 5FB887EB C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5536] kernel32.dll!QueryPerformanceCounter + 13 75EBC5E5 7 Bytes JMP 5FB895DD C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5536] kernel32.dll!LoadAppInitDlls + 355 75EBF6A6 2 Bytes JMP 5F8C870F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5536] kernel32.dll!LoadAppInitDlls + 358 75EBF6A9 4 Bytes JMP 0141F099
.text C:\Program Files\Mozilla Firefox\firefox.exe[5536] USER32.dll!CreateWindowExA 7638BF10 5 Bytes JMP 5FD0CAEA C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5536] USER32.dll!CreateWindowExW 7638EC4C 5 Bytes JMP 5F87C7B8 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5536] USER32.dll!GetWindowInfo 76394B36 5 Bytes JMP 6079D518 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5536] GDI32.dll!GetViewportOrgEx + 26C 7629876B 7 Bytes JMP 5FB88097 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5824] ntdll.dll!LdrLoadDll 77B92133 5 Bytes JMP 722A64A0 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5824] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 75EB95DE 7 Bytes JMP 5FB887EB C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5824] kernel32.dll!QueryPerformanceCounter + 13 75EBC5E5 7 Bytes JMP 5FB895DD C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5824] USER32.dll!CreateWindowExA 7638BF10 5 Bytes JMP 5FD0CAEA C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5824] USER32.dll!CreateWindowExW 7638EC4C 5 Bytes JMP 5F87C7B8 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[5824] GDI32.dll!GetViewportOrgEx + 26C 7629876B 7 Bytes JMP 5FB88097 C:\Program Files\Mozilla Firefox\xul.dll

---- Threads - GMER 2.2 ----

Thread System [4:260] 861BA560

---- Registry - GMER 2.2 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorsvr.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorsvr.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0x7C 0x61 0x74 0x8F ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorsvr.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbam.exe 0xEB 0xD1 0x56 0x7A ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorwks.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v1.1.4322\RegSvcs.exe 0x25 0xBC 0xB8 0xAC ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v1.1.4322\ngen.exe 0xFD 0x5F 0xFD 0xCA ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v1.1.4322\MigPolWin.exe 0x52 0xC3 0x2C 0xCD ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0xC4 0x0D 0xE5 0x72 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Dialtech\LPG\LPG.exe 0x85 0xA6 0xD8 0x10 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v1.1.4322\csc.exe 0x6A 0x81 0x55 0x1A ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0x79 0xF7 0x5B 0x8F ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorwks.dll@\Device\HarddiskVolume1\Users\Czubacka\Downloads\aktualizacja-lpg-2004\Aktualizacja LPG 2004\LPG.exe 0x43 0x7D 0x89 0x0F ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v1.1.4322/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbam.exe 0x8D 0x7B 0x67 0x7A ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x4F 0x0C 0x46 0xEB ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\GfxUI.exe 0x78 0xE8 0x47 0x49 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0xA8 0x5A 0xE4 0xC4 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0x1A 0x95 0x95 0xC6 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\mmc.exe 0x65 0xDE 0x2C 0xC4 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Czubacka\AppData\Local\Temp\11749.exe 0x45 0x20 0xD4 0x22 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Czubacka\AppData\Local\Temp\22548.exe 0x12 0x50 0x09 0x25 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\b49a8041\b49a8041.exe 0xCA 0x13 0x9C 0xC5 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Czubacka\AppData\Roaming\b49a8041.exe 0x8B 0xD6 0xA0 0xC5 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Czubacka\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\b49a8041.exe 0x0A 0x51 0x97 0xC5 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 0x08 0xC5 0x2A 0x96 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Czubacka\AppData\Local\Temp\Low\45CA.tmp 0xA4 0x39 0xE7 0xC5 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Czubacka\AppData\Local\Temp\Low\27EE.tmp 0xE7 0x0F 0xD3 0xF7 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 0xF2 0xBB 0x87 0xB8 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Microsoft Office\Office12\EXCEL.EXE 0xC9 0xAB 0xCC 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Microsoft Office\Office12\OUTLOOK.EXE 0x24 0x8D 0xEE 0x67 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Microsoft Office\Office12\WINWORD.EXE 0xEE 0x48 0x44 0x7D ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Microsoft Office\Office12\POWERPNT.EXE 0x92 0x0E 0x4F 0xD5 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\PROGRA~1\MICROS~1\Office12\OUTLOOK.EXE 0x0E 0x8A 0xC8 0xEE ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\PROGRA~1\MICROS~1\Office12\WINWORD.EXE 0xEC 0x42 0xBE 0x5A ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbamservice.exe 0x1E 0x45 0x73 0xE8 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbam.exe 0xD8 0x72 0x05 0x7E ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x75 0x75 0x03 0xEA ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\CompatTel\wicainventory.exe 0xA9 0x6A 0xF1 0x22 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0x1A 0x28 0x94 0x97 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0x1D 0xC8 0x1F 0x06 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0xE8 0x49 0xE5 0xD7 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\aitstatic.exe 0x17 0xDD 0x5E 0xA0 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\$Windows.~BT\Sources\SetupHost.exe 0x0D 0xBE 0x45 0x7D ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\svchost.exe 0x56 0x5A 0xEB 0xD7 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\wbem\WmiPrvSE.exe 0x53 0x45 0xD5 0x3F ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbam.exe 0x76 0xF4 0xAF 0x6B ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\Malwarebytes Anti-Malware\mbamservice.exe 0xF6 0x1C 0x30 0x90 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@5143B4B7 629

---- EOF - GMER 2.2 ----