GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-11-22 17:44:42
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 FUJITSU_MHV2100BH rev.00000029 93,16GB
Running: jpf9puy1.exe; Driver: C:\DOCUME~1\Kasprzyk\USTAWI~1\Temp\uwlyyfob.sys

---- System - GMER 2.1 ----

SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwAssignProcessToJobObject [0xB0F2EC40]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwCreateThread [0xB0F2EF80]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwDebugActiveProcess [0xB0F2F240]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwDuplicateObject [0xB0F2ED60]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwLoadDriver [0xB0F2F040]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwOpenProcess [0xB0F2EAE0]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwOpenThread [0xB0F2EBA0]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwProtectVirtualMemory [0xB0F2ED00]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwQueueApcThread [0xB0F2EDC0]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwSetContextThread [0xB0F2ECC0]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwSetInformationThread [0xB0F2EC80]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwSetSecurityObject [0xB0F2EE00]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwSetSystemInformation [0xB0F2F000]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwSuspendProcess [0xB0F2EB40]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwSuspendThread [0xB0F2EBC0]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwSystemDebugControl [0xB0F2EFC0]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwTerminateProcess [0xB0F2EB00]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwTerminateThread [0xB0F2EC00]
SSDT      \SystemRoot\system32\DRIVERS\ehdrv.sys    ZwWriteVirtualMemory [0xB0F2ED80]

INT 0x06  \??\C:\WINDOWS\system32\drivers\Haspnt.sys    B0C7B16D
INT 0x0E  \??\C:\WINDOWS\system32\drivers\Haspnt.sys    B0C7AFC2

---- Kernel code sections - GMER 2.1 ----

.text     ntkrnlpa.exe!ZwCallbackReturn + 2E70    80504758 4 Bytes    JMP E030B0F2
.text     ntkrnlpa.exe!ZwCallbackReturn + 307C    80504964 12 Bytes   [40, EB, F2, B0, C0, EB, F2, ...]
.text     C:\WINDOWS\system32\drivers\hardlock.sys    section is writeable [0xAE43B400, 0x87EE2, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xAE4DF620]
          C:\WINDOWS\system32\drivers\hardlock.sys    entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xAE4DF620]
.protect˙˙˙˙hardlockunknown last code section [0xAE4DF400, 0x5126, 0xE0000020]
          C:\WINDOWS\system32\drivers\hardlock.sys    unknown last code section [0xAE4DF400, 0x5126, 0xE0000020]

---- User code sections - GMER 2.1 ----

.text     C:\Program Files\ESET\ESET Smart Security\ekrn.exe[408] kernel32.dll!SetUnhandledExceptionFilter    7C8449CD 4 Bytes    [C2, 04, 00, 00]

---- Devices - GMER 2.1 ----

AttachedDevice    \FileSystem\Ntfs \Ntfs          eamon.sys
AttachedDevice    \Driver\Tcpip \Device\Ip        epfwtdi.sys
AttachedDevice    \Driver\Tcpip \Device\Tcp       epfwtdi.sys
AttachedDevice    \Driver\Tcpip \Device\Udp       epfwtdi.sys
AttachedDevice    \Driver\Tcpip \Device\RawIp     epfwtdi.sys
AttachedDevice    \FileSystem\Fastfat \Fat        eamon.sys

---- Threads - GMER 2.1 ----

Thread    System [4:1988]    883F0540

---- EOF - GMER 2.1 ----