GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-03-01 06:02:24
Windows 6.0.6000 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3250310AS rev.3.AAC 232,89GB
Running: s4cebpuf.exe; Driver: C:\Users\Domek\AppData\Local\Temp\ugrcapow.sys

---- System - GMER 2.1 ----

SSDT 851E4840 ZwAlertResumeThread
SSDT 851E4920 ZwAlertThread
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwAllocateVirtualMemory [0x8BBB409C]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwAlpcConnectPort [0x8BBB7544]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwAlpcSendWaitReceivePort [0x8BBB707A]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwAssignProcessToJobObject [0x8BBB4C66]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwClose [0x8BBB7B6A]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwConnectPort [0x8BBB63F6]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwCreateFile [0x8BBB593A]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwCreateKey [0x8BBB6AEE]
SSDT 851B1670 ZwCreateMutant
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwCreateProcess [0x8BBB4EBC]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwCreateProcessEx [0x8BBB4F72]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwCreateSection [0x8BBB525C]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwCreateThread [0x8BBB3A0C]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwDeviceIoControlFile [0x8BBB6C5E]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwDuplicateObject [0x8BBBB0F8]
SSDT 851CC990 ZwFreeVirtualMemory
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwFsControlFile [0x8BBB6F16]
SSDT 851B3380 ZwImpersonateAnonymousToken
SSDT 851B0C08 ZwImpersonateThread
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwLoadDriver [0x8BBB4572]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwMakeTemporaryObject [0x8BBB7912]
SSDT 851CC8B0 ZwMapViewOfSection
SSDT 851CA7D8 ZwOpenEvent
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwOpenFile [0x8BBB572C]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwOpenProcess [0x8BBBAB50]
SSDT 851D0450 ZwOpenProcessToken
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwOpenSection [0x8BBB502C]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwOpenThread [0x8BBBAE00]
SSDT 851B1F60 ZwOpenThreadToken
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwProtectVirtualMemory [0x8BBB3F20]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwQueueApcThread [0x8BBB4D8E]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwReplaceKey [0x8BBB7760]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwRequestPort [0x8BBB6564]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwRequestWaitReplyPort [0x8BBB5EF8]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwRestoreKey [0x8BBB77EA]
SSDT 850AC210 ZwResumeThread
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwSecureConnectPort [0x8BBB697E]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwSetContextThread [0x8BBB3B7C]
SSDT 851CC738 ZwSetInformationProcess
SSDT 851B1D90 ZwSetInformationThread
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwSetSecurityObject [0x8BBB76BA]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwSetSystemInformation [0x8BBB476C]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwShutdownSystem [0x8BBB787C]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwSuspendProcess [0x8BBB3DF8]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwSuspendThread [0x8BBB3CD2]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwSystemDebugControl [0x8BBB4B98]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwTerminateProcess [0x8BBBAA48]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwTerminateThread [0x8BBBB2EA]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwUnloadDriver [0x8BBB79A8]
SSDT 851CA510 ZwUnmapViewOfSection
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwWriteVirtualMemory [0x8BBB3890]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwCreateThreadEx [0x8BBB7D86]

SYSENTER \SystemRoot\system32\DRIVERS\avc3.sys 8074A000

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 704 82080C10 4 Bytes JMP E18BBB77
.text ntkrnlpa.exe!ZwCallbackReturn + 7E0 82080CEC 12 Bytes [F8, 3D, BB, 8B, D2, 3C, BB, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe[840] USER32.dll!UserClientDllInitialize 774C4205 1 Byte [E9]
.text C:\Program Files\Common Files\Symantec Shared\AppCore\AppSvc32.exe[840] SHELL32.dll!SHAppBarMessage + 44B 76A50A7F 2 Bytes [1F, FD] {POP DS; STD }
.text C:\Program Files\HP\Digital Imaging\bin\hpqSTE08.exe[2172] USER32.dll!UserClientDllInitialize 774C4205 1 Byte [E9]
.text C:\Windows\system32\svchost.exe[2468] SHELL32.dll!SHAppBarMessage + 44B 76A50A7F 2 Bytes [1F, FD] {POP DS; STD }
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2552] USER32.dll!UserClientDllInitialize 774C4205 1 Byte [E9]
.text C:\Program Files\HP\HP Software Update\hpwuSchd2.exe[2552] SHELL32.dll!SHAppBarMessage + 44B 76A50A7F 2 Bytes [1F, FD] {POP DS; STD }
.text C:\Program Files\Windows Live\Messenger\msnmsgr.exe[2656] kernel32.dll!SetUnhandledExceptionFilter 7794D177 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\msnmsgr.exe
.text C:\Windows\ehome\ehtray.exe[2672] SHELL32.dll!SHAppBarMessage + 44B 76A50A7F 2 Bytes [1F, FD] {POP DS; STD }
.text C:\Windows\system32\svchost.exe[3828] USER32.dll!UserClientDllInitialize 774C4205 1 Byte [E9]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7488FBC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7485B9AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7484A31F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [7484CBFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74848AB2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7485CF28] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74847D98] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74847CFF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74846A64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [748DC1D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74867F56] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [748490CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74852179] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [748521A4] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74857F1C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74857D3E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll
IAT C:\Windows\Explorer.EXE[268] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [748883D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6000.16782_none_9ea1072ec96e0be7\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS
AttachedDevice \Driver\tdx \Device\Tcp bdftdif.sys
AttachedDevice \Driver\tdx \Device\Udp SYMTDI.SYS
AttachedDevice \Driver\tdx \Device\Udp bdftdif.sys

---- Processes - GMER 2.1 ----

Process (*** hidden *** ) [4] 83332C20

---- EOF - GMER 2.1 ----
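Reading a GMER report by hand means answering three questions: which driver owns each SSDT hook, which hooks GMER could not attribute to any module (printed with a bare kernel address and no `[0x...]` target), and whether the "hidden" process and stacked device filters need follow-up. The script below is an added example for doing that triage, not part of the log above and not a GMER tool; the sample lines embedded in it are excerpts copied from this log. It groups the attributed hooks by owning driver, lists the unattributed ones for manual address resolution, reports devices with more than one attached filter, and treats a hidden-process entry for PID 4 specially, because PID 4 is the Windows System process and a second tool should confirm it before it is called a rootkit.

```python
"""Triage helper for the System/Devices/Processes sections of a GMER report.

Added example, not code from the GMER log or from GMER itself. SAMPLE holds
excerpt lines copied from the log above; feed parse_gmer() a full report to
triage a real scan.
"""
import re
from collections import defaultdict

# Excerpt lines copied from the GMER log on this page.
SAMPLE = r"""
SSDT 851E4840 ZwAlertResumeThread
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwAllocateVirtualMemory [0x8BBB409C]
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwCreateFile [0x8BBB593A]
SSDT 851B1670 ZwCreateMutant
SSDT \??\C:\Program Files\Bitdefender\Antivirus Free Edition\bdselfpr.sys ZwTerminateProcess [0x8BBBAA48]
SYSENTER \SystemRoot\system32\DRIVERS\avc3.sys 8074A000
AttachedDevice \Driver\tdx \Device\Tcp SYMTDI.SYS
AttachedDevice \Driver\tdx \Device\Tcp bdftdif.sys
Process (*** hidden *** ) [4] 83332C20
"""

# SSDT entry GMER could not map to a module: "SSDT <addr> <ZwFunc>".
_UNATTRIBUTED = re.compile(r"^SSDT\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<func>Zw\w+)\s*$")
# SSDT entry with an owning module path and the hook target in brackets.
_ATTRIBUTED = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>Zw\w+)\s+\[0x(?P<target>[0-9A-Fa-f]+)\]\s*$")
_SYSENTER = re.compile(r"^SYSENTER\s+(?P<module>.+?)\s+(?P<addr>[0-9A-Fa-f]{8})\s*$")
_ATTACHED = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<filter>\S+)\s*$")
_HIDDEN = re.compile(r"^Process\s+\(\*\*\*\s*hidden\s*\*\*\*\s*\)\s+\[(?P<pid>\d+)\]\s+(?P<addr>[0-9A-Fa-f]{8})\s*$")

SYSTEM_PID = 4  # PID 4 is the Windows System process (NT 5.0 and later)


def parse_gmer(text):
    """Parse GMER System/Devices/Processes lines into a structured report."""
    report = {
        "ssdt_by_module": defaultdict(list),   # module path -> [Zw functions]
        "ssdt_unattributed": [],               # [(hook address, Zw function)]
        "sysenter": None,                      # (module, address) or None
        "device_filters": defaultdict(list),   # device -> [filter drivers], in stack order
        "hidden_processes": [],                # [(pid, EPROCESS address)]
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):
            continue  # blank lines and section headers carry no entries
        if (m := _UNATTRIBUTED.match(line)):
            report["ssdt_unattributed"].append((m["addr"].upper(), m["func"]))
        elif (m := _ATTRIBUTED.match(line)):
            report["ssdt_by_module"][m["module"]].append(m["func"])
        elif (m := _SYSENTER.match(line)):
            report["sysenter"] = (m["module"], m["addr"].upper())
        elif (m := _ATTACHED.match(line)):
            report["device_filters"][m["device"]].append(m["filter"])
        elif (m := _HIDDEN.match(line)):
            report["hidden_processes"].append((int(m["pid"]), m["addr"].upper()))
    return report


def triage(report):
    """Turn a parsed report into a list of human-readable findings."""
    findings = []
    for module, funcs in report["ssdt_by_module"].items():
        findings.append(f"{module}: {len(funcs)} SSDT entries redirected into this driver")
    for addr, func in report["ssdt_unattributed"]:
        findings.append(f"SSDT {func} -> {addr}: no owning module reported; "
                        "resolve the address against loaded driver ranges before judging")
    for device, filters in report["device_filters"].items():
        if len(filters) > 1:
            findings.append(f"{len(filters)} filters stacked on {device}: {', '.join(filters)}")
    for pid, addr in report["hidden_processes"]:
        if pid == SYSTEM_PID:
            findings.append(f"hidden process [{pid}] at {addr} is PID 4, the System process; "
                            "confirm with a second tool before treating it as a rootkit")
        else:
            findings.append(f"hidden process [{pid}] at {addr}: no visible owner, investigate")
    return findings


if __name__ == "__main__":
    for finding in triage(parse_gmer(SAMPLE)):
        print(finding)
```

The attributed-vs-unattributed split is the useful part: a hook GMER maps to a driver under `Program Files\Bitdefender` is explained by the installed product, while a bare `851xxxxx` address needs to be placed inside a loaded module (for example with a kernel debugger's `lm` output) before it can be dismissed.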