GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-07-12 10:53:21
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0003SDM1 465,76GB
Running: zng80rpb.exe; Driver: C:\Users\Lukasz\AppData\Local\Temp\ugrdapoc.sys

---- System - GMER 2.1 ----

SSDT 90488E86 ZwCreateSection
SSDT 90488E90 ZwRequestWaitReplyPort
SSDT 90488E8B ZwSetContextThread
SSDT 90488E95 ZwSetSecurityObject
SSDT 90488E9A ZwSystemDebugControl
SSDT 90488E27 ZwTerminateProcess

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82C4FA15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C89212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11F7 82C9058C 4 Bytes [86, 8E, 48, 90]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1553 82C908E8 4 Bytes JMP CB57996F
.text ntkrnlpa.exe!KeRemoveQueueEx + 1597 82C9092C 4 Bytes [8B, 8E, 48, 90]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1613 82C909A8 4 Bytes [95, 8E, 48, 90]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 82C909FC 4 Bytes [9A, 8E, 48, 90]
.text ...

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] ntdll.dll!NtCreateFile 770B5608 5 Bytes JMP 5C32B8D0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] ntdll.dll!NtFlushBuffersFile 770B5998 5 Bytes JMP 5C327B07 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] ntdll.dll!NtQueryFullAttributesFile 770B6028 5 Bytes JMP 5C327820 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] ntdll.dll!NtReadFile 770B62F8 5 Bytes JMP 5C327A00 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] ntdll.dll!NtReadFileScatter 770B6308 5 Bytes JMP 5CB7CCC0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] ntdll.dll!NtWriteFile 770B6AA8 5 Bytes JMP 5C32BFE0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] ntdll.dll!NtWriteFileGather 770B6AB8 5 Bytes JMP 5CB7CC6F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 755E94E6 7 Bytes JMP 5CB49E65 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] kernel32.dll!QueryPerformanceCounter + 13 755EC4E5 7 Bytes JMP 5CB49E88 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] kernel32.dll!LoadAppInitDlls + 355 755EF5A6 7 Bytes JMP 5C328236 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] USER32.dll!GetWindowInfo 76134B5E 5 Bytes JMP 5CA57585 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] GDI32.dll!GetViewportOrgEx + 26C 75E8884B 7 Bytes JMP 5CB49DE6 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] WS2_32.dll!closesocket 75493918 5 Bytes JMP 661A46F0 C:\Program Files\Free Download Manager\flvsniff.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] WS2_32.dll!WSASend 75494406 5 Bytes JMP 661A4410 C:\Program Files\Free Download Manager\flvsniff.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] WS2_32.dll!recv 75496B0E 5 Bytes JMP 661A4530 C:\Program Files\Free Download Manager\flvsniff.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] WS2_32.dll!send 75496F01 5 Bytes JMP 661A4370 C:\Program Files\Free Download Manager\flvsniff.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] WS2_32.dll!WSARecv 75497089 5 Bytes JMP 661A45D0 C:\Program Files\Free Download Manager\flvsniff.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] WS2_32.dll!WSAGetOverlappedResult 75497489 5 Bytes JMP 661A5A00 C:\Program Files\Free Download Manager\flvsniff.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] WININET.dll!InternetCloseHandle 757B7549 5 Bytes JMP 661A4760 C:\Program Files\Free Download Manager\flvsniff.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] WININET.dll!InternetReadFile 757C41F7 5 Bytes JMP 661A4710 C:\Program Files\Free Download Manager\flvsniff.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] WININET.dll!HttpSendRequestW 757C6570 5 Bytes JMP 661A47C0 C:\Program Files\Free Download Manager\flvsniff.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[3248] WININET.dll!HttpSendRequestA 757D9B82 5 Bytes JMP 661A4780 C:\Program Files\Free Download Manager\flvsniff.dll

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@VirtualStoreSize 1028

---- EOF - GMER 2.1 ----