GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-08-31 09:46:34 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST380815AS rev.4.ADA 74,51GB Running: 9dn7z838.exe; Driver: C:\DOCUME~1\OPTIPL~1\USTAWI~1\Temp\ufldypow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwAssignProcessToJobObject [0xAA5CC4B0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0xAA5CC7F0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDebugActiveProcess [0xAA5CCAB0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDuplicateObject [0xAA5CC5D0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0xAA5CC8B0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenProcess [0xAA5CC350] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenThread [0xAA5CC410] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwProtectVirtualMemory [0xAA5CC570] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwQueueApcThread [0xAA5CC630] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwReplaceKey [0xAA5CCC70] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwRestoreKey [0xAA5CCC30] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetContextThread [0xAA5CC530] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetInformationThread [0xAA5CC4F0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSecurityObject [0xAA5CC670] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0xAA5CC870] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendProcess [0xAA5CC3B0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendThread [0xAA5CC430] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0xAA5CC830] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateProcess [0xAA5CC370] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateThread [0xAA5CC470] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwWriteVirtualMemory [0xAA5CC5F0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2E70 80504758 2 Bytes [50, C3] {PUSH EAX; RET } .text ntkrnlpa.exe!ZwCallbackReturn + 2E88 80504770 2 Bytes [10, C4] {ADC AH, AL} .text ntkrnlpa.exe!ZwCallbackReturn + 301C 80504904 2 Bytes [F0, C4] .text ntkrnlpa.exe!ZwCallbackReturn + 303C 80504924 2 Bytes [70, C6] {JO 0xffffffc8} .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [B0, C3, 5C, AA, 30, C4, 5C, ...] {MOV AL, 0xc3; POP ESP; STOSB ; XOR AH, AL; POP ESP; STOSB ; XOR AL, CL; POP ESP; STOSB } init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF70AFF80] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Endpoint Security\ekrn.exe[344] kernel32.dll!SetUnhandledExceptionFilter 7C8449CD 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 20, 4F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 23, 4F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 20, 4F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 21, 4F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B91253A .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 22, 4F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 21, 4F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 22, 4F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B9125AB .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 20, 4F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B9126D9 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 21, 4F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 22, 4F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 23, 4F, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2404] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 58, 37, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 5B, 37, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 58, 37, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 59, 37, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B910D72 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 5A, 37, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 59, 37, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 5A, 37, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B910DE3 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 58, 37, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B910F11 .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 59, 37, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 5A, 37, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 5B, 37, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2756] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] .text C:\WINDOWS\system32\SearchIndexer.exe[2980] kernel32.dll!WriteFile 7C8112FF 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL .text C:\Program Files\Google\Chrome\Application\chrome.exe[3748] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [18, 10, C4, 01] {SBB [EAX], DL; LES EAX, [ECX]} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3748] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 58, 3E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 5B, 3E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 58, 3E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 59, 3E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B911472 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 5A, 3E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 59, 3E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 5A, 3E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B9114E3 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 58, 3E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B911611 .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 59, 3E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 5A, 3E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 5B, 3E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3976] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2] ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys AttachedDevice \FileSystem\Fastfat \Fat eamon.sys ---- Threads - GMER 2.1 ---- Thread System [4:1292] 85D50940 ---- EOF - GMER 2.1 ----