GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-18 20:20:34
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0 ST340014 rev.3.06 37,27GB
Running: fqxoq50v.exe; Driver: C:\DOCUME~1\Beata\USTAWI~1\Temp\kflyqpog.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwAssignProcessToJobObject [0xF0A084B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0xF0A087F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDebugActiveProcess [0xF0A08AB0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDuplicateObject [0xF0A085D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0xF0A088B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenProcess [0xF0A08350]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenThread [0xF0A08410]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwProtectVirtualMemory [0xF0A08570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwQueueApcThread [0xF0A08630]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwReplaceKey [0xF0A08C70]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwRestoreKey [0xF0A08C30]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetContextThread [0xF0A08530]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetInformationThread [0xF0A084F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSecurityObject [0xF0A08670]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0xF0A08870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendProcess [0xF0A083B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendThread [0xF0A08430]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0xF0A08830]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateProcess [0xF0A08370]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateThread [0xF0A08470]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwWriteVirtualMemory [0xF0A085F0]

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!_abnormal_termination + 271 804E2845 3 Bytes [85, A0, F0]
.text ntoskrnl.exe!_abnormal_termination + 440 804E2A14 12 Bytes [B0, 83, A0, F0, 30, 84, A0, ...]
.text C:\WINDOWS\System32\DRIVERS\nv4_mini.sys section is writeable [0xF644E340, 0x130B5F, 0xF8000020]
.text C:\WINDOWS\System32\nv4_disp.dll section is writeable [0xBF012380, 0x268611, 0xF8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET Endpoint Security\ekrn.exe[1964] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01330BCB C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 01330916 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 01330A43 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 01330950 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 01649BCE C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 01330D6F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 01649C1E C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 1000921C C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01636DFA C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01635622 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] kernel32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 013D6358 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01633E16 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[4052] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 02048E4A C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys
AttachedDevice \Driver\Tcpip \Device\Ip epfwtdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp epfwtdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp epfwtdi.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys

---- Threads - GMER 2.1 ----

Thread System [4:1260] 856C86B0

---- EOF - GMER 2.1 ----