GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-02 14:39:42
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c Hitachi_HCS5C3225SLA380 rev.STBOA37E 232,89GB
Running: cpr6g9ol.exe; Driver: C:\DOCUME~1\admin\USTAWI~1\Temp\kwndakoc.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwAssignProcessToJobObject [0xB26CDFE0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0xB26CE320]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDebugActiveProcess [0xB26CE5E0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwDuplicateObject [0xB26CE100]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0xB26CE3E0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenProcess [0xB26CDE80]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwOpenThread [0xB26CDF40]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwProtectVirtualMemory [0xB26CE0A0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwQueueApcThread [0xB26CE160]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwReplaceKey [0xB26CE7A0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwRestoreKey [0xB26CE760]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetContextThread [0xB26CE060]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetInformationThread [0xB26CE020]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSecurityObject [0xB26CE1A0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0xB26CE3A0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendProcess [0xB26CDEE0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSuspendThread [0xB26CDF60]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0xB26CE360]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateProcess [0xB26CDEA0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwTerminateThread [0xB26CDFA0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwWriteVirtualMemory [0xB26CE120]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [E0, DE, 6C, B2, 60, DF, 6C, ...]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB51A53C0, 0x84E2FA, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[516] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\OO Software\Defrag\oodag.exe[2028] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 5 Bytes JMP 00401B30 C:\Program Files\OO Software\Defrag\oodag.exe
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01260BCB C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 01260916 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 01260A43 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 01260950 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 01579BCE C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 01260D6F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 01579C1E C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 1000921C C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01566DFA C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01565622 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] kernel32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 01306358 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01563E16 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2364] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 01F78E4A C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3720] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003D921C C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3720] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 01DE1014 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3720] USER32.dll!SetWindowLongA + 19 7E37C2B6 7 Bytes JMP 01DE10E9 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3720] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 01DE33D1 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[3720] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 01DE19C4 C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet001\Control\Video\{0C181A69-7B90-4E5A-95F4-F18515C4867D}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\ControlSet001\Control\Video\{0C181A69-7B90-4E5A-95F4-F18515C4867D}\0001@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\ControlSet002\Control\Video\{0C181A69-7B90-4E5A-95F4-F18515C4867D}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\ControlSet002\Control\Video\{0C181A69-7B90-4E5A-95F4-F18515C4867D}\0001@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\ControlSet002\Control\Video\{CD52FFBB-21C2-4923-9ED6-79F62A66ECB2}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{0C181A69-7B90-4E5A-95F4-F18515C4867D}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{0C181A69-7B90-4E5A-95F4-F18515C4867D}\0001@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{CD52FFBB-21C2-4923-9ED6-79F62A66ECB2}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 66
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 49
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@DeviceNotSelectedTimeout 15
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@GDIProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@Spooler yes
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@swapdisk
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@TransmissionRetryTimeout 90
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@USERProcessHandleQuota 10000
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows@RequireSignedAppInit_DLLs 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060120150608
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060120150608@CachePath %USERPROFILE%\Ustawienia lokalne\Historia\History.IE5\MSHist012015060120150608
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060120150608@CachePrefix :2015060120150608:
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060120150608@CacheLimit 8192
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060120150608@CacheOptions 11
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015060120150608@CacheRepair 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015062320150624
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015062320150624@CachePath %USERPROFILE%\Ustawienia lokalne\Historia\History.IE5\MSHist012015062320150624
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015062320150624@CachePrefix :2015062320150624:
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015062320150624@CacheLimit 8192
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015062320150624@CacheOptions 11
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015062320150624@CacheRepair 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015062420150625
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015062420150625@CachePath %USERPROFILE%\Ustawienia lokalne\Historia\History.IE5\MSHist012015062420150625
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015062420150625@CachePrefix :2015062420150625:
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015062420150625@CacheLimit 8192
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015062420150625@CacheOptions 11
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\Cache\Extensible Cache\MSHist012015062420150625@CacheRepair 0

---- Files - GMER 2.1 ----

File C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\kspbym2s.default\cache2\entries\394192BC7283FF3DE4000F70200BEB66DB5881E1 696 bytes
File C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\kspbym2s.default\cache2\entries\FC83129450B43D7CF696E245496BCA951573BA08 0 bytes
File C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\kspbym2s.default\cache2\entries\84C092BA78FAD0F2B29C4691309899ECBE3DF7DE 0 bytes
File C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\kspbym2s.default\cache2\entries\162026D36EAFA06C9C7AC8351B70F5C8E74E324A 4793 bytes
File C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\kspbym2s.default\cache2\entries\8F4348127746A926107F43CEA6A2EB7F8C1C32AC 4793 bytes
File C:\Documents and Settings\admin\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\kspbym2s.default\cache2\entries\9C08E7DBEB1395C9264F75ABFAB7A33E70889559 104 bytes

---- EOF - GMER 2.1 ----