GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-07 23:23:04
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD322HJ rev.1AC01110 298,09GB
Running: 9i7r7udx.exe; Driver: C:\Users\MICHA~1\AppData\Local\Temp\afrdrpoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 000000007509d03c 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075341401 2 bytes JMP 750aeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075341419 2 bytes JMP 750bb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075341431 2 bytes JMP 75138609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007534144a 2 bytes CALL 75091dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753414dd 2 bytes JMP 75137efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753414f5 2 bytes JMP 751380d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007534150d 2 bytes JMP 75137df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075341525 2 bytes JMP 751381c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007534153d 2 bytes JMP 750af088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075341555 2 bytes JMP 750bb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007534156d 2 bytes JMP 751386c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075341585 2 bytes JMP 75138222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007534159d 2 bytes JMP 75137db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753415b5 2 bytes JMP 750af121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753415cd 2 bytes JMP 750bb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753416b2 2 bytes JMP 75138584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1972] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753416bd 2 bytes JMP 75137d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075341401 2 bytes JMP 750aeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075341419 2 bytes JMP 750bb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075341431 2 bytes JMP 75138609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007534144a 2 bytes CALL 75091dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753414dd 2 bytes JMP 75137efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753414f5 2 bytes JMP 751380d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007534150d 2 bytes JMP 75137df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075341525 2 bytes JMP 751381c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007534153d 2 bytes JMP 750af088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075341555 2 bytes JMP 750bb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007534156d 2 bytes JMP 751386c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075341585 2 bytes JMP 75138222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007534159d 2 bytes JMP 75137db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753415b5 2 bytes JMP 750af121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753415cd 2 bytes JMP 750bb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753416b2 2 bytes JMP 75138584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ipla\ipla.exe[2128] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753416bd 2 bytes JMP 75137d4d C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2384] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 00000000770e000c 1 byte [C3]
.text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2384] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007716f50a 5 bytes JMP 000000017711dba1
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075341401 2 bytes JMP 750aeb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000075341419 2 bytes JMP 750bb513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000075341431 2 bytes JMP 75138609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007534144a 2 bytes CALL 75091dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000753414dd 2 bytes JMP 75137efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000753414f5 2 bytes JMP 751380d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007534150d 2 bytes JMP 75137df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000075341525 2 bytes JMP 751381c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007534153d 2 bytes JMP 750af088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075341555 2 bytes JMP 750bb885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007534156d 2 bytes JMP 751386c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000075341585 2 bytes JMP 75138222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007534159d 2 bytes JMP 75137db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000753415b5 2 bytes JMP 750af121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000753415cd 2 bytes JMP 750bb29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000753416b2 2 bytes JMP 75138584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[736] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000753416bd 2 bytes JMP 75137d4d C:\Windows\syswow64\kernel32.dll

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification
INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [1532:2884] 000007fee8419688

---- EOF - GMER 2.1 ----