GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-05 16:27:32
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-e WDC_WD5000AZRX-00A8LB0 rev.01.01A01 465,76GB
Running: owj4r2fk.exe; Driver: C:\DOCUME~1\Nexxem\USTAWI~1\Temp\fgxcqfob.sys


---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwAssignProcessToJobObject [0xAF1A5610]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwDebugActiveProcess [0xAF1A5C10]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwDuplicateObject [0xAF1A5730]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwOpenProcess [0xAF1A54B0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwOpenThread [0xAF1A5570]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwProtectVirtualMemory [0xAF1A56D0]
SSDT  \??\C:\WINDOWS\system32\drivers\avgtpx86.sys  ZwQueryValueKey [0xB82491D6]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwQueueApcThread [0xAF1A5790]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSetContextThread [0xAF1A5690]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSetInformationThread [0xAF1A5650]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSetSecurityObject [0xAF1A57D0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSuspendProcess [0xAF1A5510]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwSuspendThread [0xAF1A5590]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwTerminateProcess [0xAF1A54D0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwTerminateThread [0xAF1A55D0]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwWriteVirtualMemory [0xAF1A5750]

---- Kernel code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB524D3C0, 0x74AA7A, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[740] kernel32.dll!SetUnhandledExceptionFilter  7C8449B5 4 Bytes  [C2, 04, 00, 00]
.text  C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1504] ntdll.dll!DbgBreakPoint  7C90120E 1 Byte  [C3]
.text  C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[1504] ntdll.dll!DbgUiRemoteBreakin  7C95211C 5 Bytes  JMP 7C924778 C:\WINDOWS\system32\ntdll.dll
.text  D:\Program Files\FlashGet Network\FlashGet 3\flashget3.exe[2788] kernel32.dll!LoadLibraryExW  7C801AF5 7 Bytes  JMP 004EF9E0 D:\Program Files\FlashGet Network\FlashGet 3\flashget3.exe
.text  D:\Program Files\FlashGet Network\FlashGet 3\flashget3.exe[2788] WS2_32.dll!send  71A54C27 5 Bytes  JMP 02C30000
.text  D:\Program Files\FlashGet Network\FlashGet 3\flashget3.exe[2788] WS2_32.dll!WSASend  71A568FA 5 Bytes  JMP 02C40000

---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  eamon.sys
AttachedDevice  \Driver\Tcpip \Device\Ip  epfwtdi.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp  epfwtdi.sys
AttachedDevice  \Driver\Tcpip \Device\Udp  epfwtdi.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  epfwtdi.sys
AttachedDevice  \FileSystem\Fastfat \Fat  fltMgr.sys
AttachedDevice  \FileSystem\Fastfat \Fat  eamon.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Video\{0414F9B8-6BCD-4E25-894F-0646DEE34B9C}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Video\{83E9859D-E672-4115-8877-4B4DBCE48983}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\ControlSet002\Control\Video\{0414F9B8-6BCD-4E25-894F-0646DEE34B9C}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\ControlSet002\Control\Video\{83E9859D-E672-4115-8877-4B4DBCE48983}\0000@D3D_\x3332\x3331  2089309684

---- EOF - GMER 2.1 ----
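Added example, not part of the scan above and not code from GMER: a short Python triage script for logs in this format. It parses the SSDT, user-mode `.text` and AttachedDevice entries, groups SSDT hooks by the driver that owns the handler, flags any hooking driver that is not on an allow-list of security-product drivers the analyst expects on the machine, and marks user-mode inline hooks whose JMP target GMER could not attribute to a module file. The allow-list (ehdrv.sys, eamon.sys and epfwtdi.sys as ESET, avgtpx86.sys as AVG) is an assumption made for the example and should be checked against the vendors' own file lists; the sample input is an excerpt of the entries above plus one made-up SSDT line (`unknown.sys`) that exists only to exercise the unlisted-driver path.

```python
import re
from collections import defaultdict

# Drivers the analyst already expects on this box (assumption for this example;
# verify each name against the vendor's documentation before relying on it).
KNOWN_SECURITY_DRIVERS = {
    "ehdrv.sys": "ESET", "eamon.sys": "ESET", "epfwtdi.sys": "ESET",
    "avgtpx86.sys": "AVG",
}

# Excerpt of the scan entries shown on this page, in GMER's own line format.
PAGE_EXCERPT = r"""
---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwOpenProcess [0xAF1A54B0]
SSDT  \??\C:\WINDOWS\system32\drivers\avgtpx86.sys  ZwQueryValueKey [0xB82491D6]
SSDT  \SystemRoot\system32\DRIVERS\ehdrv.sys  ZwTerminateProcess [0xAF1A54D0]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[740] kernel32.dll!SetUnhandledExceptionFilter  7C8449B5 4 Bytes  [C2, 04, 00, 00]
.text  D:\Program Files\FlashGet Network\FlashGet 3\flashget3.exe[2788] kernel32.dll!LoadLibraryExW  7C801AF5 7 Bytes  JMP 004EF9E0 D:\Program Files\FlashGet Network\FlashGet 3\flashget3.exe
.text  D:\Program Files\FlashGet Network\FlashGet 3\flashget3.exe[2788] WS2_32.dll!send  71A54C27 5 Bytes  JMP 02C30000

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Tcp  epfwtdi.sys
"""

# Made-up entry, NOT from the scan: a driver outside the allow-list, used only
# to show what the unlisted-driver check reports.
SYNTHETIC_EXCERPT = "---- System - GMER 2.1 ----\n\n" \
    r"SSDT  \??\C:\WINDOWS\system32\drivers\unknown.sys  ZwCreateFile [0xB8000000]" "\n"

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(r"^SSDT\s+(\S+)\s+(Zw\w+)\s+\[0x([0-9A-Fa-f]+)\]")
USER_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+)!(\w+)\s+([0-9A-Fa-f]+)\s+(\d+) Bytes?\s+(.*)$")
DEVICE_RE = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)$")


def basename(path):
    """Last component of a Win32 or NT-style path, lower-cased."""
    return path.rsplit("\\", 1)[-1].lower()


def classify_patch(tail):
    """Classify the trailing 'what was written' part of a user-mode .text entry."""
    if tail.startswith("JMP "):
        parts = tail.split(None, 2)  # 'JMP', target address, optional module path
        if len(parts) == 3:
            return "jmp-into-module", parts[2]
        return "jmp-into-unbacked-memory", parts[1]  # GMER named no module file
    return "inline-bytes", tail


def triage(log_text):
    ssdt = defaultdict(list)   # hooking driver -> list of hooked Zw* services
    user_hooks, devices = [], []
    section = None
    for line in log_text.splitlines():
        line = line.strip()
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System" and (m := SSDT_RE.match(line)):
            ssdt[basename(m.group(1))].append(m.group(2))
        elif section == "User code sections" and (m := USER_RE.match(line)):
            kind, target = classify_patch(m.group(7))
            user_hooks.append({
                "process": basename(m.group(1)), "pid": int(m.group(2)),
                "api": f"{m.group(3)}!{m.group(4)}", "kind": kind, "target": target,
            })
        elif section == "Devices" and (m := DEVICE_RE.match(line)):
            devices.append((m.group(2), m.group(3).lower()))
    unlisted = sorted(d for d in ssdt if d not in KNOWN_SECURITY_DRIVERS)
    review = [h for h in user_hooks if h["kind"] == "jmp-into-unbacked-memory"]
    return {"ssdt": dict(ssdt), "unlisted_ssdt_hookers": unlisted,
            "user_hooks": user_hooks, "needs_review": review, "devices": devices}


if __name__ == "__main__":
    for name, text in (("page excerpt", PAGE_EXCERPT), ("synthetic", SYNTHETIC_EXCERPT)):
        r = triage(text)
        print(f"[{name}] SSDT hooks by driver:", {k: len(v) for k, v in r["ssdt"].items()})
        print(f"[{name}] SSDT hookers not on allow-list:", r["unlisted_ssdt_hookers"])
        for h in r["needs_review"]:
            print(f"[{name}] review: {h['process']}[{h['pid']}] {h['api']} -> {h['target']}")
```

The script does not decide whether a hook is malicious; it only separates what the analyst already accounts for (an installed AV's self-protection hooks on process- and thread-manipulation services, its filter drivers attached to Ntfs and Tcpip) from entries that still need a human to look at the owning process and the memory the JMP lands in.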