GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-10 10:38:40
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD16 rev.11.0
Running: uqmfqwrq.exe; Driver: C:\DOCUME~1\wro01692\LOCALS~1\Temp\uwrdrpob.sys

---- System - GMER 1.0.15 ----

SSDT 883AD8BC ZwCreateKey
SSDT 881A28A4 ZwCreateMutant
SSDT 8844DDEC ZwCreateProcess
SSDT 883A5A2C ZwCreateProcessEx
SSDT 87FDD2DC ZwCreateSymbolicLinkObject
SSDT 881A051C ZwCreateThread
SSDT 87FDD25C ZwDebugActiveProcess
SSDT 883C4CC4 ZwDeleteKey
SSDT 8801C9F4 ZwDeleteValueKey
SSDT 87FDD29C ZwDuplicateObject
SSDT 881A28E4 ZwLoadDriver
SSDT 8800D1FC ZwOpenProcess
SSDT 881A059C ZwOpenSection
SSDT 883A6614 ZwOpenThread
SSDT 883C4C84 ZwRenameKey
SSDT 8801CA34 ZwRestoreKey
SSDT 881A2864 ZwSetSystemInformation
SSDT 8849BE5C ZwSetValueKey
SSDT 8800E294 ZwTerminateProcess
SSDT 88186234 ZwTerminateThread
SSDT 881A055C ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text iaStor.sys B99474FC 1 Byte [CC] {INT 3 }
? C:\WINDOWS\system32\drivers\prot_2k.sys The process cannot access the file because it is being used by another process.

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[1780] SHELL32.dll!SHFileOperationW 7CA70984 5 Bytes JMP 031D1102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\WINDOWS\explorer.exe[4320] SHELL32.dll!SHFileOperationW 7CA70984 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text D:\Kies\External\FirmwareUpdate\KiesPDLR.exe[6128] ntdll.dll!DbgUiRemoteBreakin 7C9520EC 1 Byte [C3]

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs TmPreFlt.sys (Pre-Filter For XP/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Ip tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 prot_2k.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 prot_2k.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 prot_2k.sys
AttachedDevice \Driver\Tcpip \Device\Udp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)
AttachedDevice \Driver\Tcpip \Device\RawIp tmtdi.sys (Trend Micro TDI Driver (i386-fre)/Trend Micro Inc.)

---- Threads - GMER 1.0.15 ----

Thread System [4:424] 8A00B0F4

---- Registry - GMER 1.0.15 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EAF2DACB-A6F2-626F-964F-CB4711A670EF}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EAF2DACB-A6F2-626F-964F-CB4711A670EF}@paoimcjpkpimcmmfaeamepfnoijfcino 0x69 0x61 0x62 0x6A ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{EAF2DACB-A6F2-626F-964F-CB4711A670EF}@oaeikifpoejapgbojcdfmhooikjaab 0x69 0x61 0x62 0x6A ...

---- EOF - GMER 1.0.15 ----