GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-08-18 19:05:41
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\00000062 ST3320620A rev.3.AAF 298,09GB
Running: zcbzejjl.exe; Driver: C:\DOCUME~1\dm\USTAWI~1\Temp\pweorpob.sys

---- System - GMER 2.2 ----

SSDT F7B13374 ZwClose
SSDT F7B1332E ZwCreateKey
SSDT F7B1337E ZwCreateSection
SSDT F7B13356 ZwCreateSymbolicLinkObject
SSDT F7B13324 ZwCreateThread
SSDT F7B13333 ZwDeleteKey
SSDT F7B1333D ZwDeleteValueKey
SSDT F7B1336F ZwDuplicateObject
SSDT F7B1335B ZwLoadDriver
SSDT F7B13342 ZwLoadKey
SSDT F7B13310 ZwOpenProcess
SSDT F7B13351 ZwOpenSection
SSDT F7B13315 ZwOpenThread
SSDT F7B13397 ZwQueryValueKey
SSDT F7B1334C ZwReplaceKey
SSDT F7B13388 ZwRequestWaitReplyPort
SSDT F7B13347 ZwRestoreKey
SSDT F7B13383 ZwSetContextThread
SSDT F7B1338D ZwSetSecurityObject
SSDT F7B13360 ZwSetSystemInformation
SSDT F7B13338 ZwSetValueKey
SSDT F7B13392 ZwSystemDebugControl
SSDT F7B1331F ZwTerminateProcess
SSDT F7B1331A ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.2 ----

.text ntoskrnl.exe!_abnormal_termination + 3A1 804E29FD 3 Bytes [33, B1, F7]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6AEA360, 0x372FAD, 0xE8000020]

---- Devices - GMER 2.2 ----

AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys

---- Registry - GMER 2.2 ----

Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{604258D8-22D5-512F-AA5F-8E762E8F9DE6}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{604258D8-22D5-512F-AA5F-8E762E8F9DE6}@oaijdgjdlelcephfnfnbpgigaebeoi 0x64 0x61 0x68 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{604258D8-22D5-512F-AA5F-8E762E8F9DE6}@oaeidaiimllmknolkakhfenafmoeoi 0x6A 0x61 0x69 0x64 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{604258D8-22D5-512F-AA5F-8E762E8F9DE6}@nakibccdgedbkkkiafnpngdgaghi 0x6B 0x61 0x68 0x64 ...

---- EOF - GMER 2.2 ----