GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-02 19:14:51
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\0000007e ST316081 rev.3.AA
Running: gmer.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\aftciaog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text           ntkrnlpa.exe!ZwSaveKey + 13D1                                                                            83282369 1 Byte  [06]
.text           ntkrnlpa.exe!KiDispatchInterrupt + 5A2                                                                   832BBD52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text           C:\Windows\system32\DRIVERS\lirsgt.sys                                                                   section is writeable [0x9B79E300, 0x1B7E, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT             C:\Windows\System32\rundll32.exe[2340] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress]    [74FCFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT             C:\Windows\System32\rundll32.exe[2340] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress]     [74FCFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT             C:\Windows\System32\rundll32.exe[2340] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress]   [74FCFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT             C:\Windows\System32\rundll32.exe[2340] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress]  [74FCFFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                          [73D02437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                     [73CE5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                    [73CE56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                           [73D024B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]                 [73CF8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]                   [73CF4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]                  [73CF506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]                 [73CF5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]        [73CF6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]                  [73CF826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]             [73CF87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]           [73CF901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]                 [73CFE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT             C:\Windows\Explorer.EXE[2872] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                     [73CF4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1                                                                   hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2                                                                   hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                   fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3                                                                   hotcore3.sys (A part of Paragon System Utilities/Paragon Software Group)

Device          \Driver\ACPI_HAL \Device\00000069                                                                        halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

---- Files - GMER 1.0.15 ----

File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00018.log                                   1048576 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS00019.log                                   0 bytes
File            C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS0001A.log                                   1048576 bytes

---- EOF - GMER 1.0.15 ----