GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-30 08:26:53
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 ST3250310AS rev.4.AAA
Running: zzyk6u5r.exe; Driver: C:\Users\fitnes\AppData\Local\Temp\uwloypog.sys

---- System - GMER 1.0.15 ----

SSDT 87E2E498 ZwAlertResumeThread
SSDT 87E2E578 ZwAlertThread
SSDT 87BBF200 ZwAllocateVirtualMemory
SSDT 879E77B8 ZwAlpcConnectPort
SSDT 87BBFC20 ZwAssignProcessToJobObject
SSDT 87E2E1E8 ZwCreateMutant
SSDT 87BBF940 ZwCreateSymbolicLinkObject
SSDT 87BBF008 ZwCreateThread
SSDT 87BBFD00 ZwDebugActiveProcess
SSDT 87BBF390 ZwDuplicateObject
SSDT 8838B618 ZwFreeVirtualMemory
SSDT 87E2E2D8 ZwImpersonateAnonymousToken
SSDT 87E2E3B8 ZwImpersonateThread
SSDT 879E7740 ZwLoadDriver
SSDT 8838B538 ZwMapViewOfSection
SSDT 87E2E108 ZwOpenEvent
SSDT 87BBF530 ZwOpenProcess
SSDT 87BBF2D0 ZwOpenProcessToken
SSDT 87BBFF28 ZwOpenSection
SSDT 87BBF460 ZwOpenThread
SSDT 87BBFB30 ZwProtectVirtualMemory
SSDT 87E2E638 ZwResumeThread
SSDT 8838B288 ZwSetContextThread
SSDT 8838B368 ZwSetInformationProcess
SSDT 87BBFDE0 ZwSetSystemInformation
SSDT 87E2E028 ZwSuspendProcess
SSDT 8838B0C8 ZwSuspendThread
SSDT 87CA8C60 ZwTerminateProcess
SSDT 8838B1A8 ZwTerminateThread
SSDT 8838B458 ZwUnmapViewOfSection
SSDT 87BBF0E8 ZwWriteVirtualMemory
SSDT 87BBFA30 ZwCreateThreadEx
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x82C36FEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82C36FEC] ZwCreateKey [0x82C36FEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x82C36FF1]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82C36FF1] ZwOpenKey [0x82C36FF1]

INT 0x03 \SystemRoot\system32\ntkrnlpa.exe[unknown section] 82C36FFB

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetEvent + 11D 82CE27E0 8 Bytes [98, E4, E2, 87, 78, E5, E2, ...] {CWDE ; IN AL, 0xe2; XCHG [EAX-0x1b], EDI; LOOP 0xffffffffffffff8f}
.text ntkrnlpa.exe!KeSetEvent + 131 82CE27F4 4 Bytes [00, F2, BB, 87]
.text ntkrnlpa.exe!KeSetEvent + 13D 82CE2800 4 Bytes [B8, 77, 9E, 87]
.text ntkrnlpa.exe!KeSetEvent + 191 82CE2854 4 Bytes [20, FC, BB, 87]
.text ntkrnlpa.exe!KeSetEvent + 1E9 82CE28AC 3 Bytes [EC, 6F, C3] {IN AL, DX ; OUTSD ; RET }
.text ...
.text C:\Windows\system32\DRIVERS\aksfridge.sys section is writeable [0xB560F000, 0x48E1C, 0xE0000020]
.init C:\Windows\system32\DRIVERS\aksfridge.sys entry point in ".init" section [0xB5665224]
.init C:\Windows\system32\DRIVERS\aksfridge.sys unknown last code section [0xB5665000, 0x4000, 0xE20000E0]
.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0xB5669400, 0x6EB98, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB56F3C20] C:\Windows\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xB56F3C20]
.protect˙˙˙˙hardlockunknown last code section [0xB56F3A00, 0x50CA, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0xB56F3A00, 0x50CA, 0xE0000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[5064] ntdll.dll!LdrLoadDll 77239378 5 Bytes JMP 6279B52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5064] kernel32.dll!LockResource + C 75B86B0B 7 Bytes JMP 62A4B6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5064] kernel32.dll!VirtualAllocEx + 54 75B8AF70 7 Bytes JMP 62A4B6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5064] GDI32.dll!SetStretchBltMode + 256 7609745C 7 Bytes JMP 62A4B653 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73F77817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73FBB4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73F7BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73F6F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73F775E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73F6E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73FA73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73F7DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73F6FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73F6FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73F671CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73FFCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73F9C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73F6D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73F66853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73F6687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73F72AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3192] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free] [65E0F3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\partmgr \Device\PartmgrControl aksfridge.sys (Ancillary Function Driver/SafeNet Inc.)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\aksusb \Device\0000006d AKSCLASS.SYS (Aladdin Class Driver/SafeNet Inc.)
Device \Driver\aksusb \Device\0000006e AKSCLASS.SYS (Aladdin Class Driver/SafeNet Inc.)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----