GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-05-02 14:52:18
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9160310AS rev.HP07 149,05GB
Running: e2pkevpp.exe; Driver: C:\Users\aaa\AppData\Local\Temp\uxriapow.sys

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82E92A09 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ECC1F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9362A000, 0x2D5378, 0xE8000020]

---- User code sections - GMER 2.1 ----

? C:\Windows\system32\svchost.exe[2904] image checksum mismatch; time/date stamp mismatch; unknown module: dbghelp.dll

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74A424CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74A2562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74A256EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74A42546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74A385AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74A34D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [74A35105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74A351DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74A36707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [74A38301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74A38850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74A390B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [74A3E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1840] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74A34C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!__wgetmainargs] 244C8D51
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_exit] 1BC82B04
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_XcptFilter] 23D0F7C0
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!exit] 25C48BC8
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_initterm] FFFFF000
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_amsg_exit] 0A72C83B
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!__setusermatherr] 9459C18B
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!memcpy] 0489008B
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_controlfp] 002DC324
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_except_handler4_common] 85000010
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!?terminate@@YAXXZ] E9E9EB00
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!__set_app_type] 0000A77A
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!__p__fmode] 042474FF
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!__p__commode] 00A7ABE8
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [msvcrt.dll!_cexit] 8BC35900
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LocalAlloc] 56077400
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!CloseHandle] 00A783E8
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!DelayLoadFailureHook] C68B5900
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetProcAddress] 0004C25E
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetLastError] 2444B70F
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!FreeLibrary] FF505608
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!InterlockedCompareExchange] 330C2474
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExA] AF60E8F6
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!InterlockedExchange] C0850000
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!Sleep] 087E5959
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!SetUnhandledExceptionFilter] 15FF4650
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetModuleHandleA] [0006D174] C:\Windows\system32\svchost.exe
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!QueryPerformanceCounter] C35EC68B
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetTickCount] 83EC8B55
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetSystemTimeAsFileTime] 575318EC
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!UnhandledExceptionFilter] 3068DB33
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!DeactivateActCtx] 890006D2
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LoadLibraryExW] 5D89F05D
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!ActivateActCtx] 6C15FFE8
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!lstrcmpW] [0006D220] C:\Windows\system32\svchost.exe
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!RegCloseKey] 06D07C15
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!RegOpenKeyExW] 3BF88B00
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!HeapSetInformation] F47D89FB
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!lstrcmpiW] C0330775
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!lstrlenW] 0000EAE9
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LCMapStringW] 358B5600
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!RegQueryValueExW] [0006D078] C:\Windows\system32\svchost.exe
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!ReleaseActCtx] 06D21068
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!CreateActCtxW] D6FF5700
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!ExpandEnvironmentStringsW] 06D20468
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetCommandLineW] 45895700
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!ExitProcess] 68D6FFF8
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!SetProcessAffinityUpdateMode] [0006D1F0] C:\Windows\system32\svchost.exe
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!RegDisablePredefinedCacheEx] 8BF475FF
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!GetProcessHeap] 840FF85D
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!SetErrorMode] 000000AF
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!RegisterWaitForSingleObjectEx] 840FFB3B
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!LocalFree] 000000A7
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!HeapFree] 840FC33B
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [KERNEL32.dll!WideCharToMultiByte] 0000009F
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlAllocateHeap] 7415FFD0
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlLengthRequiredSid] 3B0006D0
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlSubAuthoritySid] EC4589C3
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlInitializeSid] 008E840F
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlCopySid] 88BE0000
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlSubAuthorityCountSid] 56000002
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlInitializeCriticalSection] 15FF5053
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlSetProcessIsCritical] [0006D070] C:\Windows\system32\svchost.exe
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlImageNtHeader] FB3BF88B
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlUnhandledExceptionFilter] 458D7A74
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!EtwEventWrite] 895750FC
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!EtwEventEnabled] 55FFFC75
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!EtwEventRegister] 6FF883F8
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [ntdll.dll!RtlFreeHeap] 75FF1075
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcMgmtSetServerStackSize] 89037406
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!I_RpcMapWin32Status] 5357E875
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIf] FFEC75FF
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcMgmtWaitServerListen] 06D06815
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcMgmtStopServerListening] F475FF00
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcServerUnregisterIfEx] D06415FF
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcServerRegisterIf] 5D390006
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcServerUseProtseqEpW] 8B0D74E8
IAT C:\Windows\system32\svchost.exe[2904] @ C:\Windows\system32\svchost.exe [RPCRT4.dll!RpcServerListen] FF0BEBC6

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e4309aa
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e4309aa@48dcfbf1d245 0x97 0x5F 0xCC 0x0A ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e4309aa@8400d290cf37 0x1A 0x55 0x3B 0xDC ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e4309aa@1886ac34e531 0x3E 0xD3 0xE8 0xAC ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e4309aa@945103fd0e73 0xD6 0x4A 0xC2 0xF6 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e4309aa@f8db7f19647e 0x18 0x17 0x13 0x1E ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e4309aa (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e4309aa@48dcfbf1d245 0x97 0x5F 0xCC 0x0A ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e4309aa@8400d290cf37 0x1A 0x55 0x3B 0xDC ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e4309aa@1886ac34e531 0x3E 0xD3 0xE8 0xAC ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e4309aa@945103fd0e73 0xD6 0x4A 0xC2 0xF6 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e4309aa@f8db7f19647e 0x18 0x17 0x13 0x1E ...
Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{A66C012D-F836-11E1-BB1C-806E6F6E6963} 2335663200

---- Files - GMER 2.1 ----

File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS01148.log 1048576 bytes
File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS01149.log 1048576 bytes

---- EOF - GMER 2.1 ----