GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-01-01 21:35:04
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 SAMSUNG_HM250HI rev.2AC101C4 232.88GB
Running: m57g1hli.exe; Driver: C:\Users\user\AppData\Local\Temp\aftcaaob.sys

---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\ntkrnlpa.exe  ZwCreateKey [0x83015FEC]
SSDT  \SystemRoot\system32\ntkrnlpa.exe[unknown section] [83015FEC]  ZwCreateKey [0x83015FEC]
SSDT  \SystemRoot\system32\ntkrnlpa.exe  ZwOpenKey [0x83015FF1]
SSDT  \SystemRoot\system32\ntkrnlpa.exe[unknown section] [83015FF1]  ZwOpenKey [0x83015FF1]

INT 0x03  \SystemRoot\system32\ntkrnlpa.exe[unknown section]  83015FFB
INT 0x06  \??\C:\Windows\system32\drivers\Haspnt.sys  997B416D
INT 0x0E  \??\C:\Windows\system32\drivers\Haspnt.sys  997B3FC2

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 142D  83052A15 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  8308C212 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11BF  83093554 3 Bytes  [EC, 5F, 01]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 137F  83093714 3 Bytes  [F1, 5F, 01]
.text  C:\Windows\system32\DRIVERS\atikmdag.sys  section is writeable [0x8E604000, 0x2D5378, 0xE8000020]
.text  C:\Windows\system32\drivers\aksfridge.sys  section is writeable [0x9AE40000, 0x47E35, 0xE0000020]
.init  C:\Windows\system32\drivers\aksfridge.sys  entry point in ".init" section [0x9AE94224]
.init  C:\Windows\system32\drivers\aksfridge.sys  unknown last code section [0x9AE94000, 0x4000, 0xE20000E0]
.text  C:\Windows\system32\drivers\hardlock.sys  section is writeable [0x9AE98400, 0x7960C, 0xE8000020]
.protect˙˙˙˙hardlock  C:\Windows\system32\drivers\hardlock.sys  entry point in ".protect˙˙˙˙hardlock" section [0x9AF3A420]
.protect˙˙˙˙hardlock  C:\Windows\system32\drivers\hardlock.sys  unknown last code section [0x9AF3A200, 0x5049, 0xE0000020]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[1572] ntdll.dll!LdrGetProcedureAddress + 26  776D22A9 7 Bytes  JMP 634CB780 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1572] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D  775D941E 7 Bytes  JMP 63D06EDA C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1572] kernel32.dll!QueryPerformanceCounter + 13  775DC425 7 Bytes  JMP 63D06EFD C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1572] kernel32.dll!LoadAppInitDlls + 355  775DF4E6 7 Bytes  JMP 634D0836 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[1572] GDI32.dll!GetViewportOrgEx + 26C  7785884B 7 Bytes  JMP 63D06E5B C:\Program Files\Mozilla Firefox\xul.dll

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [741624CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [7414562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [741456EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [74162546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [741585AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [74154D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [74155105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [741551DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [74156707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [74158301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [74158850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [741590B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [7415E254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2688] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [74154C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

---- Devices - GMER 2.1 ----

Device  \Driver\Disk \Device\Harddisk0\DR0  aksfridge.sys
Device  \Driver\Disk \Device\Harddisk1\DR1  aksfridge.sys
Device  \Driver\Disk \Device\Harddisk2\DR4  aksfridge.sys

AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001b10000e57
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@b0d09c0dc960  0x6F 0x9C 0x08 0x7E ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@b8d9ce5a6987  0x4A 0x95 0xD0 0xEB ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@0023f10330e3  0x69 0xA7 0xC6 0x8F ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@44f459d8fe79  0x3C 0xB8 0xB0 0xE0 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@001df680cce1  0x65 0xCE 0x0C 0x4F ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@5c3c271c92c9  0x48 0xC5 0x7B 0x4C ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002215668f74@58170c92cec2  0xC1 0x23 0xA6 0x65 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001b10000e57 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@b0d09c0dc960  0x6F 0x9C 0x08 0x7E ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@b8d9ce5a6987  0x4A 0x95 0xD0 0xEB ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@0023f10330e3  0x69 0xA7 0xC6 0x8F ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@44f459d8fe79  0x3C 0xB8 0xB0 0xE0 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@001df680cce1  0x65 0xCE 0x0C 0x4F ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@5c3c271c92c9  0x48 0xC5 0x7B 0x4C ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002215668f74@58170c92cec2  0xC1 0x23 0xA6 0x65 ...

---- EOF - GMER 2.1 ----