GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-01-09 03:49:04
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HM160HI rev.HH100-06 149,05GB
Running: 513ts556.exe; Driver: C:\DOCUME~1\TITANG~1\IMPOST~1\Temp\ugdcrkoc.sys


---- System - GMER 2.1 ----

SSDT    85C17B30    ZwAlertResumeThread
SSDT    85C17870    ZwAlertThread
SSDT    85E07710    ZwAllocateVirtualMemory
SSDT    861E14E8    ZwAssignProcessToJobObject
SSDT    86345E00    ZwConnectPort
SSDT    \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS    ZwCreateKey [0xA9FEDF50]
SSDT    862927A8    ZwCreateMutant
SSDT    85D45F60    ZwCreateSymbolicLinkObject
SSDT    862A0CD8    ZwCreateThread
SSDT    86319F20    ZwDebugActiveProcess
SSDT    \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS    ZwDeleteKey [0xA9FEE1D0]
SSDT    \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS    ZwDeleteValueKey [0xA9FEE890]
SSDT    85D279C0    ZwDuplicateObject
SSDT    861EAAD8    ZwFreeVirtualMemory
SSDT    85CFF6D0    ZwImpersonateAnonymousToken
SSDT    85CFF660    ZwImpersonateThread
SSDT    8606A668    ZwLoadDriver
SSDT    861EAA80    ZwMapViewOfSection
SSDT    85BF2360    ZwOpenEvent
SSDT    85D102F0    ZwOpenProcess
SSDT    85C17348    ZwOpenProcessToken
SSDT    86098578    ZwOpenSection
SSDT    85D193E8    ZwOpenThread
SSDT    85CF5A18    ZwProtectVirtualMemory
SSDT    \??\C:\WINDOWS\system32\drivers\avgtpx86.sys    ZwQueryValueKey [0xF77EC1D6]
SSDT    \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS    ZwRenameKey [0xA9FEEDF0]
SSDT    85C175B0    ZwResumeThread
SSDT    85C17428    ZwSetContextThread
SSDT    85E0AF80    ZwSetInformationProcess
SSDT    86191960    ZwSetSystemInformation
SSDT    \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS    ZwSetValueKey [0xA9FEEB10]
SSDT    85BE4358    ZwSuspendProcess
SSDT    85C17508    ZwSuspendThread
SSDT    860DDD80    ZwTerminateProcess
SSDT    85C17498    ZwTerminateThread
SSDT    85C173B8    ZwUnmapViewOfSection
SSDT    85DD7DB8    ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

.text    ntoskrnl.exe!ZwYieldExecution + C2    804E486C 4 Bytes    CALL B4D46685
.text    ntoskrnl.exe!ZwYieldExecution + 17A    804E4924 4 Bytes    [90, E8, FE, A9]
.text    ntoskrnl.exe!ZwYieldExecution + 276    804E4A20 4 Bytes    [E8, 93, D1, 85]
?        SYMDS.SYS    Impossibile trovare il file specificato. !
?        SYMEFA.SYS    Impossibile trovare il file specificato. !

---- User code sections - GMER 2.1 ----

.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] ntdll.dll!NtMapViewOfSection    7C91D51E 5 Bytes    JMP 003A0048
.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] ntdll.dll!NtTerminateThread    7C91DE7E 5 Bytes    JMP 00360050
.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] USER32.dll!CreateSystemThreads + 10A    7E3B17F2 7 Bytes    JMP 003A092C
.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] USER32.dll!DeviceEventWorker + 178    7E3DA270 7 Bytes    JMP 003A084A
.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] ADVAPI32.dll!OpenSCManagerW + A3    77F56FF8 7 Bytes    JMP 003A020E
.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] ADVAPI32.dll!LogonUserExW + 461    77F64A04 7 Bytes    JMP 003A012A
.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] ADVAPI32.dll!SystemFunction025 + 8D    77F64C61 7 Bytes    JMP 003A0682
.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] ADVAPI32.dll!SetServiceObjectSecurity + E3    77FA6E64 7 Bytes    JMP 003A059E
.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] ADVAPI32.dll!ChangeServiceConfigA + 193    77FA6FFC 7 Bytes    JMP 003A03D6
.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] ADVAPI32.dll!ChangeServiceConfig2W + 83    77FA720C 2 Bytes    JMP 003A02F2
.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] ADVAPI32.dll!ChangeServiceConfig2W + 86    77FA720F 4 Bytes    [3F, 88, EB, F9] {AAS ; MOV BL, CH; STC }
.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] ADVAPI32.dll!CreateServiceA + 193    77FA73A4 7 Bytes    JMP 003A04BA
.text    C:\Programmi\SAMSUNG\MagicKBD\MagicKBD.exe[176] ADVAPI32.dll!CreateServiceW + 103    77FA74AC 7 Bytes    JMP 003A0766
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] ntdll.dll!NtMapViewOfSection    7C91D51E 5 Bytes    JMP 003B0048
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] ntdll.dll!NtTerminateThread    7C91DE7E 5 Bytes    JMP 00370050
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] USER32.dll!CreateSystemThreads + 10A    7E3B17F2 7 Bytes    JMP 003B092C
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] USER32.dll!DeviceEventWorker + 178    7E3DA270 7 Bytes    JMP 003B084A
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] ADVAPI32.dll!OpenSCManagerW + A3    77F56FF8 7 Bytes    JMP 003B020E
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] ADVAPI32.dll!LogonUserExW + 461    77F64A04 7 Bytes    JMP 003B012A
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] ADVAPI32.dll!SystemFunction025 + 8D    77F64C61 7 Bytes    JMP 003B0682
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] ADVAPI32.dll!SetServiceObjectSecurity + E3    77FA6E64 7 Bytes    JMP 003B059E
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] ADVAPI32.dll!ChangeServiceConfigA + 193    77FA6FFC 7 Bytes    JMP 003B03D6
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] ADVAPI32.dll!ChangeServiceConfig2W + 83    77FA720C 2 Bytes    JMP 003B02F2
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] ADVAPI32.dll!ChangeServiceConfig2W + 86    77FA720F 4 Bytes    [40, 88, EB, F9] {INC EAX; MOV BL, CH; STC }
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] ADVAPI32.dll!CreateServiceA + 193    77FA73A4 7 Bytes    JMP 003B04BA
.text    C:\Programmi\SAMSUNG\MagicKBD\PerformanceManager.exe[204] ADVAPI32.dll!CreateServiceW + 103    77FA74AC 7 Bytes    JMP 003B0766
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] ntdll.dll!NtMapViewOfSection    7C91D51E 5 Bytes    JMP 003A0048
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] ntdll.dll!NtTerminateThread    7C91DE7E 5 Bytes    JMP 00360050
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] USER32.dll!CreateSystemThreads + 10A    7E3B17F2 7 Bytes    JMP 003A092C
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] USER32.dll!DeviceEventWorker + 178    7E3DA270 7 Bytes    JMP 003A084A
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] ADVAPI32.dll!OpenSCManagerW + A3    77F56FF8 7 Bytes    JMP 003A020E
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] ADVAPI32.dll!LogonUserExW + 461    77F64A04 7 Bytes    JMP 003A012A
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] ADVAPI32.dll!SystemFunction025 + 8D    77F64C61 7 Bytes    JMP 003A0682
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] ADVAPI32.dll!SetServiceObjectSecurity + E3    77FA6E64 7 Bytes    JMP 003A059E
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] ADVAPI32.dll!ChangeServiceConfigA + 193    77FA6FFC 7 Bytes    JMP 003A03D6
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] ADVAPI32.dll!ChangeServiceConfig2W + 83    77FA720C 2 Bytes    JMP 003A02F2
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] ADVAPI32.dll!ChangeServiceConfig2W + 86    77FA720F 4 Bytes    [3F, 88, EB, F9] {AAS ; MOV BL, CH; STC }
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] ADVAPI32.dll!CreateServiceA + 193    77FA73A4 7 Bytes    JMP 003A04BA
.text    C:\Programmi\Samsung\Samsung EDS\EDSAgent.exe[844] ADVAPI32.dll!CreateServiceW + 103    77FA74AC 7 Bytes    JMP 003A0766
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] ntdll.dll!NtMapViewOfSection    7C91D51E 5 Bytes    JMP 003B0048
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] ntdll.dll!NtTerminateThread    7C91DE7E 5 Bytes    JMP 00370050
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] ADVAPI32.dll!OpenSCManagerW + A3    77F56FF8 7 Bytes    JMP 003B020E
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] ADVAPI32.dll!LogonUserExW + 461    77F64A04 7 Bytes    JMP 003B012A
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] ADVAPI32.dll!SystemFunction025 + 8D    77F64C61 7 Bytes    JMP 003B0682
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] ADVAPI32.dll!SetServiceObjectSecurity + E3    77FA6E64 7 Bytes    JMP 003B059E
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] ADVAPI32.dll!ChangeServiceConfigA + 193    77FA6FFC 7 Bytes    JMP 003B03D6
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] ADVAPI32.dll!ChangeServiceConfig2W + 83    77FA720C 2 Bytes    JMP 003B02F2
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] ADVAPI32.dll!ChangeServiceConfig2W + 86    77FA720F 4 Bytes    [40, 88, EB, F9] {INC EAX; MOV BL, CH; STC }
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] ADVAPI32.dll!CreateServiceA + 193    77FA73A4 7 Bytes    JMP 003B04BA
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] ADVAPI32.dll!CreateServiceW + 103    77FA74AC 7 Bytes    JMP 003B0766
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] USER32.dll!CreateSystemThreads + 10A    7E3B17F2 7 Bytes    JMP 003B092C
.text    C:\Programmi\Samsung\Samsung Battery Manager\BatteryManager.exe[1936] USER32.dll!DeviceEventWorker + 178    7E3DA270 7 Bytes    JMP 003B084A
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] ntdll.dll!NtMapViewOfSection    7C91D51E 5 Bytes    JMP 003B0048
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] ntdll.dll!NtTerminateThread    7C91DE7E 5 Bytes    JMP 00370050
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] USER32.dll!CreateSystemThreads + 10A    7E3B17F2 7 Bytes    JMP 003B092C
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] USER32.dll!DeviceEventWorker + 178    7E3DA270 7 Bytes    JMP 003B084A
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] ADVAPI32.dll!OpenSCManagerW + A3    77F56FF8 7 Bytes    JMP 003B020E
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] ADVAPI32.dll!LogonUserExW + 461    77F64A04 7 Bytes    JMP 003B012A
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] ADVAPI32.dll!SystemFunction025 + 8D    77F64C61 7 Bytes    JMP 003B0682
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] ADVAPI32.dll!SetServiceObjectSecurity + E3    77FA6E64 7 Bytes    JMP 003B059E
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] ADVAPI32.dll!ChangeServiceConfigA + 193    77FA6FFC 7 Bytes    JMP 003B03D6
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] ADVAPI32.dll!ChangeServiceConfig2W + 83    77FA720C 2 Bytes    JMP 003B02F2
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] ADVAPI32.dll!ChangeServiceConfig2W + 86    77FA720F 4 Bytes    [40, 88, EB, F9] {INC EAX; MOV BL, CH; STC }
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] ADVAPI32.dll!CreateServiceA + 193    77FA73A4 7 Bytes    JMP 003B04BA
.text    C:\Programmi\Samsung\Easy Display Manager\dmhkcore.exe[1988] ADVAPI32.dll!CreateServiceW + 103    77FA74AC 7 Bytes    JMP 003B0766
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] ntdll.dll!NtMapViewOfSection    7C91D51E 5 Bytes    JMP 003B0048
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] ntdll.dll!NtTerminateThread    7C91DE7E 5 Bytes    JMP 00370050
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] ADVAPI32.dll!OpenSCManagerW + A3    77F56FF8 7 Bytes    JMP 003B020E
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] ADVAPI32.dll!LogonUserExW + 461    77F64A04 7 Bytes    JMP 003B012A
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] ADVAPI32.dll!SystemFunction025 + 8D    77F64C61 7 Bytes    JMP 003B0682
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] ADVAPI32.dll!SetServiceObjectSecurity + E3    77FA6E64 7 Bytes    JMP 003B059E
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] ADVAPI32.dll!ChangeServiceConfigA + 193    77FA6FFC 7 Bytes    JMP 003B03D6
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] ADVAPI32.dll!ChangeServiceConfig2W + 83    77FA720C 2 Bytes    JMP 003B02F2
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] ADVAPI32.dll!ChangeServiceConfig2W + 86    77FA720F 4 Bytes    [40, 88, EB, F9] {INC EAX; MOV BL, CH; STC }
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] ADVAPI32.dll!CreateServiceA + 193    77FA73A4 7 Bytes    JMP 003B04BA
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] ADVAPI32.dll!CreateServiceW + 103    77FA74AC 7 Bytes    JMP 003B0766
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] USER32.dll!CreateSystemThreads + 10A    7E3B17F2 7 Bytes    JMP 003B092C
.text    C:\Documents and Settings\tit angela\Desktop\513ts556.exe[2912] USER32.dll!DeviceEventWorker + 178    7E3DA270 7 Bytes    JMP 003B084A

---- Devices - GMER 2.1 ----

AttachedDevice    \Driver\Tcpip \Device\Ip    SYMTDI.SYS
AttachedDevice    \Driver\Kbdclass \Device\KeyboardClass0    SynTP.sys
AttachedDevice    \Driver\Kbdclass \Device\KeyboardClass1    SynTP.sys
AttachedDevice    \Driver\Tcpip \Device\Tcp    SYMTDI.SYS
AttachedDevice    \Driver\Tcpip \Device\Udp    SYMTDI.SYS
AttachedDevice    \Driver\Tcpip \Device\RawIp    SYMTDI.SYS
Device            mrxsmb.sys

---- Disk sectors - GMER 2.1 ----

Disk    \Device\Harddisk0\DR0    unknown MBR code

---- EOF - GMER 2.1 ----