GMER 2.1.19355 - http://www.gmer.net
Rootkit scan 2014-01-25 14:29:40
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 298,09GB
Running: 3wunt1w5.exe; Driver: C:\Users\damian\AppData\Local\Temp\awrdrpog.sys

---- System - GMER 2.1 ----
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8DC017F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8DC018B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8DC01870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8DC01830]

---- Kernel code sections - GMER 2.1 ----
.text ntoskrnl.exe!ZwRollbackEnlistment + 1409 840439A5 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 84063512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 14CB 8406AAC0 4 Bytes [F0, 17, C0, 8D]
.text ntoskrnl.exe!KeRemoveQueueEx + 15DB 8406ABD0 4 Bytes [B0, 18, C0, 8D]
.text ntoskrnl.exe!KeRemoveQueueEx + 18E7 8406AEDC 4 Bytes [70, 18, C0, 8D]
.text ntoskrnl.exe!KeRemoveQueueEx + 192F 8406AF24 4 Bytes [30, 18, C0, 8D]
.text C:\windows\system32\DRIVERS\atikmdag.sys section is writeable [0x96419000, 0x2BFBF0, 0xE8000020]
.text C:\windows\system32\DRIVERS\atksgt.sys section is writeable [0x94E2B300, 0x3B6D8, 0xE8000020]
.text C:\windows\system32\DRIVERS\lirsgt.sys section is writeable [0x95FF7300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 2.1 ----
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[664] kernel32.dll!SetUnhandledExceptionFilter 763DF4EB 4 Bytes [C2, 04, 00, 00]

---- User IAT/EAT - GMER 2.1 ----
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73E924CB] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73E7562E] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73E756EC] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [73E92546] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73E885AA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73E84D5E] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73E85105] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73E851DA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73E86707] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73E88301] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73E88850] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73E890B1] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73E8E254] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT C:\windows\Explorer.EXE[2648] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73E84C90] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll

---- Devices - GMER 2.1 ----
Device Ntfs.sys
Device \Driver\volmgr \Device\VolMgrControl fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume1 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume2 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume3 fltsrv.sys
Device \Driver\volmgr \Device\HarddiskVolume4 fltsrv.sys
Device \Driver\partmgr \Device\PartmgrControl fltsrv.sys
Device \Driver\Disk \Device\Harddisk0\DR0 fltsrv.sys
Device \Driver\rdyboost \Device\RdyBoost fltsrv.sys

---- Threads - GMER 2.1 ----
Thread System [4:1004] 89820540

---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\002269e276d4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\002269e276d8 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\00242cf91ac0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x61 0x00 0x5E 0xE1 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x76 0x8C 0x2B 0x7B ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x21 0x7C 0xB7 0xE0 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x35 0xE5 0xAC 0x08 ...
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet001\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq2@hdf12 0x6D 0x36 0x8A 0xC2 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269e276d4
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002269e276d8
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00242cf91ac0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDF 0xE5 0xC0 0x88 ...
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\002269e276d4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\002269e276d8 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\00242cf91ac0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDF 0xE5 0xC0 0x88 ...

---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----