GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-06 23:14:40
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 Hitachi_HDT721032SLA360 rev.ST2OA3AA
Running: uixoxsbn.exe; Driver: C:\Users\Ania\AppData\Local\Temp\pxldrpow.sys

---- System - GMER 1.0.15 ----

SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS ZwTerminateProcess [0x8E96D620]

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!KeSetTimerEx + 854 81EF2E78 4 Bytes [20, D6, 96, 8E]
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8DE01000, 0x2D5046, 0xE8000020]
.text smb.sys 8E8D1000 9 Bytes [00, 00, 00, 00, 00, 00, 33, ...]
.text smb.sys 8E8D100A 30 Bytes [00, CC, CC, CC, CC, CC, 8B, ...]
.text smb.sys 8E8D1029 137 Bytes [6A, 09, 89, 70, 0C, 89, 48, ...]
.text smb.sys 8E8D10B4 37 Bytes [83, C0, 04, 6A, 00, 50, E8, ...]
.text smb.sys 8E8D10DA 11 Bytes [00, 50, 6A, 00, FF, 15, 6C, ...] {ADD [EAX+0x6a], DL; ADD BH, BH; ADC EAX, 0x8e8db16c; RET }
.text ...
? C:\Windows\system32\DRIVERS\smb.sys suspicious PE modification

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\smb.sys[HAL.dll!KfLowerIrql] 8D9FCC8E
IAT \SystemRoot\system32\DRIVERS\smb.sys[HAL.dll!KeGetCurrentIrql] 0015FF8E
IAT \SystemRoot\system32\DRIVERS\smb.sys[HAL.dll!KfRaiseIrql] C28E8DB1

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74408864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74449855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7440B984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [743FFB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74407A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [743FEA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7443B12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7440BC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74400756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [744006BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [743F71B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7448D9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [74427329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [743FE109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [743F697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [743F69A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[3720] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74402475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\usbhub \Device\0000005a hcmon.sys
Device \Driver\usbhub \Device\0000005b hcmon.sys
Device \Driver\usbhub \Device\0000005c hcmon.sys
Device \Driver\usbhub \Device\0000005d hcmon.sys
Device \Driver\usbhub \Device\0000005e hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-0 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-1 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-2 hcmon.sys
Device \Driver\usbuhci \Device\USBFDO-3 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-4 hcmon.sys

---- Threads - GMER 1.0.15 ----

Thread System [4:3224] 9C534540
Thread System [4:3228] 9C534540

---- Files - GMER 1.0.15 ----

File C:\Windows\$NtUninstallKB12850$\1832820979 0 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\@ 2048 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\L 0 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\L\qnbwvoto 66560 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\loader.tlb 2632 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\U 0 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\U\@00000001 45968 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\U\@000000c0 2560 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\U\@000000cb 3072 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\U\@000000cf 1536 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\U\@80000000 73216 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\U\@800000c0 43520 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\U\@800000cb 25600 bytes
File C:\Windows\$NtUninstallKB12850$\1832820979\U\@800000cf 31232 bytes
File C:\Windows\$NtUninstallKB12850$\4220266113 0 bytes

---- EOF - GMER 1.0.15 ----