GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-29 16:12:10
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 SAMSUNG_ rev.HH10
Running: gmer.exe; Driver: C:\Users\heniek\AppData\Local\Temp\ufdoykod.sys

---- System - GMER 1.0.15 ----

SSDT  909ECCC0  ZwAlertResumeThread
SSDT  909ECD80  ZwAlertThread
SSDT  909ED8C0  ZwAllocateVirtualMemory
SSDT  8E845E00  ZwAlpcConnectPort
SSDT  908203D0  ZwAssignProcessToJobObject
SSDT  909ECA70  ZwCreateMutant
SSDT  909EEDB8  ZwCreateSymbolicLinkObject
SSDT  909EC148  ZwCreateThread
SSDT  907FD0D0  ZwDebugActiveProcess
SSDT  909EBFC0  ZwDuplicateObject
SSDT  909EBBA8  ZwFreeVirtualMemory
SSDT  909ECB40  ZwImpersonateAnonymousToken
SSDT  909ECC00  ZwImpersonateThread
SSDT  8E3CF9D0  ZwLoadDriver
SSDT  909EBA48  ZwMapViewOfSection
SSDT  909EC9B0  ZwOpenEvent
SSDT  909EDCB0  ZwOpenProcess
SSDT  90786048  ZwOpenProcessToken
SSDT  8E377510  ZwOpenSection
SSDT  909EDBA0  ZwOpenThread
SSDT  90822E40  ZwProtectVirtualMemory
SSDT  909ECE40  ZwResumeThread
SSDT  90826048  ZwSetContextThread
SSDT  909EB830  ZwSetInformationProcess
SSDT  908D1C90  ZwSetSystemInformation
SSDT  909EC8F0  ZwSuspendProcess
SSDT  909ECF00  ZwSuspendThread
SSDT  9075FC48  ZwTerminateProcess
SSDT  909EB5F0  ZwTerminateThread
SSDT  907D1048  ZwUnmapViewOfSection
SSDT  909EBE78  ZwWriteVirtualMemory
SSDT  8E224308  ZwCreateThreadEx

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!KeSetEvent + 11D  82AB28A0 8 Bytes  [C0, CC, 9E, 90, 80, CD, 9E, ...] {ROR AH, 0x9e; NOP ; OR CH, 0x9e; NOP }
.text  ntkrnlpa.exe!KeSetEvent + 131  82AB28B4 4 Bytes  [C0, D8, 9E, 90] {RCR AL, 0x9e; NOP }
.text  ntkrnlpa.exe!KeSetEvent + 13D  82AB28C0 4 Bytes  [00, 5E, 84, 8E]
.text  ntkrnlpa.exe!KeSetEvent + 191  82AB2914 4 Bytes  [D0, 03, 82, 90]
.text  ntkrnlpa.exe!KeSetEvent + 1F5  82AB2978 4 Bytes  [70, CA, 9E, 90] {JO 0xffffffffffffffcc; SAHF ; NOP }
.text  ...

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [73C37817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [73C8A86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [73C3BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [73C2F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [73C375E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [73C2E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [73C68395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]  [73C3DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [73C2FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [73C2FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [73C271CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]  [73CBCAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]  [73C5C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [73C2D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [73C26853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [73C2687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [73C32AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[3004] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free]  [6C15F3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys (Dynamiczna struktura WDF/Microsoft Corporation)
AttachedDevice  \Driver\tdx \Device\Tcp  SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\tdx \Device\Udp  SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\tdx \Device\RawIp  SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\001e37a768ea (not active ControlSet)
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001e37a768ea
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001e37a768ea (not active ControlSet)
Reg  HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version
Reg  HKLM\SOFTWARE\Classes\CLSID\{BEB3C0C7-B648-4257-96D9-B5D024816E27}\Version@Version  0x9D 0x51 0x67 0x57 ...

---- EOF - GMER 1.0.15 ----