GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-06-03 10:36:42
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1637GSX rev.DL030M
Running: wgulzsdw.exe; Driver: C:\Users\Robert\AppData\Local\Temp\uwliqpow.sys

---- System - GMER 1.0.15 ----

SSDT  875B8756  ZwCreateSection
SSDT  875B8760  ZwRequestWaitReplyPort
SSDT  875B875B  ZwSetContextThread
SSDT  875B8765  ZwSetSecurityObject
SSDT  875B876A  ZwSystemDebugControl
SSDT  875B86F7  ZwTerminateProcess
SSDT  \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)  ZwCreateKey [0x81E1BFEC]
SSDT  \SystemRoot\system32\ntkrnlpa.exe[unknown section] [81E1BFEC]  ZwCreateKey [0x81E1BFEC]
SSDT  \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation)  ZwOpenKey [0x81E1BFF1]
SSDT  \SystemRoot\system32\ntkrnlpa.exe[unknown section] [81E1BFF1]  ZwOpenKey [0x81E1BFF1]

INT 0x03  \SystemRoot\system32\ntkrnlpa.exe[unknown section]  81E1BFFB
INT 0x06  \??\C:\Windows\system32\drivers\Haspnt.sys  9B7C816D
INT 0x0E  \??\C:\Windows\system32\drivers\Haspnt.sys  9B7C7FC2

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!KeSetEvent + 1E9  81EC78AC 4 Bytes  [EC, BF, E1, 81]
.text  ntkrnlpa.exe!KeSetEvent + 215  81EC78D8 4 Bytes  [56, 87, 5B, 87] {PUSH ESI; XCHG [EBX-0x79], EBX}
.text  ntkrnlpa.exe!KeSetEvent + 3DD  81EC7AA0 4 Bytes  [F1, BF, E1, 81]
.text  ntkrnlpa.exe!KeSetEvent + 539  81EC7BFC 4 Bytes  [60, 87, 5B, 87] {PUSHA ; XCHG [EBX-0x79], EBX}
.text  ntkrnlpa.exe!KeSetEvent + 56D  81EC7C30 4 Bytes  [5B, 87, 5B, 87] {POP EBX; XCHG [EBX-0x79], EBX}
.text  ...
.text  C:\Windows\system32\DRIVERS\tos_sps32.sys  section is writeable [0x86753000, 0x4036D, 0xE8000020]
.dsrt  C:\Windows\system32\DRIVERS\tos_sps32.sys  unknown last section [0x8679C000, 0x510, 0x40000040]
.text  C:\Windows\system32\DRIVERS\aksfridge.sys  section is writeable [0x9D205000, 0x49C57, 0xE0000020]
.init  C:\Windows\system32\DRIVERS\aksfridge.sys  entry point in ".init" section [0x9D25C224]
.init  C:\Windows\system32\DRIVERS\aksfridge.sys  unknown last code section [0x9D25C000, 0x4000, 0xE20000E0]
.text  C:\Windows\system32\drivers\hardlock.sys  section is writeable [0x9D260400, 0x6EED8, 0xE8000020]
.protect˙˙˙˙hardlock  C:\Windows\system32\drivers\hardlock.sys  entry point in ".protect˙˙˙˙hardlock" section [0x9D2EB020]
.protect˙˙˙˙hardlock  C:\Windows\system32\drivers\hardlock.sys  unknown last code section [0x9D2EAE00, 0x50BA, 0xE0000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [73927817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [7396B4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [7392BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [7391F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [739275E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [7391E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [739573F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]  [7392DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [7391FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [7391FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [739171CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]  [739ACAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]  [7394C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [7391D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [73916853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [7391687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[472] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [73922AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device  \Driver\partmgr \Device\PartmgrControl  aksfridge.sys (Ancillary Function Driver/SafeNet Inc.)
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----