GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-09-17 19:32:06
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0003
Running: zj55bqce.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0x8BDC07F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0x8BDC08B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0x8BDC0870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0x8BDC0830]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x8304BFCE]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304BFCE] ZwCreateKey [0x8304BFCE]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteKey [0x8304BFD8]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304BFD8] ZwDeleteKey [0x8304BFD8]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteValueKey [0x8304BFC9]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304BFC9] ZwDeleteValueKey [0x8304BFC9]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x8304BFDD]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304BFDD] ZwEnumerateKey [0x8304BFDD]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x8304BFE2]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304BFE2] ZwEnumerateValueKey [0x8304BFE2]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x8304BFF1]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304BFF1] ZwOpenKey [0x8304BFF1]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryKey [0x8304BFEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304BFEC] ZwQueryKey [0x8304BFEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryValueKey [0x8304BFE7]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304BFE7] ZwQueryValueKey [0x8304BFE7]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetValueKey [0x8304BFD3]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304BFD3] ZwSetValueKey [0x8304BFD3]

INT 0x03 \SystemRoot\system32\ntkrnlpa.exe[unknown section] 8304BFFB

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 83089339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830C2D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11BF 830C9EB4 3 Bytes [CE, BF, 04]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 830C9EF8 4 Bytes [F0, 07, DC, 8B]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1243 830C9F38 3 Bytes [D8, BF, 04]
.text ntkrnlpa.exe!KeRemoveQueueEx + 124F 830C9F44 3 Bytes [C9, BF, 04]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1277 830C9F6C 3 Bytes [DD, BF, 04]
.text ...
.text C:\Windows\system32\DRIVERS\atipmdag.sys section is writeable [0x92218000, 0x2D2B8A, 0xE8000020]
.text C:\Windows\system32\drivers\aksfridge.sys section is writeable [0xA38D0000, 0x44527, 0xE0000020]
.init C:\Windows\system32\drivers\aksfridge.sys entry point in ".init" section [0xA3922224]
.init C:\Windows\system32\drivers\aksfridge.sys unknown last code section [0xA3922000, 0x7000, 0xE20000E0]
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 A9C97000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 A9C97123 629 Bytes [25, C9, A9, FE, 05, 34, 25, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 A9C97399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F A9C973FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 543B A9C974AB 2228 Bytes [8B, FF, 55, 8B, EC, FF, 75, ...]
PAGE ...

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[2672] kernel32.dll!SetUnhandledExceptionFilter 76593D01 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[5628] ntdll.dll!LdrGetProcedureAddress + 26 775222B3 7 Bytes JMP 64900C00 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5628] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76588996 7 Bytes JMP 64B37B29 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5628] kernel32.dll!GetEnvironmentStringsA + 11 76592FB1 7 Bytes JMP 64B37B4C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5628] kernel32.dll!BaseThreadInitThunk + C9 76593CFC 7 Bytes JMP 64903FAC C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[5628] GDI32.dll!GetViewportOrgEx + 26C 75A7884B 7 Bytes JMP 64B37AAA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74152437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74135600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [741356BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [741524B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74148514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74144CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7414506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74145144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74146671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7414826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [741487BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7414901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7414E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1700] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74144BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 VMkbd.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 VMkbd.sys
Device \Driver\usbehci \Device\USBPDO-0 hcmon.sys
Device \Driver\usbehci \Device\USBPDO-1 hcmon.sys
Device \Driver\usbhub \Device\USBPDO-2 hcmon.sys
Device \Driver\usbhub \Device\USBPDO-3 hcmon.sys
Device \Driver\usbhub \Device\USBPDO-4 hcmon.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000066 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\usbhub \Device\00000083 hcmon.sys
Device \Driver\usbhub \Device\00000084 hcmon.sys
Device \Driver\usbhub \Device\00000089 hcmon.sys
Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\usbehci \Device\USBFDO-0 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-1 hcmon.sys
Device \Driver\S7opcsrtx \Device\S7opcsrtx_{BA2E098D-EF3F-4DB4-9FD0-5C73BE625ADC} A9CFDC40
Device \Driver\S7opcsrtx \Device\S7opcsrtx A9CFDC40
Device \Driver\usbhub \Device\0000008a hcmon.sys

---- Threads - GMER 1.0.15 ----

Thread System [4:4024] 81FF2E70
Thread System [4:4040] 81FF2E70
Thread System [4:4056] 81FF2E70
Thread System [4:4152] A9CA4F2E

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{0C447F95-2947-4FFA-A89A-7780DFA6A0B7}\Connection@Name isatap.{EFE6C788-82A1-4431-AF34-A292E8561673}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{D53ED90A-3539-42C3-BA0D-63339676E85A}?\Device\{0C447F95-2947-4FFA-A89A-7780DFA6A0B7}?\Device\{47E0FF7D-7844-4789-BA4F-EACE66CDC0D1}?\Device\{8653248D-30DA-4DF2-AFC5-ED2AA8B78E8C}?\Device\{7ADCC01F-FEB4-4A88-BABF-6062559709CF}?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{D53ED90A-3539-42C3-BA0D-63339676E85A}"?"{0C447F95-2947-4FFA-A89A-7780DFA6A0B7}"?"{47E0FF7D-7844-4789-BA4F-EACE66CDC0D1}"?"{8653248D-30DA-4DF2-AFC5-ED2AA8B78E8C}"?"{7ADCC01F-FEB4-4A88-BABF-6062559709CF}"?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{D53ED90A-3539-42C3-BA0D-63339676E85A}?\Device\TCPIP6TUNNEL_{0C447F95-2947-4FFA-A89A-7780DFA6A0B7}?\Device\TCPIP6TUNNEL_{47E0FF7D-7844-4789-BA4F-EACE66CDC0D1}?\Device\TCPIP6TUNNEL_{8653248D-30DA-4DF2-AFC5-ED2AA8B78E8C}?\Device\TCPIP6TUNNEL_{7ADCC01F-FEB4-4A88-BABF-6062559709CF}?
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{0C447F95-2947-4FFA-A89A-7780DFA6A0B7}@InterfaceName isatap.{EFE6C788-82A1-4431-AF34-A292E8561673}
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{0C447F95-2947-4FFA-A89A-7780DFA6A0B7}@ReusableType 0
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 5627
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\CD46DF2F72875CB4@Count 0x34 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\CD46DF2F72875CB4@DateTime 0xFB 0xC0 0xF3 0xA7 ...

---- EOF - GMER 1.0.15 ----