GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2013-01-14 15:31:42
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0003
Running: y3mfo3cv.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwCreateThread [0x8C13A7F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwLoadDriver [0x8C13A8B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSystemInformation [0x8C13A870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSystemDebugControl [0x8C13A830]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwCreateKey [0x8304FFCE]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304FFCE] ZwCreateKey [0x8304FFCE]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteKey [0x8304FFD8]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304FFD8] ZwDeleteKey [0x8304FFD8]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwDeleteValueKey [0x8304FFC9]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304FFC9] ZwDeleteValueKey [0x8304FFC9]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateKey [0x8304FFDD]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304FFDD] ZwEnumerateKey [0x8304FFDD]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwEnumerateValueKey [0x8304FFE2]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304FFE2] ZwEnumerateValueKey [0x8304FFE2]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwOpenKey [0x8304FFF1]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304FFF1] ZwOpenKey [0x8304FFF1]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryKey [0x8304FFEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304FFEC] ZwQueryKey [0x8304FFEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwQueryValueKey [0x8304FFE7]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304FFE7] ZwQueryValueKey [0x8304FFE7]
SSDT \SystemRoot\system32\ntkrnlpa.exe (NT Kernel & System/Microsoft Corporation) ZwSetValueKey [0x8304FFD3]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [8304FFD3] ZwSetValueKey [0x8304FFD3]

INT 0x03 \SystemRoot\system32\ntkrnlpa.exe[unknown section] 8304FFFB

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 8308D339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830C6D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11BF 830CDEB4 3 Bytes [CE, FF, 04]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 830CDEF8 4 Bytes [F0, A7, 13, 8C]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1243 830CDF38 3 Bytes [D8, FF, 04]
.text ntkrnlpa.exe!KeRemoveQueueEx + 124F 830CDF44 3 Bytes [C9, FF, 04]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1277 830CDF6C 3 Bytes [DD, FF, 04]
.text ...
.text C:\Windows\system32\DRIVERS\atipmdag.sys section is writeable [0x92034000, 0x2D2B8A, 0xE8000020]
.text C:\Windows\system32\drivers\aksfridge.sys section is writeable [0xA096A000, 0x44527, 0xE0000020]
.init C:\Windows\system32\drivers\aksfridge.sys entry point in ".init" section [0xA09BC224]
.init C:\Windows\system32\drivers\aksfridge.sys unknown last code section [0xA09BC000, 0x7000, 0xE20000E0]
PAGE peauth.sys A7C44E20 101 Bytes [24, E8, B7, 98, 3D, 9D, 13, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[2604] kernel32.dll!SetUnhandledExceptionFilter 76D03D01 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Real\RealPlayer\Update\realsched.exe[2792] kernel32.dll!SetUnhandledExceptionFilter 76D03D01 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74222437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74205600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [742056BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [742224B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74218514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74214CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7421506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [74215144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [74216671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7421826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [742187BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7421901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7421E1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1752] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74214BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe[4676] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe[4676] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe[4676] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe[4676] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\PROGRA~1\COMMON~1\INSTAL~1\UPDATE~1\agent.exe[4676] @ C:\Windows\system32\wininet.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[5812] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[5812] @ C:\Windows\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[5812] @ C:\Windows\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)
IAT C:\Program Files\Common Files\InstallShield\UpdateService\issch.exe[5812] @ C:\Windows\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [7559FFF6] C:\Windows\system32\apphelp.dll (Biblioteka klienta zgodności aplikacji/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 VMkbd.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 VMkbd.sys
Device \Driver\usbehci \Device\USBPDO-0 hcmon.sys
Device \Driver\usbehci \Device\USBPDO-1 hcmon.sys
Device \Driver\usbhub \Device\USBPDO-2 hcmon.sys
Device \Driver\usbhub \Device\USBPDO-3 hcmon.sys
Device \Driver\usbhub \Device\USBPDO-4 hcmon.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000066 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume4 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
Device \Driver\usbhub \Device\00000083 hcmon.sys
Device \Driver\usbhub \Device\00000084 hcmon.sys
Device \Driver\usbhub \Device\00000089 hcmon.sys
Device \Driver\Disk \Device\Harddisk0\DR0 aksfridge.sys (Ancillary Function Driver/Aladdin Knowledge Systems Ltd.)
Device \Driver\usbehci \Device\USBFDO-0 hcmon.sys
Device \Driver\usbehci \Device\USBFDO-1 hcmon.sys
Device \Driver\S7opcsrtx \Device\S7opcsrtx A7C24C40
Device \Driver\usbhub \Device\0000008a hcmon.sys

---- Threads - GMER 1.0.15 ----

Thread System [4:3096] 98F15E70
Thread System [4:3248] 98F15E70
Thread System [4:3460] 98F15E70

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\CD46DF2F72875CB4@Count 0x34 0x00 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\CD46DF2F72875CB4@DateTime 0xFB 0xC0 0xF3 0xA7 ...

---- EOF - GMER 1.0.15 ----