GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-16 01:00:47
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 MAXTOR_STM3250310AS rev.4.AAA 232,88GB
Running: 53678zr4.exe; Driver: C:\Users\wiekoo\AppData\Local\Temp\uxtiqpog.sys


---- Kernel code sections - GMER 2.0 ----

init   C:\Windows\system32\drivers\mpfilt.sys        entry point in "init" section [0x8D3C02A0]
PAGE   spsys.sys!?SPVersion@@3PADA + 1ABF            9E64E03F 110 Bytes  [8B, FF, 55, 8B, EC, 8B, 45, ...]
PAGE   spsys.sys!?SPVersion@@3PADA + 1B2F            9E64E0AF 1 Byte  [16]
PAGE   spsys.sys!?SPVersion@@3PADA + 1B2F            9E64E0AF 128 Bytes  [16, 3B, C8, 75, E2, B0, 01, ...]
PAGE   spsys.sys!?SPVersion@@3PADA + 1BB0            9E64E130 6 Bytes  [0E, 83, 78, 14, 01, 75]
PAGE   spsys.sys!?SPVersion@@3PADA + 1BB7            9E64E137 2298 Bytes  [83, 78, 18, 37, 75, 02, B3, ...]
PAGE   ...
.text  C:\Windows\system32\DRIVERS\atksgt.sys        section is writeable [0x9E6D4300, 0x3B6D8, 0xE8000020]
.text  C:\Windows\system32\DRIVERS\lirsgt.sys        section is writeable [0x9E719300, 0x1BEE, 0xE8000020]

---- User IAT/EAT - GMER 2.0 ----

IAT    C:\Program Files\Aston2\Aston2.exe[2288] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrGetProcedureAddress]   [004118C0] C:\Program Files\Aston2\Aston2.exe (Aston2 Core/Gladiators Software)
IAT    C:\Program Files\Aston2\Aston2.exe[2288] @ C:\Windows\system32\kernel32.dll [ntdll.dll!LdrLoadDll]               [00411910] C:\Program Files\Aston2\Aston2.exe (Aston2 Core/Gladiators Software)
IAT    C:\Program Files\Aston2\Aston2.exe[2288] @ C:\Windows\system32\SHELL32.dll [USER32.dll!TranslateAcceleratorW]    [00405D70] C:\Program Files\Aston2\Aston2.exe (Aston2 Core/Gladiators Software)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusShutdown]                [740C7817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCloneImage]                 [7410B4E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDrawImageRectI]             [740CBB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetInterpolationMode]       [740BF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdiplusStartup]                 [740C75E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateFromHDC]              [740BE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [740F73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipCreateBitmapFromStream]     [740CDA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageHeight]             [740BFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipGetImageWidth]              [740BFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDisposeImage]               [740B71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFileICM]       [7414CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipLoadImageFromFile]          [740EC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipDeleteGraphics]             [740BD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipFree]                       [740B6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipAlloc]                      [740B687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\Windows\Explorer.exe[3848] @ C:\Windows\Explorer.exe [gdiplus.dll!GdipSetCompositingMode]         [740C2AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18581_none_9e591052ca1013d0\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Registry - GMER 2.0 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0        1
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12     0x0C 0xA8 0x49 0xB8 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0        0x00 0x00 0x00 0x00 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0        0
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh     0x1D 0x62 0x9E 0x55 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh          0xB8 0xAF 0xAB 0x42 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40
Reg    HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh    0x6D 0x56 0x1D 0x46 ...
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0        1
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12     0x0C 0xA8 0x49 0xB8 ...
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0        0x00 0x00 0x00 0x00 ...
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0        0
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh     0x1D 0x62 0x9E 0x55 ...
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001 (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001@khjeh          0xB8 0xAF 0xAB 0x42 ...
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40 (not active ControlSet)
Reg    HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4\00000001\0Jf40@khjeh    0x6D 0x56 0x1D 0x46 ...
Reg    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG11.00.00.01WORKSTATION
Reg    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL

---- EOF - GMER 2.0 ----