GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-11-01 13:17:16 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AC1 465,76GB Running: xxsh6nrc.exe; Driver: C:\Users\Misiek\AppData\Local\Temp\kwldrpob.sys ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwSaveKey + 13D1 83C79369 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83CB2D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text C:\windows\system32\DRIVERS\atksgt.sys section is writeable [0xA0773300, 0x3B6D8, 0xE8000020] .text C:\windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA07CF300, 0x1BEE, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Programy\ESET NOD32 Antivirus\ekrn.exe[1752] kernel32.dll!SetUnhandledExceptionFilter 75DCF4FB 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[3084] kernel32.dll!SetUnhandledExceptionFilter 75DCF4FB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} ---- User IAT/EAT - GMER 2.1 ---- IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73B52437] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73B35600] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73B356BE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B524B2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73B48514] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73B44CC8] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73B4506F] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73B45144] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73B46671] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73B4826B] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73B487BA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73B4901B] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73B4E1BE] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\windows\Explorer.EXE[668] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73B44BFA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00158344e1f3 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654edff Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f493 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b654f652 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b6b1d969 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0026b6b1d969@00181308d8c0 0x41 0x57 0x44 0xC6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x16 0x31 0xAF 0xA2 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3D 0x28 0xD6 0xDB ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00158344e1f3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654edff (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f493 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b654f652 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b6b1d969 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0026b6b1d969@00181308d8c0 0x41 0x57 0x44 0xC6 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x16 0x31 0xAF 0xA2 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x3D 0x28 0xD6 0xDB ... Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{71FB004E-E6CE-11DE-A402-806E6F6E6963} 13689247232 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----