GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-16 12:07:13 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HM641JI rev.2AJ10001 596,17GB Running: hjwjs57m.exe; Driver: C:\Users\Krzysiek\AppData\Local\Temp\uwkdruod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8E917F80] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8E918040] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8E918000] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8E917FC0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 8327FA15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832B9212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1203 832C0598 4 Bytes [80, 7F, 91, 8E] {CMP BYTE [EDI-0x6f], 0x8e} .text ntkrnlpa.exe!KeRemoveQueueEx + 1314 832C06A9 3 Bytes [80, 91, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 161F 832C09B4 4 Bytes [00, 80, 91, 8E] .text ntkrnlpa.exe!KeRemoveQueueEx + 1667 832C09FC 4 Bytes [C0, 7F, 91, 8E] {SAR BYTE [EDI-0x6f], 0x8e} .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x88932B2E] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8FE05000, 0x2BFBF0, 0xE8000020] ? C:\Windows\System32\Drivers\aam0t9sq.SYS suspicious PE modification .text autochk.exe 004511D1 5 Bytes [8B, E5, 5D, C2, 08] .text autochk.exe 004511D7 22 Bytes [CC, CC, CC, CC, CC, CC, CC, ...] .text autochk.exe 004511EE 27 Bytes [74, 12, 8B, 4D, 0C, 51, 8B, ...] .text autochk.exe 0045120A 23 Bytes [CC, CC, CC, CC, CC, CC, 55, ...] .text autochk.exe 00451222 25 Bytes [00, 74, 04, 33, C0, EB, 5C, ...] .text ... ? C:\Windows\System32\autochk.exe Odmowa dostępu. 
---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[2004] kernel32.dll!SetUnhandledExceptionFilter 772DF5AB 4 Bytes [C2, 04, 00, 00] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [740024CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73FE562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73FE56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [74002546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73FF85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73FF4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73FF5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73FF51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE 
[gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73FF6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73FF8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73FF8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73FF90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73FFE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll IAT C:\Windows\Explorer.EXE[112] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73FF4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 850A41E8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys ACPI.sys halmacpi.dll >>UNKNOWN [0x850a01e8]<< 850a01e8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x85f3e030] 85f3e030 Trace 3 CLASSPNP.SYS[890f159e] -> nt!IofCallDriver -> [0x85104918] 85104918 Trace 5 ACPI.sys[8895f3d4] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x85e32030] 85e32030 Trace \Driver\atapi[0x85e18c48] -> IRP_MJ_CREATE -> 0x850a01e8 850a01e8 ---- Threads - GMER 2.1 ---- Thread System [4:768] 874CCE70 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e840ebc Reg 
HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e840ebc@002403bcf589 0x8D 0xBC 0xE3 0x8D ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e840ebc@444e1a183ab7 0xE2 0x29 0x2F 0x62 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e840ebc@001fe3ff7f4a 0x27 0x09 0x08 0x66 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e840ebc@b0899182804a 0xA1 0x5D 0x96 0x20 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e840ebc@bc20a46f3168 0x3B 0x67 0x59 0x19 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFF 0x31 0x26 0x9C ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x58 0x04 0xFD 0xE5 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDD 0xE9 0x7D 0x63 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA1 0x52 0x3B 0x96 ... 
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e840ebc (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e840ebc@002403bcf589 0x8D 0xBC 0xE3 0x8D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e840ebc@444e1a183ab7 0xE2 0x29 0x2F 0x62 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e840ebc@001fe3ff7f4a 0x27 0x09 0x08 0x66 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e840ebc@b0899182804a 0xA1 0x5D 0x96 0x20 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e840ebc@bc20a46f3168 0x3B 0x67 0x59 0x19 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xFF 0x31 0x26 0x9C ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x58 0x04 0xFD 0xE5 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xDD 0xE9 0x7D 0x63 ... 
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xA1 0x52 0x3B 0x96 ...