GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-06-18 23:07:57
Windows 6.1.7600
Running: 7uvbyz51.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\pwddifow.sys

---- System - GMER 1.0.15 ----

SSDT 85EE3790 ZwAlertResumeThread
SSDT 85EE2090 ZwAlertThread
SSDT 85EE0F30 ZwAllocateVirtualMemory
SSDT 85C053B0 ZwAlpcConnectPort
SSDT 85EE6048 ZwAssignProcessToJobObject
SSDT 85EE4180 ZwCreateMutant
SSDT 85EE8918 ZwCreateSymbolicLinkObject
SSDT 85EDED30 ZwCreateThread
SSDT 85EE8C68 ZwCreateThreadEx
SSDT 85EE6180 ZwDebugActiveProcess
SSDT 85EDE700 ZwDuplicateObject
SSDT 85EE0A10 ZwFreeVirtualMemory
SSDT 85EE48D0 ZwImpersonateAnonymousToken
SSDT 85EE4C10 ZwImpersonateThread
SSDT 85D16540 ZwLoadDriver
SSDT 85EE08B0 ZwMapViewOfSection
SSDT 85EE4048 ZwOpenEvent
SSDT 85EDE960 ZwOpenProcess
SSDT 85E85048 ZwOpenProcessToken
SSDT 85EE6E08 ZwOpenSection
SSDT 85EDE810 ZwOpenThread
SSDT 85EE72B0 ZwProtectVirtualMemory
SSDT 85EE2910 ZwResumeThread
SSDT 85EB2048 ZwSetContextThread
SSDT 85EE06E0 ZwSetInformationProcess
SSDT 85EE6C80 ZwSetSystemInformation
SSDT 85EE5440 ZwSuspendProcess
SSDT 85EDE580 ZwSuspendThread
SSDT 85E83048 ZwTerminateProcess
SSDT 85EDD268 ZwTerminateThread
SSDT 85EA2050 ZwUnmapViewOfSection
SSDT 85EE0CA0 ZwWriteVirtualMemory

INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83238AF8
INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83238104
INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832383F4
INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83220FB4
INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832381DC
INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83238958
INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832386F8
INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83238F2C
INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 832391A8

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82E51599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82E75F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!RtlSidHashLookup + 224 82E7D734 8 Bytes [90, 37, EE, 85, 90, 20, EE, ...]
.text ntkrnlpa.exe!RtlSidHashLookup + 23C 82E7D74C 4 Bytes [30, 0F, EE, 85]
.text ntkrnlpa.exe!RtlSidHashLookup + 248 82E7D758 4 Bytes [B0, 53, C0, 85]
.text ntkrnlpa.exe!RtlSidHashLookup + 29C 82E7D7AC 4 Bytes [48, 60, EE, 85]
.text ntkrnlpa.exe!RtlSidHashLookup + 318 82E7D828 4 Bytes [80, 41, EE, 85] {ADD BYTE [ECX-0x12], 0x85}
.text ...
.text peauth.sys A3834C9D 28 Bytes [D5, 05, 88, 19, 39, 70, 0E, ...]
.text peauth.sys A3834CC1 28 Bytes [D5, 05, 88, 19, 39, 70, 0E, ...]

---- User code sections - GMER 1.0.15 ----

.text C:\Windows\Explorer.EXE[2256] SHELL32.dll!SHFileOperationW 76659708 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [74652494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74635624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [746356E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7465250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74648573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74644D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [746450CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [746451A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [746466D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [746482CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74648819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7464907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7464E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[2256] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74644C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\tdx \Device\Tcp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
Device \Driver\ACPI_HAL \Device\00000066 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice \Driver\tdx \Device\Udp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\tdx \Device\RawIp SYMTDIV.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\eventlog\Application@Sources MSDMine?DfSdk
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x93 0x81 0x5E 0x96 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x18 0x31 0x5E 0x0C ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x21 0x3E 0xF0 0xE1 ...
Reg HKLM\SYSTEM\ControlSet002\services\eventlog\Application@Sources MSDMine?DfSdk
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x93 0x81 0x5E 0x96 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x18 0x31 0x5E 0x0C ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0x21 0x3E 0xF0 0xE1 ...
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 61: malicious code @ sector 0x12a14c00 size 0x2c3

---- EOF - GMER 1.0.15 ----