GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-23 09:35:30
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 SAMSUNG_HM250HI rev.2AC101C4 232,88GB
Running: d5n85swj.exe; Driver: C:\Users\ADMINH~1\AppData\Local\Temp\aftcaaob.sys

---- System - GMER 2.1 ----

SSDT      \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwNotifyChangeKey [0x8FBE76E0]
SSDT      \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwNotifyChangeMultipleKeys [0x8FBE7800]
SSDT      \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwOpenProcess [0x8FBE7010]
SSDT      \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwOpenThread [0x8FBE74D0]
SSDT      \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwSuspendProcess [0x8FBE7300]
SSDT      \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwSuspendThread [0x8FBE73E0]
SSDT      \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwTerminateProcess [0x8FBE7120]
SSDT      \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwTerminateThread [0x8FBE7210]
SSDT      \SystemRoot\system32\DRIVERS\avgidsshimx.sys  ZwWriteVirtualMemory [0x8FBE75E0]
SSDT      \SystemRoot\system32\ntkrnlpa.exe  ZwCreateKey [0x83413FEC]
SSDT      \SystemRoot\system32\ntkrnlpa.exe[unknown section] [83413FEC]  ZwCreateKey [0x83413FEC]
SSDT      \SystemRoot\system32\ntkrnlpa.exe  ZwOpenKey [0x83413FF1]
SSDT      \SystemRoot\system32\ntkrnlpa.exe[unknown section] [83413FF1]  ZwOpenKey [0x83413FF1]
INT 0x03  \SystemRoot\system32\ntkrnlpa.exe[unknown section]  83413FFB
INT 0x06  \??\C:\Windows\system32\drivers\Haspnt.sys  9E07F16D
INT 0x0E  \??\C:\Windows\system32\drivers\Haspnt.sys  9E07EFC2

---- Kernel code sections - GMER 2.1 ----

.text     ntkrnlpa.exe!ZwRollbackEnlistment + 1291  83450879 1 Byte  [E9]
.text     ntkrnlpa.exe!ZwRollbackEnlistment + 1291  83450879 6 Bytes  JMP 95A3F57A \??\C:\Windows\system32\drivers\kisknl.sys
.text     ntkrnlpa.exe!ZwRollbackEnlistment + 142D  83450A15 1 Byte  [06]
.text     ntkrnlpa.exe!KiDispatchInterrupt + 5A2  8348A212 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text     ntkrnlpa.exe!KeRemoveQueueEx + 11BF  83491554 3 Bytes  [EC, 3F, 41] {IN AL, DX; AAS ; INC ECX}
.text     ntkrnlpa.exe!KeRemoveQueueEx + 1357  834916EC 8 Bytes  [E0, 76, BE, 8F, 00, 78, BE, ...]
.text     ntkrnlpa.exe!KeRemoveQueueEx + 137F  83491714 3 Bytes  [F1, 3F, 41] {INT1 ; AAS ; INC ECX}
.text     ntkrnlpa.exe!KeRemoveQueueEx + 139F  83491734 4 Bytes  [10, 70, BE, 8F]
.text     ntkrnlpa.exe!KeRemoveQueueEx + 13BF  83491754 4 Bytes  [D0, 74, BE, 8F] {SAL BYTE [ESI+EDI*4-0x71], 0x1}
.text     ...
.text     C:\Windows\system32\DRIVERS\atikmdag.sys  section is writeable [0x90814000, 0x2D5378, 0xE8000020]
.text     C:\Windows\system32\DRIVERS\aksfridge.sys  section is writeable [0x9E0A1000, 0x47E35, 0xE0000020]
.init     C:\Windows\system32\DRIVERS\aksfridge.sys  entry point in ".init" section [0x9E0F5224]
.init     C:\Windows\system32\DRIVERS\aksfridge.sys  unknown last code section [0x9E0F5000, 0x4000, 0xE20000E0]
.text     C:\Windows\system32\drivers\hardlock.sys  section is writeable [0x9E0F9400, 0x6E6E2, 0xE8000020]
.protect  C:\Windows\system32\drivers\hardlock.sys  entry point in ".protect" section [0x9E183820]
.protect  C:\Windows\system32\drivers\hardlock.sys  unknown last code section [0x9E183600, 0x512A, 0xE0000020]

---- User code sections - GMER 2.1 ----

.text     C:\Windows\Explorer.EXE[1692] kernel32.dll!CreateProcessW  76CB204D 5 Bytes  JMP 0A548200 c:\program files\kingsoft\kingsoft antivirus\kshmpg.dll
.text     C:\Windows\Explorer.EXE[1692] kernel32.dll!CopyFileExW  76CEB280 7 Bytes  JMP 0A780260 c:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text     C:\Windows\Explorer.EXE[1692] kernel32.dll!CreateProcessInternalW  76D00792 5 Bytes  JMP 0A546D40 c:\program files\kingsoft\kingsoft antivirus\kshmpg.dll
.text     C:\Windows\Explorer.EXE[1692] kernel32.dll!CreateProcessInternalW + 24  76D007B6 5 Bytes  JMP 0A54F810 c:\program files\kingsoft\kingsoft antivirus\kshmpg.dll
.text     C:\Windows\Explorer.EXE[1692] ADVAPI32.dll!RegQueryValueExW  750E462D 5 Bytes  JMP 0A546940 c:\program files\kingsoft\kingsoft antivirus\kshmpg.dll
.text     C:\Windows\Explorer.EXE[1692] SHELL32.dll!ShellExecuteExW  75E61DF6 5 Bytes  JMP 099A5860 c:\program files\kingsoft\kingsoft antivirus\lblocker.dll
.text     C:\Windows\Explorer.EXE[1692] SHELL32.dll!SHGetItemFromDataObject + 378  75E8EBCC 4 Bytes  CALL 49E8F046
.text     C:\Windows\Explorer.EXE[1692] SHELL32.dll!SHCreateDefaultExtractIcon + 7373  75EB345C 4 Bytes  [04, 00, D7, 07] {ADD AL, 0x0; XLAT BYTE [EBX+AL]; POP ES}
.text     C:\Windows\Explorer.EXE[1692] SHELL32.dll!SHEnumerateUnreadMailAccountsW + 1052  76065625 5 Bytes  JMP 0A798B30 c:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text     C:\Windows\Explorer.EXE[1692] SHELL32.dll!SHLoadInProc + 75D53  7614B3FB 6 Bytes  JMP 0A78D000 c:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text     C:\Windows\Explorer.EXE[1692] WS2_32.dll!WSASend  75E04406 5 Bytes  JMP 0A780010 c:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text     C:\Windows\Explorer.EXE[1692] WS2_32.dll!send  75E06F01 5 Bytes  JMP 0A77FF10 c:\program files\kingsoft\kingsoft antivirus\kswebshield.dll
.text     c:\program files\kingsoft\kingsoft antivirus\kxescore.exe[1732] kernel32.dll!SetUnhandledExceptionFilter  76CFF4EB 5 Bytes  JMP 01FE13B3 c:\program files\kingsoft\kingsoft antivirus\kdump.dll

---- User IAT/EAT - GMER 2.1 ----

IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [734E24CB]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [734C562E]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [734C56EC]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [734E2546]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [734D85AA]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [734D4D5E]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [734D5105]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [734D51DA]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [734D6707]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [734D8301]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [734D8850]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [734D90B1]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [734DE254]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll
IAT       C:\Windows\Explorer.EXE[1692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [734D4C90]  C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18120_none_72d2e82386681b36\gdiplus.dll