GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-07 16:56:47
Windows 6.1.7600 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500418AS rev.CC37 465.76GB
Running: mq7jtp9f.exe; Driver: C:\Users\Dom\AppData\Local\Temp\uxldypob.sys

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwSaveKeyEx + 13AD  82C55579 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  82C79F52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  C:\Windows\system32\DRIVERS\atikmdag.sys  section is writeable [0x9140E000, 0x227A14, 0xE8000020]
.text  C:\Windows\system32\DRIVERS\atksgt.sys  section is writeable [0x98D59300, 0x3B6D8, 0xE8000020]
.text  C:\Windows\system32\DRIVERS\lirsgt.sys  section is writeable [0x98DE9300, 0x1BEE, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1500] kernel32.dll!SetUnhandledExceptionFilter  77413142 4 Bytes  [C2, 04, 00, 00]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [7444250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [74442494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [74425624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [744256E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [74438573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [74434D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [744350CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [744351A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [744366D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [744382CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [74438819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [7443907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [7443E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [74434C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  eamon.sys
AttachedDevice  \Driver\tdx \Device\Tcp  epfwtdir.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0xD4 0xC3 0x97 0x02 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x3C 0x32 0x15 0xA9 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0xD4 0xC3 0x97 0x02 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x3C 0x32 0x15 0xA9 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{4D09CE84-5405-4830-9DE2-12DF848E1097}
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D09CE84-5405-4830-9DE2-12DF848E1097}
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D09CE84-5405-4830-9DE2-12DF848E1097}@Path  \Microsoft\Windows Defender\MP Scheduled Scan
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D09CE84-5405-4830-9DE2-12DF848E1097}@Triggers  0x15 0x00 0x00 0x00 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{4D09CE84-5405-4830-9DE2-12DF848E1097}@DynamicInfo  0x03 0x00 0x00 0x00 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows Defender\MP Scheduled Scan@Id  {4D09CE84-5405-4830-9DE2-12DF848E1097}

---- Files - GMER 2.1 ----

File  C:\Users\Dom\AppData\Local\Mozilla\Firefox\Profiles\duz912c6.default-1368449410798\cache2\entries\C6D8932706A42AA86F8C48949492DF71D9999F26  0 bytes

---- EOF - GMER 2.1 ----
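The log above is GMER's raw output with no interpretation attached. The script below is an added triage example, not part of GMER and not something the poster ran; it parses GMER 2.1's one-entry-per-line Kernel/User code, IAT/EAT and Devices sections and applies the first checks an analyst does by hand: it decodes the leading bytes of each .text modification to see whether they form a standard hook prologue (jmp/call/ret/push-ret; the ekrn.exe patch C2 04 00 00 decodes to ret 4), it checks whether each IAT entry resolves into a module whose file name matches the DLL the import names (every gdiplus.dll import above resolves into a WinSxS gdiplus.dll), and it lists writeable kernel .text sections and attached filter devices. The embedded SAMPLE_LOG is a subset of the lines above; SYNTHETIC_HOOKED_IAT is a constructed negative case with an invented target path, included only to show the IAT check firing. The Registry and Files sections are not parsed.

```python
"""Triage helper for GMER 2.1 text logs (added example; not GMER's own code)."""
from __future__ import annotations
import ntpath
import re
from dataclasses import dataclass

# Constructed sample: a subset of the GMER log above, in GMER's native
# one-entry-per-line layout, embedded so the script runs offline.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwSaveKeyEx + 13AD  82C55579 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  82C79F52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  C:\Windows\system32\DRIVERS\atksgt.sys  section is writeable [0x98D59300, 0x3B6D8, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1500] kernel32.dll!SetUnhandledExceptionFilter  77413142 4 Bytes  [C2, 04, 00, 00]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [7444250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [74442494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  eamon.sys
"""

# Constructed negative case: NOT from the log above, the target path is invented,
# so the IAT name-mismatch check can be seen firing.
SYNTHETIC_HOOKED_IAT = r"""
---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[724] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [10001000] C:\Temp\example_hook.dll
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER 2\.1 ----$")
WRITEABLE_RE = re.compile(r"^\.text\s+(\S+)\s+section is writeable \[(0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+), (0x[0-9A-Fa-f]+)\]")
KERNEL_PATCH_RE = re.compile(r"^\.text\s+(\S+?)!(\S+) \+ ([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8}) (\d+) Bytes?\s+\[(.*?)\]")
USER_PATCH_RE = re.compile(r"^\.text\s+(.+?)\[(\d+)\] (\S+?)!(\S+)\s+([0-9A-Fa-f]{8}) (\d+) Bytes?\s+\[(.*?)\]")
IAT_RE = re.compile(r"^IAT\s+(.+?)\[(\d+)\] @ (.+?) \[([^!\]]+)!([^\]]+)\]\s+\[([0-9A-Fa-f]{8})\] (.+)$")
DEVICE_RE = re.compile(r"^AttachedDevice\s+(\S+) (\S+)\s+(\S+)$")


@dataclass
class Finding:
    section: str
    kind: str     # patch | writeable | iat | device
    subject: str
    note: str
    review: bool  # True: needs an analyst's eyes; False: consistent with a clean host


def describe_patch(byte_list: str) -> str:
    """Name the instruction a .text modification starts with, if it is a hook-style
    one. byte_list is GMER's 'E0, 0F, ...' payload without the brackets."""
    toks = [t.strip().upper() for t in byte_list.split(",") if t.strip() not in ("", "...")]
    if not toks:
        return "empty"
    op = toks[0]
    if op == "E9":
        return "jmp rel32 (inline hook trampoline)"
    if op == "E8":
        return "call rel32"
    if op == "EB":
        return "jmp rel8"
    if op == "C3":
        return "ret (function stubbed out)"
    if op == "C2" and len(toks) >= 3:
        imm = int(toks[2] + toks[1], 16)  # imm16 is little-endian in the byte dump
        return f"ret {imm} (function stubbed out, {imm // 4} stdcall arg(s) popped)"
    if op == "FF" and len(toks) >= 2 and toks[1] in ("15", "25"):
        return "call/jmp [abs32]"
    if op == "68" and "C3" in toks[1:7]:
        return "push imm32 / ret"
    return "other (not a standard hook prologue; compare against the on-disk image)"


def parse_gmer(text: str) -> list[Finding]:
    """Turn the supported GMER sections into Finding records; lines outside any
    '---- ... ----' header and unsupported sections are ignored."""
    findings: list[Finding] = []
    section = None
    for line in text.splitlines():
        line = line.rstrip()
        if not line:
            continue
        if (m := SECTION_RE.match(line)):
            section = m.group(1)
            continue
        if section is None:
            continue
        if (m := WRITEABLE_RE.match(line)):
            path, base, size, _chars = m.groups()
            findings.append(Finding(section, "writeable", ntpath.basename(path),
                                    f"writeable .text at {base}, size {size}", True))
        elif (m := KERNEL_PATCH_RE.match(line)):
            mod, sym, off, addr, n, bs = m.groups()
            findings.append(Finding(section, "patch", f"{mod}!{sym}+{off}",
                                    f"{n} byte(s) at {addr}: {describe_patch(bs)}", True))
        elif (m := USER_PATCH_RE.match(line)):
            proc, pid, mod, sym, addr, n, bs = m.groups()
            findings.append(Finding(section, "patch", f"{ntpath.basename(proc)}[{pid}] {mod}!{sym}",
                                    f"{n} byte(s) at {addr}: {describe_patch(bs)}", True))
        elif (m := IAT_RE.match(line)):
            proc, pid, _owner, dll, func, addr, target = m.groups()
            same = ntpath.basename(target).lower() == dll.lower()  # first-pass IAT check
            verdict = "expected module name" if same else "DIFFERENT module: possible IAT hook"
            findings.append(Finding(section, "iat", f"{ntpath.basename(proc)}[{pid}]",
                                    f"{dll}!{func} -> {addr} in {target} ({verdict})", not same))
        elif (m := DEVICE_RE.match(line)):
            drv_obj, dev, filt = m.groups()
            findings.append(Finding(section, "device", filt,
                                    f"filter attached to {dev} ({drv_obj}); confirm the publisher", False))
    return findings


if __name__ == "__main__":
    for f in parse_gmer(SAMPLE_LOG) + parse_gmer(SYNTHETIC_HOOKED_IAT):
        print(("REVIEW " if f.review else "info   ") + f"[{f.section}] {f.subject}: {f.note}")
```

Run it against a saved GMER log with `parse_gmer(open("gmer.log", encoding="utf-8", errors="replace").read())`. The IAT name match is only the first filter: it says nothing about whether that module is itself intact, and a kernel .text entry that is "other" still has to be compared with the on-disk image (or a known-good copy of the same build) before it is called benign or malicious.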