GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-20 06:31:44
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1637GSX rev.DL030M 149.05GB
Running: gmer.exe; Driver: C:\Users\Robert\AppData\Local\Temp\uwliqpow.sys

---- System - GMER 2.1 ----

SSDT  8FBDDACE  ZwCreateSection
SSDT  8FBDDAA6  ZwCreateSymbolicLinkObject
SSDT  8FBDDAAB  ZwLoadDriver
SSDT  8FBDDAA1  ZwOpenSection
SSDT  8FBDDAD8  ZwRequestWaitReplyPort
SSDT  8FBDDAD3  ZwSetContextThread
SSDT  8FBDDADD  ZwSetSecurityObject
SSDT  8FBDDAB0  ZwSetSystemInformation
SSDT  8FBDDAE2  ZwSystemDebugControl
SSDT  8FBDDA6F  ZwTerminateProcess
SSDT  8FBDDA6A  ZwWriteVirtualMemory
SSDT  \SystemRoot\system32\ntkrnlpa.exe  ZwCreateKey [0x82441FEC]
SSDT  \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82441FEC]  ZwCreateKey [0x82441FEC]
SSDT  \SystemRoot\system32\ntkrnlpa.exe  ZwOpenKey [0x82441FF1]
SSDT  \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82441FF1]  ZwOpenKey [0x82441FF1]

INT 0x03  \SystemRoot\system32\ntkrnlpa.exe[unknown section]  82441FF6
INT 0x06  \??\C:\Windows\system32\drivers\Haspnt.sys  A35AB16D
INT 0x0E  \??\C:\Windows\system32\drivers\Haspnt.sys  A35AAFC2

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!KeSetEvent + 1E9  824ED7AC 3 Bytes  [EC, 1F, 44]  {IN AL, DX; POP DS; INC ESP}
.text  ntkrnlpa.exe!KeSetEvent + 215  824ED7D8 4 Bytes  [CE, DA, BD, 8F]
.text  ntkrnlpa.exe!KeSetEvent + 21D  824ED7E0 4 Bytes  [A6, DA, BD, 8F]
.text  ntkrnlpa.exe!KeSetEvent + 37D  824ED940 4 Bytes  [AB, DA, BD, 8F]
.text  ntkrnlpa.exe!KeSetEvent + 3DD  824ED9A0 3 Bytes  [F1, 1F, 44]  {INT1 ; POP DS; INC ESP}
.text  ...
.text  C:\Windows\system32\DRIVERS\tos_sps32.sys  section is writeable [0x89750000, 0x4036D, 0xE8000020]
.dsrt  C:\Windows\system32\DRIVERS\tos_sps32.sys  unknown last section [0x89799000, 0x510, 0x40000040]
.text  C:\Windows\system32\DRIVERS\aksfridge.sys  section is writeable [0xA4A0F000, 0x49C57, 0xE0000020]
.init  C:\Windows\system32\DRIVERS\aksfridge.sys  entry point in ".init" section [0xA4A66224]
.init  C:\Windows\system32\DRIVERS\aksfridge.sys  unknown last code section [0xA4A66000, 0x4000, 0xE20000E0]
.text  C:\Windows\system32\drivers\hardlock.sys  section is writeable [0xA4A6A400, 0x6EED8, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA4AF5020]  C:\Windows\system32\drivers\hardlock.sys  entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA4AF5020]
.protect˙˙˙˙hardlockunknown last code section [0xA4AF4E00, 0x50BA, 0xE0000020]  C:\Windows\system32\drivers\hardlock.sys  unknown last code section [0xA4AF4E00, 0x50BA, 0xE0000020]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [73077817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [730B5EFD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [7307BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [7306F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [730775E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [7306E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [730C92D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]  [7307DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [7306FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [7306FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [730671CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]  [730FCB4D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]  [7309C840] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [7306D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [73066853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [7306687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[124] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [73072AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19299_none_9e595caeca0ff663\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\tdx \Device\Tcp  tcpipBM.sys
Device  \Driver\partmgr \Device\PartmgrControl  aksfridge.sys
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Configuration Manager@BackupCount  2

---- EOF - GMER 2.1 ----
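A triage note on reading this log: the five "Kernel code sections" entries labelled ntkrnlpa.exe!KeSetEvent + N are not patched instructions. Read as little-endian pointers, the reported bytes are exactly the SSDT hook targets listed under "System" (EC 1F 44 is the low three bytes of 0x82441FEC, the ZwCreateKey hook; CE DA BD 8F is 0x8FBDDACE, the ZwCreateSection hook; and so on), so the modified locations are service-table slots that GMER has labelled by the nearest exported symbol, and the disassembly it prints in braces is just a pointer decoded as opcodes. The script below is an added example, not part of GMER or of the original post; it parses the log lines copied from above and performs that cross-check mechanically. The regexes, function names and the matching rule (three-byte diffs matched on their low 24 bits, because GMER reports only bytes that differ from the on-disk image) are mine. Note that the log names no module for the 0x8FBDDAxx targets, and the script does not attempt to attribute them to any driver.

```python
import re

# Lines copied verbatim from the GMER log above ("System" and
# "Kernel code sections"); nothing in this sample is invented.
GMER_LOG = r"""
SSDT  8FBDDACE  ZwCreateSection
SSDT  8FBDDAA6  ZwCreateSymbolicLinkObject
SSDT  8FBDDAAB  ZwLoadDriver
SSDT  8FBDDAA1  ZwOpenSection
SSDT  8FBDDAD8  ZwRequestWaitReplyPort
SSDT  8FBDDAD3  ZwSetContextThread
SSDT  8FBDDADD  ZwSetSecurityObject
SSDT  8FBDDAB0  ZwSetSystemInformation
SSDT  8FBDDAE2  ZwSystemDebugControl
SSDT  8FBDDA6F  ZwTerminateProcess
SSDT  8FBDDA6A  ZwWriteVirtualMemory
SSDT  \SystemRoot\system32\ntkrnlpa.exe  ZwCreateKey [0x82441FEC]
SSDT  \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82441FEC]  ZwCreateKey [0x82441FEC]
SSDT  \SystemRoot\system32\ntkrnlpa.exe  ZwOpenKey [0x82441FF1]
SSDT  \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82441FF1]  ZwOpenKey [0x82441FF1]
.text  ntkrnlpa.exe!KeSetEvent + 1E9  824ED7AC 3 Bytes  [EC, 1F, 44]  {IN AL, DX; POP DS; INC ESP}
.text  ntkrnlpa.exe!KeSetEvent + 215  824ED7D8 4 Bytes  [CE, DA, BD, 8F]
.text  ntkrnlpa.exe!KeSetEvent + 21D  824ED7E0 4 Bytes  [A6, DA, BD, 8F]
.text  ntkrnlpa.exe!KeSetEvent + 37D  824ED940 4 Bytes  [AB, DA, BD, 8F]
.text  ntkrnlpa.exe!KeSetEvent + 3DD  824ED9A0 3 Bytes  [F1, 1F, 44]  {INT1 ; POP DS; INC ESP}
"""

# Two SSDT line shapes occur: "SSDT <hexaddr> <Zw name>" when GMER cannot
# name the owning module, and "SSDT <module...> <Zw name> [0x<hexaddr>]"
# when it can.  (Regexes are assumptions written for this log format.)
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<mod>.*?)\s+(?P<name>Zw\w+)(?:\s+\[0x(?P<addr>[0-9A-F]{8})\])?\s*$")
PATCH_RE = re.compile(
    r"^\.text\s+(?P<sym>\S+!\S+ \+ [0-9A-F]+)\s+(?P<addr>[0-9A-F]{8})\s+"
    r"(?P<n>\d+) Bytes\s+\[(?P<bytes>[0-9A-F ,]+)\]")


def parse(log):
    """Return (hooks, patches): hooks maps service name -> hook target address;
    patches is a list of (symbolic location, patched address, replaced bytes)."""
    hooks, patches = {}, []
    for line in log.splitlines():
        m = SSDT_RE.match(line)
        if m:
            addr = m["addr"] or m["mod"]
            if re.fullmatch(r"[0-9A-F]{8}", addr):
                hooks[m["name"]] = int(addr, 16)   # duplicates collapse here
            continue
        m = PATCH_RE.match(line)
        if m:
            diff = bytes(int(b, 16) for b in m["bytes"].split(","))
            if len(diff) == int(m["n"]):
                patches.append((m["sym"], int(m["addr"], 16), diff))
    return hooks, patches


def correlate(log):
    """For each patched location, find the SSDT hooks whose target address
    equals the replaced bytes read as a little-endian pointer.  A diff shorter
    than four bytes is matched on its low bytes only, since GMER reports just
    the bytes that differ from the on-disk image."""
    hooks, patches = parse(log)
    out = {}
    for sym, table_addr, diff in patches:
        value = int.from_bytes(diff, "little")
        mask = (1 << (8 * len(diff))) - 1
        names = sorted(n for n, h in hooks.items() if (h & mask) == value)
        out[sym] = (table_addr, names)
    return out


def hook_regions(log):
    """Group hooked services by the 64 KiB region their target lies in; distinct
    regions usually mean distinct hooking components (here 8FBDxxxx vs 8244xxxx)."""
    hooks, _ = parse(log)
    regions = {}
    for name, addr in hooks.items():
        regions.setdefault(addr >> 16, []).append(name)
    return {k: sorted(v) for k, v in regions.items()}


if __name__ == "__main__":
    for sym, (addr, names) in correlate(GMER_LOG).items():
        print(f"{sym:32s} @ {addr:08X} -> {', '.join(names) or 'no matching hook'}")
    for region, names in sorted(hook_regions(GMER_LOG).items()):
        print(f"hook targets in {region:04X}xxxx: {len(names)} ({', '.join(names)})")
```

Run as-is it prints one line per patched table slot with the service it belongs to, then the two target regions: eleven hooks into 8FBDxxxx (no module named by GMER) and two into 8244xxxx, which the log itself attributes to an "[unknown section]" of ntkrnlpa.exe. What those regions contain has to come from a memory dump or the driver list, not from this log.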