GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-01-06 13:53:34
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1637GSX rev.DL030M 149.05GB
Running: gmer.exe; Driver: C:\Users\Robert\AppData\Local\Temp\uwliqpow.sys

---- System - GMER 2.1 ----

SSDT 901E5DFE ZwCreateSection
SSDT 901E5DD6 ZwCreateSymbolicLinkObject
SSDT 901E5DDB ZwLoadDriver
SSDT 901E5DD1 ZwOpenSection
SSDT 901E5E08 ZwRequestWaitReplyPort
SSDT 901E5E03 ZwSetContextThread
SSDT 901E5E0D ZwSetSecurityObject
SSDT 901E5DE0 ZwSetSystemInformation
SSDT 901E5E12 ZwSystemDebugControl
SSDT 901E5D9F ZwTerminateProcess
SSDT 901E5D9A ZwWriteVirtualMemory
SSDT \SystemRoot\system32\ntkrnlpa.exe ZwCreateKey [0x82447FEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82447FEC] ZwCreateKey [0x82447FEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe ZwOpenKey [0x82447FF1]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82447FF1] ZwOpenKey [0x82447FF1]

INT 0x03 \SystemRoot\system32\ntkrnlpa.exe[unknown section] 82447FF6
INT 0x06 \??\C:\Windows\system32\drivers\Haspnt.sys A13AC16D
INT 0x0E \??\C:\Windows\system32\drivers\Haspnt.sys A13ABFC2

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!KeSetEvent + 1E9 824F386C 3 Bytes [EC, 7F, 44] {IN AL, DX; JG 0x47}
.text ntkrnlpa.exe!KeSetEvent + 215 824F3898 4 Bytes [FE, 5D, 1E, 90]
.text ntkrnlpa.exe!KeSetEvent + 21D 824F38A0 4 Bytes [D6, 5D, 1E, 90] {SALC ; POP EBP; PUSH DS; NOP }
.text ntkrnlpa.exe!KeSetEvent + 37D 824F3A00 4 Bytes [DB, 5D, 1E, 90] {FISTP DWORD [EBP+0x1e]; NOP }
.text ntkrnlpa.exe!KeSetEvent + 3DD 824F3A60 3 Bytes [F1, 7F, 44] {INT1 ; JG 0x47}
.text ...
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x89750000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x89799000, 0x510, 0x40000040]
.text C:\Windows\system32\DRIVERS\aksfridge.sys section is writeable [0x9196B000, 0x49C57, 0xE0000020]
.init C:\Windows\system32\DRIVERS\aksfridge.sys entry point in ".init" section [0x919C2224]
.init C:\Windows\system32\DRIVERS\aksfridge.sys unknown last code section [0x919C2000, 0x4000, 0xE20000E0]
.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0xA280F400, 0x6EED8, 0xE8000020]
.protect˙˙˙˙hardlock C:\Windows\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlock" section [0xA289A020]
.protect˙˙˙˙hardlock C:\Windows\system32\drivers\hardlock.sys unknown last code section [0xA2899E00, 0x50BA, 0xE0000020]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73537817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7358A6B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7353BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7352F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [735375E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7352E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73568305] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7353DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [7352FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [7352FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [735271CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [735BCBEE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7355C840] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7352D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73526853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7352687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2892] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73532AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\tdx \Device\Tcp tcpipBM.sys
Device \Driver\partmgr \Device\PartmgrControl aksfridge.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- EOF - GMER 2.1 ----