GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-01-07 06:28:12
Windows 6.0.6002 Service Pack 2
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1637GSX rev.DL030M 149.05GB
Running: gmer.exe; Driver: C:\Users\Robert\AppData\Local\Temp\uwliqpow.sys

---- System - GMER 2.1 ----

SSDT 90FABBC6 ZwCreateSection
SSDT 90FABB9E ZwCreateSymbolicLinkObject
SSDT 90FABBA3 ZwLoadDriver
SSDT 90FABB99 ZwOpenSection
SSDT 90FABBD0 ZwRequestWaitReplyPort
SSDT 90FABBCB ZwSetContextThread
SSDT 90FABBD5 ZwSetSecurityObject
SSDT 90FABBA8 ZwSetSystemInformation
SSDT 90FABBDA ZwSystemDebugControl
SSDT 90FABB67 ZwTerminateProcess
SSDT 90FABB62 ZwWriteVirtualMemory
SSDT \SystemRoot\system32\ntkrnlpa.exe ZwCreateKey [0x82449FEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82449FEC] ZwCreateKey [0x82449FEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe ZwOpenKey [0x82449FF1]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [82449FF1] ZwOpenKey [0x82449FF1]

INT 0x03 \SystemRoot\system32\ntkrnlpa.exe[unknown section] 82449FFB
INT 0x06 \??\C:\Windows\system32\drivers\Haspnt.sys A1BA816D
INT 0x0E \??\C:\Windows\system32\drivers\Haspnt.sys A1BA7FC2

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!KeSetEvent + 1E9 824F586C 3 Bytes [EC, 9F, 44] {IN AL, DX; LAHF ; INC ESP}
.text ntkrnlpa.exe!KeSetEvent + 215 824F5898 4 Bytes [C6, BB, FA, 90]
.text ntkrnlpa.exe!KeSetEvent + 21D 824F58A0 4 Bytes [9E, BB, FA, 90]
.text ntkrnlpa.exe!KeSetEvent + 37D 824F5A00 4 Bytes [A3, BB, FA, 90]
.text ntkrnlpa.exe!KeSetEvent + 3DD 824F5A60 3 Bytes [F1, 9F, 44] {INT1 ; LAHF ; INC ESP}
.text ...
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8975E000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x897A7000, 0x510, 0x40000040]
.text C:\Windows\system32\DRIVERS\aksfridge.sys section is writeable [0xA2C08000, 0x49C57, 0xE0000020]
.init C:\Windows\system32\DRIVERS\aksfridge.sys entry point in ".init" section [0xA2C5F224]
.init C:\Windows\system32\DRIVERS\aksfridge.sys unknown last code section [0xA2C5F000, 0x4000, 0xE20000E0]
.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0xA2C63400, 0x6EED8, 0xE8000020]
.protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA2CEE020] C:\Windows\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xA2CEE020]
.protect˙˙˙˙hardlockunknown last code section [0xA2CEDE00, 0x50BA, 0xE0000020] C:\Windows\system32\drivers\hardlock.sys unknown last code section [0xA2CEDE00, 0x50BA, 0xE0000020]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73807817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [7385A6B5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7380BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [737FF695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [738075E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [737FE7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73838305] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7380DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [737FFFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [737FFF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [737F71CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [7388CBEE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [7382C840] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [737FD968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [737F6853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [737F687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll
IAT C:\Windows\Explorer.EXE[2692] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73802AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19525_none_9e52b55cca15df71\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\tdx \Device\Tcp tcpipBM.sys
Device \Driver\partmgr \Device\PartmgrControl aksfridge.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- EOF - GMER 2.1 ----