GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-11-08 06:58:34
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK1637GSX rev.DL030M 149,05GB
Running: nupe7nv9.exe; Driver: C:\Users\Robert\AppData\Local\Temp\uwliqpow.sys

---- System - GMER 2.2 ----

SSDT 89E6D5DE ZwCreateSection
SSDT 89E6D5B6 ZwCreateSymbolicLinkObject
SSDT 89E6D5BB ZwLoadDriver
SSDT 89E6D5B1 ZwOpenSection
SSDT 89E6D5E8 ZwRequestWaitReplyPort
SSDT 89E6D5E3 ZwSetContextThread
SSDT 89E6D5ED ZwSetSecurityObject
SSDT 89E6D5C0 ZwSetSystemInformation
SSDT 89E6D5F2 ZwSystemDebugControl
SSDT 89E6D57F ZwTerminateProcess
SSDT \SystemRoot\system32\ntkrnlpa.exe ZwCreateKey [0x81E52FEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [81E52FEC] ZwCreateKey [0x81E52FEC]
SSDT \SystemRoot\system32\ntkrnlpa.exe ZwOpenKey [0x81E52FF1]
SSDT \SystemRoot\system32\ntkrnlpa.exe[unknown section] [81E52FF1] ZwOpenKey [0x81E52FF1]

INT 0x03 \SystemRoot\system32\ntkrnlpa.exe[unknown section] 81E52FFB

---- Kernel code sections - GMER 2.2 ----

.text ntkrnlpa.exe!KeSetEvent + 1E9 81EFE854 4 Bytes [EC, 2F, E5, 81] {IN AL, DX; DAS ; IN EAX, 0x81}
.text ntkrnlpa.exe!KeSetEvent + 215 81EFE880 4 Bytes [DE, D5, E6, 89]
.text ntkrnlpa.exe!KeSetEvent + 21D 81EFE888 4 Bytes [B6, D5, E6, 89] {MOV DH, 0xd5; OUT 0x89, AL}
.text ntkrnlpa.exe!KeSetEvent + 37D 81EFE9E8 4 Bytes [BB, D5, E6, 89]
.text ntkrnlpa.exe!KeSetEvent + 3DD 81EFEA48 4 Bytes [F1, 2F, E5, 81] {INT1 ; DAS ; IN EAX, 0x81}
.text ...
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x89154000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8919D000, 0x510, 0x40000040]
.text C:\Windows\system32\DRIVERS\aksfridge.sys section is writeable [0x9CEF0000, 0x49379, 0xE0000020]
.init C:\Windows\system32\DRIVERS\aksfridge.sys entry point in ".init" section [0x9CF46224]
.init C:\Windows\system32\DRIVERS\aksfridge.sys unknown last code section [0x9CF46000, 0x4000, 0xE20000E0]
.text C:\Windows\system32\drivers\hardlock.sys section is writeable [0x9CF4A400, 0x6EB98, 0xE8000020]
.protect˙˙˙˙hardlock C:\Windows\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlock" section [0x9CFD4C20]
.protect˙˙˙˙hardlock C:\Windows\system32\drivers\hardlock.sys unknown last code section [0x9CFD4A00, 0x50CA, 0xE0000020]

---- User code sections - GMER 2.2 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2824] kernel32.dll!LockResource + C 764B6C73 7 Bytes JMP 521287EB C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2824] kernel32.dll!VirtualAllocEx + 54 764BB0F0 7 Bytes JMP 521295DD C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2824] USER32.dll!CreateWindowExA 7777DC2A 5 Bytes JMP 522ACAEA C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2824] USER32.dll!CreateWindowExW 77781305 5 Bytes JMP 51E1C7B8 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[2824] GDI32.dll!StretchDIBits + 179 77AB6FFD 7 Bytes JMP 52128097 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5524] kernel32.dll!HeapSetInformation + 26 7649A9A0 7 Bytes JMP 51E6870F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5524] kernel32.dll!LockResource + C 764B6C73 7 Bytes JMP 521287EB C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5524] kernel32.dll!VirtualAllocEx + 54 764BB0F0 7 Bytes JMP 521295DD C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5524] USER32.dll!CreateWindowExA 7777DC2A 5 Bytes JMP 522ACAEA C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5524] USER32.dll!CreateWindowExW 77781305 5 Bytes JMP 51E1C7B8 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5524] USER32.dll!GetWindowInfo 7778428E 5 Bytes JMP 52D3D518 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[5524] GDI32.dll!StretchDIBits + 179 77AB6FFD 7 Bytes JMP 52128097 C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.2 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 EUBKMON.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 EUBKMON.sys
AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 EUBKMON.sys
Device \Driver\disk \Device\Harddisk0\DR0 aksfridge.sys
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- EOF - GMER 2.2 ----