GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-11 09:32:00 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 ST500DM002-1BD142 rev.KC45 465,76GB Running: tpdrnlph.exe; Driver: C:\Users\ADMINI~1\AppData\Local\Temp\uwlcypob.sys ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82C80A35 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CBA392 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegCloseKey] [76D7461D] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegCreateKeyW] [76D71494] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegGetValueW] [76D70DC5] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegOpenKeyExW] [76D7460D] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegCreateKeyExW] [76D7407E] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegQueryValueExW] [76D7462D] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!GetLengthSid] [76D740BB] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!GetTokenInformation] [76D7429C] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!OpenProcessToken] [76D74284] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegSetValueExW] [76D71456] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegDeleteKeyExW] [76D6A965] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegOpenKeyW] [76D723D9] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegDeleteValueW] [76D6CED1] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegEnumValueW] [76D7484C] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegQueryInfoKeyW] [76D74667] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!ConvertStringSidToSidW] [76D8095C] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!CloseServiceHandle] [76D7361C] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!OpenServiceW] [76D6C9EC] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!OpenSCManagerW] [76D6CA04] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!RegEnumKeyExW] [76D74648] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!CreateWellKnownSid] [76D7479E] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!StartServiceW] [76D67914] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!CryptAcquireContextW] [76D6DEB4] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!CryptCreateHash] [76D6DEEE] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!CryptHashData] [76D6DED6] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!CryptGetHashParam] [76D6DF1E] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!CryptDestroyHash] [76D6DF06] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!CryptReleaseContext] [76D6E0C4] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!StartTraceW] [76D6E407] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!EnableTraceEx] [76D6FC04] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!StopTraceW] [76D70D69] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!LsaLookupSids] [76D89374] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!IsValidSid] [76D72E6F] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!GetSidSubAuthorityCount] [76D70D8A] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!GetSidSubAuthority] [76D70DA2] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!LsaOpenPolicy] [76D806FC] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!LsaFreeMemory] [76D7ED61] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!LsaClose] [76D81A77] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!OpenThreadToken] [76D742AC] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!ConvertSidToStringSidW] [76D742C4] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!ConvertStringSecurityDescriptorToSecurityDescriptorW] [76D71ED9] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!CheckTokenMembership] [76D6DEA4] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [ADVAPI32.dll!QueryServiceStatus] [76D72A06] C:\Windows\system32\ADVAPI32.dll IAT C:\Windows\Explorer.EXE[3228] @ C:\Windows\Explorer.EXE [KERNEL32.dll!CreateProcessW] [772C8000] C:\Windows\system32\kernel32.dll ---- Devices - GMER 2.1 ---- Device \Driver\RasPppoe \Device\NDMP10 ntkrnlpa.exe Device \Driver\PptpMiniport \Device\NDMP11 ntkrnlpa.exe Device \Driver\RasSstp \Device\NDMP12 ntkrnlpa.exe Device \Driver\AsyncMac \Device\NDMP13 ntkrnlpa.exe Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 [8BD26FFB] \SystemRoot\system32\drivers\atapi.sys[unknown section] {JMP 0xf4e7515f} Device \Driver\atapi \Device\Ide\IdePort0 [8BD26FFB] \SystemRoot\system32\drivers\atapi.sys[unknown section] {JMP 0xf4e7515f} Device \Driver\atapi \Device\Ide\IdePort1 [8BD26FFB] \SystemRoot\system32\drivers\atapi.sys[unknown section] {JMP 0xf4e7515f} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-1 [8BD26FFB] \SystemRoot\system32\drivers\atapi.sys[unknown section] {JMP 0xf4e7515f} Device \Driver\NdisWan \Device\NDMP7 ntkrnlpa.exe Device \Driver\NdisWan \Device\NDMP8 ntkrnlpa.exe Device \Driver\NdisWan \Device\NDMP9 ntkrnlpa.exe Device \Driver\AsyncMac \Device\ASYNCMAC ntkrnlpa.exe Device \Driver\NdisWan \Device\NdisWan ntkrnlpa.exe Device \Driver\Null \Device\{6EBEDAB9-C4C4-0953-FD96-812A37385BEC} ntkrnlpa.exe Device \Driver\RasSstp \Device\SstpDrv ntkrnlpa.exe ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@998BB567 433 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{EA5B402A-FA07-11E2-ACB0-806E6F6E6963} 7604913672 Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{EA5B402B-FA07-11E2-ACB0-806E6F6E6963} 21869408 ---- Files - GMER 2.1 ---- File C:\Windows\system32\drivers\atapi.sys suspicious modification ---- EOF - GMER 2.1 ----