GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-05-08 22:27:32 Windows 6.0.6002 Service Pack 2 Running: 3s6qpmhp.exe; Driver: C:\Users\as\AppData\Local\Temp\pgddrpoc.sys ---- Kernel code sections - GMER 1.0.15 ---- .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8FE05000, 0x1E6984, 0xE8000020] ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0xA9 0x35 0xDD ... Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B055FF2D-625D-4BC9-B4F8-C27EEBE3963D}@LeaseObtainedTime 1336507998 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B055FF2D-625D-4BC9-B4F8-C27EEBE3963D}@T1 1337112778 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B055FF2D-625D-4BC9-B4F8-C27EEBE3963D}@T2 1337112778 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{B055FF2D-625D-4BC9-B4F8-C27EEBE3963D}@LeaseTerminatesTime 1337112798 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0xA9 0x35 0xDD ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0xA9 0x35 0xDD ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0xA9 0x35 0xDD ... Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet005\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0xA9 0x35 0xDD ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0xA9 0x35 0xDD ... Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet007\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0xA9 0x35 0xDD ... Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet008\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0xA9 0x35 0xDD ... Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet009\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0xA9 0x35 0xDD ... Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet011\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xA2 0xA9 0x35 0xDD ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DPX\Assets\4B8D84D894FD29F5@DateTime 0x6E 0x16 0xE6 0xF9 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DPX\Assets\EA49A2EFCB3FBD8E@Count 0xC7 0x62 0x01 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\DPX\Assets\EA49A2EFCB3FBD8E@DateTime 0xFE 0x30 0xB4 0xF9 ... Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install@LastSuccessTime 2012-05-04 14:18:39 Reg HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates@ASSignatureVersion 1.125.1137.0 Reg HKLM\SOFTWARE\Microsoft\Windows Defender\Signature Updates@SignatureLocation C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{59FF70B2-BF9C-4A6C-9469-8427AF82B977} Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore@LastIndex 654 Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@LazyCheckPointUpdateInterval 86400