GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-04 18:36:37
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-17 ST3200826AS rev.3.03
Running: b2tp8umc.exe; Driver: C:\DOCUME~1\HP_Owner\LOCALS~1\Temp\uxldapod.sys


---- System - GMER 1.0.15 ----

SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwCreateFile [0xB3715444]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwCreateSymbolicLinkObject [0xB3715900]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwCreateThread [0xB3714C46]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwDeleteKey [0xB3715232]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwDeleteValueKey [0xB3715104]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwDeviceIoControlFile [0xB371599E]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwLoadDriver [0xB3714A7C]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwMapViewOfSection [0xB371481E]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwOpenFile [0xB371572A]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwOpenKey [0xB37153FE]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwOpenProcess [0xB3714D6A]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwOpenSection [0xB3714ED0]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwOpenThread [0xB3714E1A]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwProtectVirtualMemory [0xB37158C0]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwQueueApcThread [0xB3714CF8]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwSecureConnectPort [0xB3715858]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwSetContextThread [0xB37147AE]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwSetSystemInformation [0xB3714BD8]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwSetValueKey [0xB37152FE]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwTerminateProcess [0xB3714FEA]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwWriteVirtualMemory [0xB371469A]

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 2FE8  80504884 4 Bytes  JMP DCB3714F
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB67D03A0, 0x83C195, 0xE8000020]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0  C:\Program Files\Alcohol Soft\Alcohol 120\
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  1
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xAF 0x8B 0xAB 0x75 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0  0x20 0x01 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4  (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0  0
Reg  HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh  0xF7 0xEE 0x63 0xE9 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\AutoplayHandlers\ContentTypeSniffers\VideoFilesContentSniffer@RelPattern  *.asf?*.avi?*.divx?*.mov?*.mpeg?*.mpg?*.ogm?*.qt?*.rm?*.wmv?*.mkv?*.vob?*.m1v?*.m2v?*.swf?*.fli?*.flc?*.flic?*.dat?*.mp4?*.mpe?*.3gp?*.3g2?*.ts?*.tp?*.trp?*.k3g?*.flv?*.m4v?*.mpg?VIDEO\*.mpg?*.
Reg  HKLM\SOFTWARE\Classes\CLSID\{5ED60779-4DE2-4E07-B862-974CA4FF2E9C}@scansk  0x33 0x94 0x72 0x60 ...
Reg  HKLM\SOFTWARE\Classes\CLSID\{5f05130f-1d7c-495d-a1c3-09c22f19153e}@Model  90
Reg  HKLM\SOFTWARE\Classes\CLSID\{5f05130f-1d7c-495d-a1c3-09c22f19153e}@Therad  13
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{001D370E-1DDC-C845-3351-E7C4AEC31563}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{001D370E-1DDC-C845-3351-E7C4AEC31563}@oabkcnfdjomapknfimlffknbjklnef  0x64 0x61 0x61 0x61 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{001D370E-1DDC-C845-3351-E7C4AEC31563}@oafjkpgeflnkahedmmkfjmlfgbnjob  0x6A 0x61 0x62 0x61 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{001D370E-1DDC-C845-3351-E7C4AEC31563}@naliaamjdmeegepmbeengfelpggm  0x6A 0x61 0x62 0x61 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{001D370E-1DDC-C845-3351-E7C4AEC31563}@eanicphmcn  0x6A 0x61 0x6B 0x6A ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{001D370E-1DDC-C845-3351-E7C4AEC31563}@cakjol  0x64 0x62 0x6F 0x6A ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{12EBA2F2-0C26-1CD0-8125-0879D386D75F}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{54A7B785-2559-7FB3-7792-C33510A1BC35}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{54A7B785-2559-7FB3-7792-C33510A1BC35}@haiifihipeafhmpm  0x61 0x62 0x6B 0x68 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{54A7B785-2559-7FB3-7792-C33510A1BC35}@jajieiblhapggobdngen  0x6F 0x61 0x6D 0x68 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{6E861BD3-8E02-C9A0-270B-EF4CC27333F1}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{8FF8623D-7C80-9D75-D1A1-DCFE67873391}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E47744A9-9EFD-63E9-D5CF-558628CCCA47}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E47744A9-9EFD-63E9-D5CF-558628CCCA47}@oaclmneielnlpgdfldhapikhibmlfn  0x64 0x61 0x66 0x61 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E47744A9-9EFD-63E9-D5CF-558628CCCA47}@oaglmplcbcmjdcdbhiacomfiaefppp  0x6A 0x61 0x63 0x62 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E47744A9-9EFD-63E9-D5CF-558628CCCA47}@naancbfbeeamjfihooeomnkllfol  0x6A 0x61 0x63 0x62 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E47744A9-9EFD-63E9-D5CF-558628CCCA47}@eaommbnifc  0x6A 0x61 0x64 0x6C ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{E47744A9-9EFD-63E9-D5CF-558628CCCA47}@cadlgm  0x64 0x62 0x68 0x6B ...

---- EOF - GMER 1.0.15 ----
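A GMER log like the one above is read by hand in forum triage; the script below is an added example (not GMER's code and not part of the original log) that parses the GMER 1.0.15 text layout so the same questions can be asked mechanically: which module owns each SSDT hook and whether all hook addresses fall in one image's range, which .text entries are inline patches versus writeable sections, and what the hex byte dumps GMER prints for binary registry values spell out in ASCII (for instance 0x64 0x61 0x61 0x61 is "daaa"). SAMPLE_LOG is a short excerpt copied from the scan above into GMER's two-space column layout; the regular expressions are written against GMER 1.0.15 output and are an assumption for other versions.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER code).

Parses section headers, SSDT hook lines, .text (kernel code) lines and Reg
lines, groups SSDT hooks by owning module and decodes GMER's hex byte dumps.
"""
import re
from collections import defaultdict

# Constructed excerpt of the scan above, in GMER's two-space column layout.
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-01-04 18:36:37

---- System - GMER 1.0.15 ----

SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwCreateFile [0xB3715444]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwOpenProcess [0xB3714D6A]
SSDT  \??\C:\Program Files\AntiLogger\AntiLog32.sys (Zemana AntiLogger Driver/Zemana Ltd.)  ZwWriteVirtualMemory [0xB371469A]

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 2FE8  80504884 4 Bytes  JMP DCB3714F
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB67D03A0, 0x83C195, 0xE8000020]

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SOFTWARE\Classes\CLSID\{5f05130f-1d7c-495d-a1c3-09c22f19153e}@Model  90
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{001D370E-1DDC-C845-3351-E7C4AEC31563}@oabkcnfdjomapknfimlffknbjklnef  0x64 0x61 0x61 0x61 ...

---- EOF - GMER 1.0.15 ----
"""

# Line shapes assumed from GMER 1.0.15 output (fields separated by >= 2 spaces).
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>.+?)\s+(?P<func>(?:Zw|Nt)\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
MODULE_RE = re.compile(r"^(?P<path>.*?)(?:\s+\((?P<vendor>[^()]*)\))?$")  # "path (description/vendor)"
TEXT_RE = re.compile(r"^\.text\s+(?P<where>.+?)\s{2,}(?P<detail>.+)$")
REG_RE = re.compile(r"^Reg\s+(?P<key>HK\w+\\[^@]+?)(?:@(?P<value>\S+))?(?:\s{2,}(?P<data>.*))?$")
HEX_DUMP_RE = re.compile(r"^(?P<bytes>(?:0x[0-9A-Fa-f]{2}\s*)+)(?P<trunc>\.\.\.)?$")


def decode_hex_dump(data):
    """Turn '0x64 0x61 ...' into ('da', True); non-printable bytes become '.'.
    Returns None when the data field is not a GMER hex dump."""
    m = HEX_DUMP_RE.match(data.strip())
    if not m:
        return None
    raw = bytes(int(tok, 16) for tok in m.group("bytes").split())
    text = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in raw)
    return text, m.group("trunc") is not None  # GMER prints '...' when it truncates


def classify_code_entry(detail):
    """Label a .text line: an inline patch (N Bytes JMP/CALL ...) or a writeable section."""
    if detail.startswith("section is writeable"):
        return "writeable-section"
    if re.search(r"\d+ Bytes\s+(JMP|CALL|PUSH|RET)", detail):
        return "inline-patch"
    return "other"


def parse_gmer(text):
    """Parse a GMER log into header lines, section names and typed entries."""
    result = {"header": [], "sections": [], "ssdt": [], "code": [], "reg": []}
    section = None
    for line in (l.rstrip() for l in text.splitlines()):
        if not line:
            continue
        if m := SECTION_RE.match(line):
            section = m.group("name")
            result["sections"].append(section)
        elif section is None:
            result["header"].append(line)
        elif m := SSDT_RE.match(line):
            mod = MODULE_RE.match(m.group("module"))
            result["ssdt"].append({"path": mod.group("path"), "vendor": mod.group("vendor"),
                                   "function": m.group("func"), "address": int(m.group("addr"), 16)})
        elif m := TEXT_RE.match(line):
            result["code"].append({"where": m.group("where"), "detail": m.group("detail"),
                                   "kind": classify_code_entry(m.group("detail"))})
        elif m := REG_RE.match(line):
            data = m.group("data")
            decoded = decode_hex_dump(data) if data else None
            result["reg"].append({"key": m.group("key"), "value": m.group("value"), "data": data,
                                  "ascii": decoded[0] if decoded else None,
                                  "truncated": decoded[1] if decoded else False})
    return result


def ssdt_hooks_by_module(entries):
    """Map each hooking module path to the list of hooked Zw* services."""
    grouped = defaultdict(list)
    for e in entries:
        grouped[e["path"]].append(e["function"])
    return dict(grouped)


def hook_address_span(entries):
    """(lowest, highest) hook target address; one driver image gives a tight span."""
    addrs = [e["address"] for e in entries]
    return (min(addrs), max(addrs)) if addrs else None


def triage(text):
    parsed = parse_gmer(text)
    return {"ssdt_hooks_by_module": ssdt_hooks_by_module(parsed["ssdt"]),
            "ssdt_address_span": hook_address_span(parsed["ssdt"]),
            "kernel_patches": [c for c in parsed["code"] if c["kind"] != "other"],
            "reg_binary_values": [r for r in parsed["reg"] if r["ascii"] is not None]}


if __name__ == "__main__":
    import json, sys
    src = open(sys.argv[1], encoding="utf-8", errors="replace").read() if len(sys.argv) > 1 else SAMPLE_LOG
    print(json.dumps(triage(src), indent=2))
```

Run it with the path of a saved GMER log as the only argument, or with no argument to process SAMPLE_LOG. The grouping makes the point of the log above visible at a glance: every SSDT entry resolves to the same signed module path, and the addresses all lie within a few kilobytes of each other, which is what a single driver's hook table looks like; an SSDT whose entries point to several different or unnamed modules, or a .text entry classified as an inline patch in a module nobody recognises, is where manual inspection should start.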