GMER 1.0.15.15281 - http://www.gmer.net
Rootkit scan 2010-08-24 00:13:25
Windows 5.1.2600 Dodatek Service Pack 2
Running: uwgb6j24.exe; Driver: C:\DOCUME~1\DOMOWY\USTAWI~1\Temp\pxtdapow.sys

---- Kernel code sections - GMER 1.0.15 ----

init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF880BA1E]
.text cdrom.sys F27C2000 36 Bytes [5F, 5E, 5B, C9, C2, 08, 00, ...]
.text cdrom.sys F27C2025 1 Byte [57]
.text cdrom.sys F27C2025 135 Bytes [57, 8B, 79, 60, 89, 45, F8, ...]
.text cdrom.sys F27C20AD 9 Bytes [00, 80, 75, 09, C7, 45, 10, ...]
.text cdrom.sys F27C20B7 115 Bytes [C0, B0, 01, 33, FF, 84, C0, ...]
.text ...

---- User code sections - GMER 1.0.15 ----

.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] USER32.dll!CallNextHookEx 77D3ED6E 5 Bytes JMP 00CCDD81 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] USER32.dll!CreateWindowExW 77D41AD5 5 Bytes JMP 00CD4832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] USER32.dll!DialogBoxParamW 77D46702 5 Bytes JMP 00BF9315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] USER32.dll!DialogBoxParamA 77D488E1 5 Bytes JMP 00DEDFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] USER32.dll!DialogBoxIndirectParamW 77D52598 5 Bytes JMP 00DEE021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] USER32.dll!MessageBoxIndirectA 77D5AEF1 5 Bytes JMP 00DEDF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] USER32.dll!SetWindowsHookExW 77D5E621 5 Bytes JMP 00CCDBCB C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] USER32.dll!UnhookWindowsHookEx 77D5F29F 5 Bytes JMP 00C31CA2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] USER32.dll!MessageBoxExW 77D70559 5 Bytes JMP 00DEDE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] USER32.dll!MessageBoxExA 77D7057D 5 Bytes JMP 00DEDE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] USER32.dll!DialogBoxIndirectParamA 77D76CED 5 Bytes JMP 00DEE084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] USER32.dll!MessageBoxIndirectW 77D860B7 5 Bytes JMP 00DEDEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[308] ole32.dll!CoCreateInstance 77516009 5 Bytes JMP 00CD488E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[1548] USER32.dll!CreateWindowExW 77D41AD5 5 Bytes JMP 00CD4832 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[1548] USER32.dll!DialogBoxParamW 77D46702 5 Bytes JMP 00BF9315 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[1548] USER32.dll!DialogBoxParamA 77D488E1 5 Bytes JMP 00DEDFBE C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[1548] USER32.dll!DialogBoxIndirectParamW 77D52598 5 Bytes JMP 00DEE021 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[1548] USER32.dll!MessageBoxIndirectA 77D5AEF1 5 Bytes JMP 00DEDF51 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[1548] USER32.dll!MessageBoxExW 77D70559 5 Bytes JMP 00DEDE22 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[1548] USER32.dll!MessageBoxExA 77D7057D 5 Bytes JMP 00DEDE84 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[1548] USER32.dll!DialogBoxIndirectParamA 77D76CED 5 Bytes JMP 00DEE084 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\program files\Internet Explorer\IEXPLORE.EXE[1548] USER32.dll!MessageBoxIndirectW 77D860B7 5 Bytes JMP 00DEDEE6 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwOpenFile] 1B7404F2
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwCreateSection] 681077FF
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwMapViewOfSection] [F27C9D88] \SystemRoot\system32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwClose] 35FF5E6A
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwUnmapViewOfSection] [F27C9E0C] \SystemRoot\system32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExAllocatePool] 9E0835FF
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExFreePoolWithTag] B7E8F27C
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlIpv4AddressToStringA] 8BFFFFA4
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeQueryInterruptTime] 04E91047
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwQueryDirectoryFile] 8BFFFFFC
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlTimeToTimeFields] 778B0C43
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlUnicodeStringToInteger] 16B60F18
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlTimeToSecondsSince1970] 8BF04589
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwDeviceIoControlFile] 488D1047
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExUuidCreate] 104D89FC
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwReadFile] 014EB60F
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwQueryInformationFile] 8D08E2C1
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwSetInformationFile] 3BFE114C
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!swprintf] 0373104D
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlInitUnicodeString] F6104D89
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwWriteFile] 7C9E1405
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlSecondsSince1970ToTime] 207404F2
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwCreateFile] 50FEC083
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlRandom] 0C75FF51
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeEnterCriticalRegion] 7C9D8868
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExAcquireFastMutexUnsafe] FF5F6AF2
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExReleaseFastMutexUnsafe] 7C9E0C35
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeLeaveCriticalRegion] 0835FFF2
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeQuerySystemTime] E8F27C9E
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeInsertQueue] FFFFA4C0
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeRemoveQueue] 83F0458B
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeRundownQueue] 75040878
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoFreeIrp] 10458B2A
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeInitializeQueue] 468D5048
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ObfReferenceObject] 458B5005
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!PsCreateSystemThread] 18C083F0
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ObReferenceObjectByHandle] 2815FF50
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoBuildDeviceIoControlRequest] 8BF27C97
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IofCallDriver] 458B104D
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeInitializeTimer] 0144C6F0
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeInitializeDpc] B60F0017
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeSetTimer] 4889044E
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeCancelTimer] FF14EB0C
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!qsort] 458B1075
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwQueryValueKey] 04C683F0
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlIpv4StringToAddressW] 5618C083
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwOpenKey] 2815FF50
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwEnumerateKey] 8BF27C97
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwOpenSection] 4D8B1045
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!MmAllocatePagesForMdl] 0CC483F0
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!MmMapLockedPagesSpecifyCache] 8918C083
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!MmUnmapLockedPages] FB59E901
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!MmFreePagesFromMdl] 478BFFFF
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlHashUnicodeString] 40B60F18
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeSetEvent] 0C4B8B07
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!RtlPrefixUnicodeString] 8906E8C1
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoGetRelatedDeviceObject] 1C43C701
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAllocateIrp] 00000004
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeInitializeEvent] 8518478B
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeWaitForSingleObject] D4358BC0
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExAllocatePoolWithTag] 74F27C97
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwDeleteKey] 50006A05
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!PoStartNextPowerIrp] 478BD6FF
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IofCompleteRequest] 74C0851C
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!PoCallDriver] 50006A05
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ObReferenceObjectByName] 006AD6FF
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoDriverObjectType] 80D6FF57
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoEnumerateDeviceObjectList] 7400217B
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoCreateDevice] 60438B07
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwFlushVirtualMemory] 01034880
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwQueryKey] 8B0C758B
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoQueueWorkItem] C0850446
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwLoadDriver] FF500774
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ObMakeTemporaryObject] [7C97C415] \WINDOWS\system32\ntdll.dll (Biblioteka NT Layer DLL/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwFsControlFile] 15FF56F2
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoDeleteDevice] [F27C97C8] \SystemRoot\system32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwSetSystemInformation] 89F8458B
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwDeleteFile] 458B1843
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwOpenDirectoryObject] 7DC085F8
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ZwQueryDirectoryObject] 00A33D67
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoGetDeviceObjectPointer] 2A74C000
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoCreateDriver] 0000B53D
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!wcsrchr] 3D2374C0
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoRegisterShutdownNotification] C00000A2
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!IoAllocateWorkItem] 133D1C74
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!KeSetTimerEx] 74C00000
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ExQueueWorkItem] 00163D15
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!ObfDereferenceObject] 0E748000
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!_allmul] 0000143D
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!_allshr] 3D0774C0
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!memset] C0000012
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!_aulldiv] 05F63675
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[ntoskrnl.exe!memcpy] [F27C9E14] \SystemRoot\system32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
IAT \SystemRoot\system32\DRIVERS\cdrom.sys[HAL.dll!KeGetCurrentIrql] F6FFFFA4

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\program files\Internet Explorer\IEXPLORE.EXE[308] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [017918FD] C:\program files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \Driver\Disk \GLOBAL??\ACPI#PNP0303#2&da1a3ff&0 F871B11B

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F893E000-F8944000 (24576 bytes)
Module (noname) (*** hidden *** ) F87DE000-F87E4000 (24576 bytes)
Module (noname) (*** hidden *** ) F87E6000-F87EC000 (24576 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:120] F89409D0
Thread System [4:124] F87E0510
Thread System [4:128] F871BE8A

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\S-1-5-19@RefCount 4

---- Disk sectors - GMER 1.0.15 ----

Disk \Device\Harddisk0\DR0 sector 05: copy of MBR

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\DOMOWY\Ustawienia lokalne\Dane aplikacji\Microsoft\Internet Explorer\Recovery\Last Active\{59B627D8-AF00-11DF-A777-000461589DC2}.dat 0 bytes
File C:\Documents and Settings\DOMOWY\Ustawienia lokalne\temp\~DF30A9.tmp 16384 bytes
File C:\Documents and Settings\DOMOWY\Ustawienia lokalne\temp\~DFA278.tmp 0 bytes
File C:\Documents and Settings\DOMOWY\Ustawienia lokalne\Temporary Internet Files\Content.IE5\NGZF0KN3\infobar_close[2] 0 bytes
File C:\Documents and Settings\DOMOWY\Ustawienia lokalne\Temporary Internet Files\Content.IE5\PWDY7EGD\infobar[1] 0 bytes
File C:\Documents and Settings\DOMOWY\Ustawienia lokalne\Temporary Internet Files\Content.IE5\SXEGJJGH\f[1].htm 0 bytes

---- EOF - GMER 1.0.15 ----