GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-07-06 09:10:44 Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 WDC_WD1600AAJB-00J3A0 rev.01.03E01 Running: u9wp6fyk.exe; Driver: C:\Users\MZAWAD~1\AppData\Local\Temp\uwryyuoc.sys ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A7C3C9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB5D52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text C:\Windows\system32\drivers\atikmdag.sys section is writeable [0x92619000, 0x227A14, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Program Files\Mozilla Firefox\firefox.exe[2944] ntdll.dll!LdrLoadDll 7786223E 5 Bytes JMP 5EC7FA35 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2944] kernel32.dll!MapViewOfFile 774793DB 5 Bytes JMP 5EF2079E C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2944] kernel32.dll!VirtualAlloc 7747C43A 5 Bytes JMP 5EF207C5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Firefox\firefox.exe[2944] GDI32.dll!CreateDIBSection 777B8850 5 Bytes JMP 5EF20728 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3896] ntdll.dll!LdrLoadDll 7786223E 5 Bytes JMP 690CD2FC C:\Program Files\Mozilla Thunderbird\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3896] kernel32.dll!MapViewOfFile 774793DB 5 Bytes JMP 69A58DB7 C:\Program Files\Mozilla Thunderbird\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3896] kernel32.dll!VirtualAlloc 7747C43A 5 Bytes JMP 69A58D71 C:\Program Files\Mozilla Thunderbird\xul.dll (Mozilla Foundation) .text C:\Program Files\Mozilla Thunderbird\thunderbird.exe[3896] GDI32.dll!CreateDIBSection 777B8850 5 Bytes JMP 69A58DDE C:\Program Files\Mozilla Thunderbird\xul.dll (Mozilla Foundation) ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc] [746D24CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup] [746B562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown] [746B56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree] [746D2546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics] [746C85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage] [746C4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth] [746C5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight] [746C51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [746C6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC] [746C8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode] [746C8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode] [746C90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI] [746CE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\explorer.exe[404] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage] [746C4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746D24CB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746B562E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [746B56EC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [746D2546] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [746C85AA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746C4D5E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [746C5105] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [746C51DA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [746C6707] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [746C8301] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [746C8850] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [746C90B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [746CE254] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) IAT C:\Windows\Explorer.EXE[1876] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [746C4C90] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17825_none_72d273598668a06b\gdiplus.dll (Microsoft GDI+/Microsoft Corporation) ---- Devices - GMER 1.0.15 ---- Device \FileSystem\Ntfs \Ntfs ShlDrv51.sys (PandaShield driver/Panda Security, S.L.) Device \Driver\ACPI_HAL \Device\00000048 halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) ---- Files - GMER 1.0.15 ---- File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS000CD.log 1048576 bytes File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS000CE.log 1048576 bytes File C:\ProgramData\Microsoft\Search\Data\Applications\Windows\MSS000CF.log 1048576 bytes File C:\Users\MZawadzak\AppData\Local\Temp\acro_rd_dir\flaCF3.tmp 2215964 bytes ---- EOF - GMER 1.0.15 ----