GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-06 19:30:22
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 WDC_WD2500AAJS-22B4A0 rev.01.03A01
Running: 055k41f7.exe; Driver: C:\Users\komputer\AppData\Local\Temp\pxldqpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwSaveKey + 13D1  81E8E349 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  81EC7D52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  autochk.exe  001B11E0 4 Bytes  [4D, 9F, 9B, 28]
.text  autochk.exe  001B11E7 3 Bytes  [80, A6, 01]
.text  autochk.exe  001B1204 4 Bytes  [00, 00, 00, 00] {ADD [EAX], AL; ADD [EAX], AL}
.text  autochk.exe  001B120C 1 Byte  [00]
.text  autochk.exe  001B1210 1 Byte  [00]
.text  ...

---- User code sections - GMER 1.0.15 ----

.text  C:\Windows\System32\svchost.exe[584] user32.dll!GetCursorPos  76C6A4B3 5 Bytes  JMP 0033000A
.text  C:\Windows\System32\svchost.exe[584] user32.dll!DialogBoxIndirectParamAorW  76C93B40 5 Bytes  JMP 0034000A
.text  C:\Windows\System32\svchost.exe[584] ole32.dll!CoCreateInstance  755F9D0B 5 Bytes  JMP 0032000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73DB2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73D95600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73D956BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73DB24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73DA8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73DA4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73DA506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73DA5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73DA6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73DA826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73DA87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73DA901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73DAE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73DA4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device  \Driver\ACPI_HAL  \Device\00000046  halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume6  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume7  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume8  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library  c:\windows\system32\y (*** hidden *** ) @ C:\Windows\system32\svchost.exe [772]  0x45670000
Library  c:\windows\system32\y (*** hidden *** ) @ C:\Windows\Explorer.EXE [1228]  0x45670000

---- EOF - GMER 1.0.15 ----
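An added triage script for reports in this format (example code, not part of GMER or of the report above). It parses the four record kinds that matter for a rootkit read of the log (hidden libraries in the Processes section, user-mode inline JMP hooks, IAT entries, kernel .text patches) and ranks them: a module flagged "*** hidden ***" in more than one process is the strongest signal, an inline hook that jumps below the default image base is next, an import that resolves outside %SystemRoot% is next, and small in-kernel byte patches rank lowest because they need comparison against a known-clean host of the same build before they mean anything. The section names, the 0x00400000 image-base threshold, the C:\Windows\ prefix check and the sample input are assumptions of this example; the sample reuses lines from the report above plus one constructed IAT line (the SetWindowsHookExW entry) that is not in the report and exists only so the IAT rule has something to fire on.

```python
"""Triage a GMER 1.0.15 text report: pull out notable records and rank them."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Sample input: lines taken from the report above (abbreviated), plus ONE
# constructed IAT line (user32.dll!SetWindowsHookExW -> example.dll) that is
# NOT in the report; it is there only to exercise the IAT rule.
SAMPLE_REPORT = r"""
---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwSaveKey + 13D1  81E8E349 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  81EC7D52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  autochk.exe  001B11E0 4 Bytes  [4D, 9F, 9B, 28]

---- User code sections - GMER 1.0.15 ----

.text  C:\Windows\System32\svchost.exe[584] user32.dll!GetCursorPos  76C6A4B3 5 Bytes  JMP 0033000A
.text  C:\Windows\System32\svchost.exe[584] ole32.dll!CoCreateInstance  755F9D0B 5 Bytes  JMP 0032000A

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73DB2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1228] @ C:\Windows\Explorer.EXE [user32.dll!SetWindowsHookExW] [10001F30] C:\Users\komputer\AppData\Local\Temp\example.dll (example/Example Vendor)

---- Processes - GMER 1.0.15 ----

Library  c:\windows\system32\y (*** hidden *** ) @ C:\Windows\system32\svchost.exe [772]  0x45670000
Library  c:\windows\system32\y (*** hidden *** ) @ C:\Windows\Explorer.EXE [1228]  0x45670000

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER ")
KERNEL_PATCH_RE = re.compile(r"^\.text\s+(?P<symbol>.+?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+) Bytes?")
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<symbol>\S+!\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+\d+ Bytes?\s+JMP (?P<target>[0-9A-F]{8})")
IAT_RE = re.compile(
    r"^IAT\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+@\s+.+?\s+\[(?P<symbol>[^\]]+)\]\s+"
    r"\[(?P<addr>[0-9A-F]{8})\]\s+(?P<resolved>.+?)\s+\((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\)")
HIDDEN_LIB_RE = re.compile(
    r"^Library\s+(?P<path>.+?)\s+\(\*\*\* hidden \*\*\* \)\s+@\s+(?P<image>.+?)\s+"
    r"\[(?P<pid>\d+)\]\s+(?P<base>0x[0-9A-Fa-f]+)")

SEVERITY_RANK = {"HIGH": 0, "MEDIUM": 1, "LOW": 2}
# Heuristics assumed by this example, not GMER semantics: on 32-bit Windows a JMP
# below the default EXE image base lands in a private allocation, not a loaded
# module; an import resolving outside %SystemRoot% deserves a look.
DEFAULT_IMAGE_BASE = 0x00400000
SYSTEM_ROOT_PREFIX = "c:\\windows\\"


@dataclass
class Finding:
    severity: str
    kind: str
    pid: int        # 0 for kernel-level records
    subject: str
    detail: str


def triage(report: str) -> List[Finding]:
    """Walk the report section by section and turn notable records into ranked findings."""
    findings: List[Finding] = []
    section = ""
    for raw in report.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m["name"]
            continue
        if section == "Processes" and (m := HIDDEN_LIB_RE.match(line)):
            # A module unlinked from the process's loader lists: the strongest signal here.
            findings.append(Finding("HIGH", "hidden-library", int(m["pid"]), m["path"],
                                    f"hidden in {m['image']} at {m['base']}"))
        elif section == "User code sections" and (m := USER_HOOK_RE.match(line)):
            outside = int(m["target"], 16) < DEFAULT_IMAGE_BASE
            findings.append(Finding("MEDIUM" if outside else "LOW", "inline-hook", int(m["pid"]),
                                    m["symbol"], f"{m['image']}: JMP {m['target']}"
                                    + (" (below any image base)" if outside else "")))
        elif section == "User IAT/EAT" and (m := IAT_RE.match(line)):
            # Imports still resolving into %SystemRoot% are normal; only redirects elsewhere count.
            if not m["resolved"].lower().startswith(SYSTEM_ROOT_PREFIX):
                findings.append(Finding("MEDIUM", "iat-redirect", int(m["pid"]), m["symbol"],
                                        f"resolves to {m['resolved']} ({m['vendor']})"))
        elif section == "Kernel code sections" and (m := KERNEL_PATCH_RE.match(line)):
            # Small kernel byte differences need comparison against a known-clean host of
            # the same build before they are read as a rootkit; rank them low on their own.
            findings.append(Finding("LOW", "kernel-patch", 0, m["symbol"],
                                    f"{m['n']} byte(s) changed at {m['addr']}"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.pid, f.subject))
    return findings


def injected_modules(findings: List[Finding]) -> Dict[str, List[int]]:
    """Map each hidden module path to the sorted PIDs it appears in (cross-process injection)."""
    out: Dict[str, List[int]] = {}
    for f in findings:
        if f.kind == "hidden-library":
            out.setdefault(f.subject, []).append(f.pid)
    return {path: sorted(pids) for path, pids in out.items()}


def summary(findings: List[Finding]) -> Dict[str, int]:
    """Count findings per severity, always reporting all three levels."""
    counts = {sev: 0 for sev in SEVERITY_RANK}
    for f in findings:
        counts[f.severity] += 1
    return counts


if __name__ == "__main__":
    results = triage(SAMPLE_REPORT)
    for f in results:
        print(f"{f.severity:6} {f.kind:15} pid={f.pid:<5} {f.subject}  {f.detail}")
    print(summary(results), injected_modules(results))
```

Run it on a saved GMER .log instead of the embedded sample by passing the file's text to triage(). The ranking is a starting order for manual review, not a verdict: inline hooks into low addresses are also produced by legitimate hooking software, so the hidden-library findings, and especially the same hidden path appearing in several processes, are what justify treating a host as compromised.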