GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-18 07:41:51
Windows 6.1.7601 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0
Running: w88qkqw9.exe; Driver: C:\Users\Pietia\AppData\Local\Temp\axldapod.sys


---- System - GMER 1.0.15 ----

SSDT            911D051E    ZwCreateSection
SSDT            911D0523    ZwSetContextThread
SSDT            911D04BF    ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 140D    8328CA49 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2      832C64D2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11F7         832CD62C 4 Bytes  [1E, 05, 1D, 91]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1597         832CD9CC 4 Bytes  [23, 05, 1D, 91]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 166F         832CDAA4 4 Bytes  [BF, 04, 1D, 91]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] kernel32.dll!CreateThread           770CDCC2 5 Bytes  JMP 6A1575E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!EnableWindow             75918D02 5 Bytes  JMP 6A199EBC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!CallNextHookEx           7591ABE1 5 Bytes  JMP 6A1B7FDF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!UnhookWindowsHookEx      7591ADF9 5 Bytes  JMP 6A1DED00 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!DefWindowProcA           7591BB1C 7 Bytes  JMP 6A15980D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!CreateWindowExA          7591BF40 5 Bytes  JMP 6A163643 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!SetWindowsHookExW        7591E30C 5 Bytes  JMP 6A1925B4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!CreateWindowExW          7591EC7C 5 Bytes  JMP 6A1C03CF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!DefWindowProcW           7592507D 7 Bytes  JMP 6A1B8042 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!DialogBoxParamW          75933B9B 5 Bytes  JMP 6A0F1893 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!DialogBoxIndirectParamW  75943B7F 5 Bytes  JMP 6A2E902E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!DialogBoxParamA          7595CF42 5 Bytes  JMP 6A2E8FC9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!DialogBoxIndirectParamA  7595D274 5 Bytes  JMP 6A2E9093 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!MessageBoxIndirectA      7596E869 5 Bytes  JMP 6A2E8F50 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!MessageBoxIndirectW      7596E963 5 Bytes  JMP 6A2E8ED7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!MessageBoxExA            7596E9C9 5 Bytes  JMP 6A2E8E73 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!MessageBoxExW            7596E9ED 5 Bytes  JMP 6A2E8E0F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] ole32.dll!OleLoadFromStream         77166143 5 Bytes  JMP 6A2E97FC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!EnableWindow             75918D02 5 Bytes  JMP 6A199EBC C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!DialogBoxParamW          75933B9B 5 Bytes  JMP 6A0F1893 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!DialogBoxIndirectParamW  75943B7F 5 Bytes  JMP 6A2E902E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!DialogBoxParamA          7595CF42 5 Bytes  JMP 6A2E8FC9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!DialogBoxIndirectParamA  7595D274 5 Bytes  JMP 6A2E9093 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!MessageBoxIndirectA      7596E869 5 Bytes  JMP 6A2E8F50 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!MessageBoxIndirectW      7596E963 5 Bytes  JMP 6A2E8ED7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!MessageBoxExA            7596E9C9 5 Bytes  JMP 6A2E8E73 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!MessageBoxExW            7596E9ED 5 Bytes  JMP 6A2E8E0F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0      Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1      Wdf01000.sys (Kernel Mode Driver Framework Runtime/Microsoft Corporation)
Device          \Driver\ACPI_HAL \Device\00000048            halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1       fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1       rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2       fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2       rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3       fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3       rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                     fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002556c27df3
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002556c27df3@ec9b5b0f7cd4   0x4A 0x6F 0x14 0xD7 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002556c27df3@78ca04090f21   0xAF 0x80 0x0B 0x01 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002556c27df3@a87b3925a281   0xD6 0x70 0x96 0x9F ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0          0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0          0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12       0x1E 0x49 0xBF 0xF6 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002556c27df3 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002556c27df3@ec9b5b0f7cd4        0x4A 0x6F 0x14 0xD7 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002556c27df3@78ca04090f21        0xAF 0x80 0x0B 0x01 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002556c27df3@a87b3925a281        0xD6 0x70 0x96 0x9F ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0               0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0               0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12            0x1E 0x49 0xBF 0xF6 ...

---- EOF - GMER 1.0.15 ----
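The log above is raw GMER output. As an added example, not part of the log and not GMER's own code, the Python below parses the three entry types that carry hook information (SSDT lines, kernel .text patches, user-mode inline hooks) and makes explicit one relationship the data itself supports: the three 4-byte patches GMER reports inside ntkrnlpa.exe!KeRemoveQueueEx decode, little-endian, to exactly the three handler addresses listed under SSDT (0x911D051E, 0x911D0523, 0x911D04BF), so they are the same three hooked service-table slots reported twice. It also groups the user-mode detours by the module each JMP lands in. The sample lines are copied from the log; the single unresolved-target line is constructed to exercise the case where GMER prints no module for the JMP target, and its process name, PID and addresses are invented.

```python
"""Parse GMER 1.0.15 log entries and cross-check SSDT hooks against kernel .text patches."""
import re
from dataclasses import dataclass

# Constructed sample: a subset of the entries from the scan log above, copied verbatim.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT            911D051E    ZwCreateSection
SSDT            911D0523    ZwSetContextThread
SSDT            911D04BF    ZwTerminateProcess
---- Kernel code sections - GMER 1.0.15 ----
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  832C64D2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11F7  832CD62C 4 Bytes  [1E, 05, 1D, 91]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1597  832CD9CC 4 Bytes  [23, 05, 1D, 91]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 166F  832CDAA4 4 Bytes  [BF, 04, 1D, 91]
---- User code sections - GMER 1.0.15 ----
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] kernel32.dll!CreateThread  770CDCC2 5 Bytes  JMP 6A1575E3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2436] USER32.dll!DefWindowProcA  7591BB1C 7 Bytes  JMP 6A15980D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3892] USER32.dll!MessageBoxExW  7596E9ED 5 Bytes  JMP 6A2E8E0F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
"""
# Constructed line, NOT from the log: a hook whose JMP target GMER could not map to a module,
# so the module and description columns are absent. Process, PID and addresses are invented.
UNRESOLVED_LINE = r".text  C:\Windows\explorer.exe[1234] kernel32.dll!CreateProcessW  770CAAAA 5 Bytes  JMP 00A10000"


@dataclass(frozen=True)
class SsdtHook:
    address: int  # handler address currently in the SSDT slot
    service: str


@dataclass(frozen=True)
class KernelPatch:
    module: str
    symbol: str
    offset: int
    address: int
    length: int  # byte count GMER reports
    data: bytes  # bytes GMER printed; long runs are elided with "..."


@dataclass(frozen=True)
class UserHook:
    process: str
    pid: int
    module: str
    function: str
    address: int
    length: int
    target: int
    target_module: str  # "" when GMER printed no module for the JMP target
    description: str


HEX8 = r"([0-9A-Fa-f]{8})"
SSDT_RE = re.compile(r"^SSDT\s+" + HEX8 + r"\s+(\S+)")
KERNEL_RE = re.compile(r"^\.text\s+([^\s!]+)!(\S+)\s+\+\s+([0-9A-Fa-f]+)\s+" + HEX8
                       + r"\s+(\d+)\s+Bytes?\s+\[([^\]]*)\]")
USER_RE = re.compile(r"^\.text\s+(.+?)\[(\d+)\]\s+([^\s!]+)!(\S+)\s+" + HEX8 + r"\s+(\d+)\s+Bytes?"
                     r"\s+JMP\s+" + HEX8 + r"(?:\s+(.+?))?(?:\s+\((.*)\))?\s*$")


def _bytes(raw: str) -> bytes:
    """Body of '[1E, 05, 1D, 91]' -> b'\\x1e\\x05\\x1d\\x91'; GMER's '...' elision marker is skipped."""
    return bytes(int(t, 16) for t in (x.strip() for x in raw.split(",")) if t and t != "...")


def parse_gmer(text: str) -> dict[str, list]:
    """Sort the recognised entry types into lists; headers, blanks and unknown lines are skipped."""
    out: dict[str, list] = {"ssdt": [], "kernel": [], "user": []}
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            out["ssdt"].append(SsdtHook(int(m[1], 16), m[2]))
        elif m := KERNEL_RE.match(line):
            out["kernel"].append(KernelPatch(m[1], m[2], int(m[3], 16), int(m[4], 16),
                                             int(m[5]), _bytes(m[6])))
        elif m := USER_RE.match(line):
            out["user"].append(UserHook(m[1], int(m[2]), m[3], m[4], int(m[5], 16), int(m[6]),
                                        int(m[7], 16), m[8] or "", m[9] or ""))
    return out


def match_ssdt_patches(ssdt: list[SsdtHook], patches: list[KernelPatch]) -> dict[str, KernelPatch]:
    """Decode each 4-byte kernel patch as a little-endian pointer and pair it with the SSDT
    entry holding that address: the same hooked slot seen as table entry and as .text patch."""
    by_addr = {h.address: h.service for h in ssdt}
    paired: dict[str, KernelPatch] = {}
    for p in patches:
        if p.length == 4 and len(p.data) == 4:
            ptr = int.from_bytes(p.data, "little")
            if ptr in by_addr:
                paired[by_addr[ptr]] = p
    return paired


def hooks_by_target_module(hooks: list[UserHook]) -> dict[str, list[str]]:
    """Group inline hooks by the module the JMP lands in; detours GMER could not attribute to
    any module are collected under "(unresolved)" so they stand out during triage."""
    grouped: dict[str, list[str]] = {}
    for h in hooks:
        key = h.target_module.rsplit("\\", 1)[-1] or "(unresolved)"
        proc = h.process.rsplit("\\", 1)[-1]
        grouped.setdefault(key, []).append(f"{proc}[{h.pid}] {h.module}!{h.function}")
    return grouped
```

Run as `parse_gmer(SAMPLE_LOG + UNRESOLVED_LINE + "\n")` and feed the result to the two helpers. The pairing only shows that the SSDT lines and the KeRemoveQueueEx patches describe the same three slots; whether the code at 0x911D04BF..0x911D0523 belongs to security software or to something else cannot be decided from a GMER log alone and needs the owning driver to be identified on the host.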