GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-11-19 19:11:25
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\0000006a WDC_WD1600JS-55MHB1 rev.10.02E01
Running: wwilphdj[1].exe; Driver: C:\DOCUME~1\EWAIJA~1\USTAWI~1\Temp\uxtdypoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB6890380, 0x3DF295, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\Documents and Settings\All Users\Dane aplikacji\Mobile Partner\OnlineUpdate\ouc.exe[220] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\Documents and Settings\All Users\Dane aplikacji\Mobile Partner\OnlineUpdate\ouc.exe[220] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\WINDOWS\system32\svchost.exe[404] ADVAPI32.dll!RegisterServiceCtrlHandlerW  77DE3E77 1 Byte  [FA]
.text  C:\WINDOWS\system32\nvsvc32.exe[1260] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\WINDOWS\system32\nvsvc32.exe[1260] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\WINDOWS\system32\svchost.exe[1308] ADVAPI32.dll!RegisterServiceCtrlHandlerW  77DE3E77 1 Byte  [FA]
.text  C:\WINDOWS\system32\svchost.exe[1372] ADVAPI32.dll!RegisterServiceCtrlHandlerW  77DE3E77 1 Byte  [FA]
.text  C:\WINDOWS\System32\svchost.exe[1412] ADVAPI32.dll!RegisterServiceCtrlHandlerW  77DE3E77 1 Byte  [FA]
.text  C:\WINDOWS\Explorer.EXE[1436] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\WINDOWS\system32\wscntfy.exe[1460] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\WINDOWS\system32\wscntfy.exe[1460] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\WINDOWS\system32\svchost.exe[1464] ADVAPI32.dll!RegisterServiceCtrlHandlerW  77DE3E77 1 Byte  [FA]
.text  C:\WINDOWS\system32\svchost.exe[1504] ADVAPI32.dll!RegisterServiceCtrlHandlerW  77DE3E77 1 Byte  [FA]
.text  C:\WINDOWS\system32\svchost.exe[1936] ADVAPI32.dll!RegisterServiceCtrlHandlerW  77DE3E77 1 Byte  [FA]
.text  C:\Documents and Settings\All Users\Dane aplikacji\DatacardService\HWDeviceService.exe[2000] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\Documents and Settings\All Users\Dane aplikacji\DatacardService\HWDeviceService.exe[2000] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\Program Files\Java\jre7\bin\jqs.exe[2012] user32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\Program Files\Java\jre7\bin\jqs.exe[2012] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2040] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[2040] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\WINDOWS\System32\alg.exe[2148] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\WINDOWS\System32\alg.exe[2148] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\Program Files\Mobile Partner\Mobile Partner.exe[2216] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\Program Files\Mobile Partner\Mobile Partner.exe[2216] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[2328] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[2328] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\WINDOWS\RTHDCPL.EXE[2352] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\WINDOWS\RTHDCPL.EXE[2352] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\WINDOWS\system32\ctfmon.exe[2376] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\WINDOWS\system32\ctfmon.exe[2376] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] ntdll.dll!NtResumeThread  7C90DB3E 1 Byte  [FA]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 405D5505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!SetWindowsHookExW  7E37820F 5 Bytes  JMP 406A9AB5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!CallNextHookEx  7E37B3C6 5 Bytes  JMP 4069D12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!CreateWindowExW  7E37D0A3 5 Bytes  JMP 406ADB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!UnhookWindowsHookEx  7E37D5F3 5 Bytes  JMP 4061466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!DialogBoxIndirectParamW  7E382072 5 Bytes  JMP 407A725F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!MessageBoxIndirectA  7E38A082 5 Bytes  JMP 407A7191 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!DialogBoxParamA  7E38B144 5 Bytes  JMP 407A71FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!MessageBoxExW  7E3A0838 5 Bytes  JMP 407A7062 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!MessageBoxExA  7E3A085C 5 Bytes  JMP 407A70C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!DialogBoxIndirectParamA  7E3A6D7D 5 Bytes  JMP 407A72C2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] USER32.dll!MessageBoxIndirectW  7E3B64D5 5 Bytes  JMP 407A7126 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] ole32.dll!CoCreateInstance  774EF1BC 5 Bytes  JMP 406ADB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] ole32.dll!OleLoadFromStream  7751983B 5 Bytes  JMP 407A75C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] WININET.dll!HttpSendRequestW  3FD0FACE 1 Byte  [FA]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] WININET.dll!HttpSendRequestA  3FD1EEA1 1 Byte  [FA]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] WININET.dll!InternetWriteFile  3FD66116 1 Byte  [FA]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] ntdll.dll!NtResumeThread  7C90DB3E 1 Byte  [FA]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 405D5505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!CreateWindowExW  7E37D0A3 5 Bytes  JMP 406ADB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!DialogBoxIndirectParamW  7E382072 5 Bytes  JMP 407A725F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!MessageBoxIndirectA  7E38A082 5 Bytes  JMP 407A7191 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!DialogBoxParamA  7E38B144 5 Bytes  JMP 407A71FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!MessageBoxExW  7E3A0838 5 Bytes  JMP 407A7062 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!MessageBoxExA  7E3A085C 5 Bytes  JMP 407A70C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!DialogBoxIndirectParamA  7E3A6D7D 5 Bytes  JMP 407A72C2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] USER32.dll!MessageBoxIndirectW  7E3B64D5 5 Bytes  JMP 407A7126 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] WININET.dll!HttpSendRequestW  3FD0FACE 1 Byte  [FA]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] WININET.dll!HttpSendRequestA  3FD1EEA1 1 Byte  [FA]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] WININET.dll!InternetWriteFile  3FD66116 1 Byte  [FA]
.text  C:\Program Files\Internet Explorer\IEXPLORE.EXE[3092] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\Documents and Settings\Ewa i Jan\Ustawienia lokalne\Temporary Internet Files\Content.IE5\XTOGLLSA\wwilphdj[1].exe[3412] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\Documents and Settings\Ewa i Jan\Ustawienia lokalne\Temporary Internet Files\Content.IE5\XTOGLLSA\wwilphdj[1].exe[3412] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  C:\Program Files\TC PowerPack\totalcmd.exe[3480] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  C:\Program Files\TC PowerPack\totalcmd.exe[3480] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]
.text  E:\Instalki\OTL.exe[3712] USER32.dll!TranslateMessage  7E368BF6 1 Byte  [FA]
.text  E:\Instalki\OTL.exe[3712] CRYPT32.dll!PFXImportCertStore  77AE012F 1 Byte  [FA]

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Program Files\Internet Explorer\IEXPLORE.EXE[2664] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW]  [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore@Count  11883
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{18DF081C-E8AD-4283-A596-FA578C2EBDC3}\iexplore@Blocked  489
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore@Count  2014
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}\iexplore@LoadTime  8
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\iexplore@Count  3734
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{AE805869-2E5C-4ED4-8F7B-F1F7851A4497}\iexplore@Blocked  488
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@Count  12700
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DBC80044-A445-435B-BC74-9C25C1C588A9}\iexplore@LoadTime  66
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D}\iexplore@Count  12711
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F5CC7F02-6F4E-4462-B5B1-394A57FD3E0D}\iexplore@Blocked  490

---- EOF - GMER 1.0.15 ----