GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2011-01-03 14:31:07
Windows 6.1.7600 Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T0L0-2 WDC_WD2500JS-60NCB1 rev.10.02E02
Running: 31nwe1le.exe; Driver: C:\Users\Przemo\AppData\Local\Temp\axldapow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwSaveKeyEx + 13AD  82C85599 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  82CA9F52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl  section is writeable [0x9A956000, 0x2892, 0xE8000020]
.vmp2  C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl  entry point in ".vmp2" section [0x9A979050]

---- User code sections - GMER 1.0.15 ----

.text  C:\Windows\Explorer.EXE[1708] SHELL32.dll!SHFileOperationW  75D79718 5 Bytes  JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text  C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1848] kernel32.dll!SetUnhandledExceptionFilter  759D3162 4 Bytes  [C2, 04, 00, 00]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4584] ntdll.dll!LdrLoadDll  76FEF625 5 Bytes  JMP 010C13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [73D92494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [73D75624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [73D756E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [73D9250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [73D88573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [73D84D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [73D850CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [73D851A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [73D866D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [73D882CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [73D88819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [73D8907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [73D8E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [73D84C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device  \Driver\ACPI_HAL \Device\00000055  halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)

AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume6  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume7  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume8  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume9  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume10  fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind  \Device\{F13326CE-EA28-44D8-BF8E-FBDDCBFB8A9C}?\Device\{FFDD9870-E6F8-4DE7-8451-EDD5D7009073}?\Device\{33B43394-59FE-4EFD-8BFF-A891CD4FAD6E}?\Device\{049E0F8F-4A99-4598-9024-929525FFD7D1}?\Device\{15B8C16A-9AA7-49D5-8733-3F56407FD8D9}?\Device\{04F02997-F18F-4784-A0B4-B0714F953714}?\Device\{D77A50C3-EF78-4B97-AA9D-9CB643437E3C}?\Device\{8D07E814-B663-4186-A9F4-4C136141C48A}?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route  "{F13326CE-EA28-44D8-BF8E-FBDDCBFB8A9C}"?"{FFDD9870-E6F8-4DE7-8451-EDD5D7009073}"?"{33B43394-59FE-4EFD-8BFF-A891CD4FAD6E}"?"{049E0F8F-4A99-4598-9024-929525FFD7D1}"?"{15B8C16A-9AA7-49D5-8733-3F56407FD8D9}"?"{04F02997-F18F-4784-A0B4-B0714F953714}"?"{D77A50C3-EF78-4B97-AA9D-9CB643437E3C}"?"{8D07E814-B663-4186-A9F4-4C136141C48A}"?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export  \Device\TCPIP6TUNNEL_{F13326CE-EA28-44D8-BF8E-FBDDCBFB8A9C}?\Device\TCPIP6TUNNEL_{FFDD9870-E6F8-4DE7-8451-EDD5D7009073}?\Device\TCPIP6TUNNEL_{33B43394-59FE-4EFD-8BFF-A891CD4FAD6E}?\Device\TCPIP6TUNNEL_{049E0F8F-4A99-4598-9024-929525FFD7D1}?\Device\TCPIP6TUNNEL_{15B8C16A-9AA7-49D5-8733-3F56407FD8D9}?\Device\TCPIP6TUNNEL_{04F02997-F18F-4784-A0B4-B0714F953714}?\Device\TCPIP6TUNNEL_{D77A50C3-EF78-4B97-AA9D-9CB643437E3C}?\Device\TCPIP6TUNNEL_{8D07E814-B663-4186-A9F4-4C136141C48A}?
Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch  1521
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xD5 0xF8 0x4B 0xE8 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0xD5 0xF8 0x4B 0xE8 ...

---- EOF - GMER 1.0.15 ----
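As an added example (not part of the GMER log above and not GMER's own code), the script below parses the section layout a GMER 1.0.15 log uses and sorts the records into the buckets an analyst triages first: kernel-mode byte patches, user-mode inline hooks split into self-hooks and hooks into a third-party DLL, IAT entries grouped by the module they resolve into, and the sptd Cfg keys. The regular expressions, the bucket names and the SAMPLE_LOG (a subset of the records above, re-flowed one per line) are assumptions of this example; a different GMER build may lay records out differently.

```python
"""Triage a GMER 1.0.15 rootkit-scan log. Added example for this page, not GMER's code.
Assumes the layout seen above ('---- <Section> - GMER 1.0.15 ----' headers, one record per
line, first token = record type). SAMPLE_LOG re-flows a subset of the log above, one record
per line; it is constructed test input, not a new scan."""
import ntpath
import re
from collections import Counter, namedtuple

SAMPLE_LOG = r"""---- Kernel code sections - GMER 1.0.15 ----
.text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C85599 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CA9F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl section is writeable [0x9A956000, 0x2892, 0xE8000020]
.vmp2 C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl entry point in ".vmp2" section [0x9A979050]
---- User code sections - GMER 1.0.15 ----
.text C:\Windows\Explorer.EXE[1708] SHELL32.dll!SHFileOperationW 75D79718 5 Bytes JMP 10001102 C:\Program Files\Unlocker\UnlockerHook.dll
.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1848] kernel32.dll!SetUnhandledExceptionFilter 759D3162 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Mozilla Firefox\firefox.exe[4584] ntdll.dll!LdrLoadDll 76FEF625 5 Bytes JMP 010C13F0 C:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation)
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73D92494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT C:\Windows\Explorer.EXE[1708] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73D9250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
---- Registry - GMER 1.0.15 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 1521
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xD5 0xF8 0x4B 0xE8 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
KERNEL_PATCH_RE = re.compile(r"^\.\w+\s+(?P<symbol>\S+!\S+ \+ [0-9A-F]+)\s+(?P<addr>[0-9A-F]{8})\s+(?P<nbytes>\d+) Bytes?\s+(?P<detail>.+)$")
USER_HOOK_RE = re.compile(r"^\.\w+\s+(?P<process>.+?\[\d+\])\s+(?P<symbol>\S+!\S+)\s+[0-9A-F]{8}\s+\d+ Bytes?\s+(?P<detail>.+)$")
IAT_RE = re.compile(r"^IAT\s+(?P<process>.+?\[\d+\]) @ \S+ \[[^\]]+\] \[[0-9A-F]{8}\] (?P<target>.+)$")
REG_RE = re.compile(r"^Reg\s+(?P<key>\S+?)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$")
Finding = namedtuple("Finding", "kind where detail")  # kind = triage bucket (names are this example's)

def split_sections(text):
    """Map each '---- Section ----' header to the non-empty record lines under it."""
    sections, current = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line.rstrip())
        if m:
            current = m["name"]
            sections[current] = []
        elif line.strip() and current is not None:
            sections[current].append(line.rstrip())
    return sections

def strip_description(path):
    """Drop GMER's trailing ' (Description/Company)' without damaging 'Program Files (x86)' paths."""
    return path.rsplit(" (", 1)[0] if path.endswith(")") else path

def triage(text):
    sec, out = split_sections(text), []
    for line in sec.get("Kernel code sections", []):
        m = KERNEL_PATCH_RE.match(line)
        if m:  # bytes of a kernel export differ from what GMER expects at that address
            out.append(Finding("kernel-patch", m["symbol"], f"{m['nbytes']} byte(s) at {m['addr']}: {m['detail']}"))
        else:  # writeable-section / entry-point notes about a driver image
            out.append(Finding("kernel-section-note", line.split(" ", 1)[1], ""))
    for line in sec.get("User code sections", []):
        m = USER_HOOK_RE.match(line)
        if not m:
            continue
        where = f"{m['process']} {m['symbol']}"
        if m["detail"].startswith("JMP "):
            _, addr, target = m["detail"].split(" ", 2)
            target = strip_description(target)
            # JMP into the hooked process's own image directory = self-hook (e.g. a browser's
            # DLL blocklist); JMP into another product's DLL = foreign hook, check that product.
            proc_dir = ntpath.dirname(m["process"].rsplit("[", 1)[0]).lower()
            kind = "inline-jmp-self" if ntpath.dirname(target).lower() == proc_dir else "inline-jmp-foreign"
            out.append(Finding(kind, where, f"JMP {addr} -> {target}"))
        else:  # in-place byte patch with no control transfer, e.g. [C2, 04, 00, 00] is RET 4
            out.append(Finding("inline-patch", where, m["detail"]))
    iat = Counter()
    for line in sec.get("User IAT/EAT", []):
        m = IAT_RE.match(line)
        if m:
            iat[(m["process"], strip_description(m["target"]))] += 1
    for (proc, target), n in iat.items():
        # Imports resolving outside C:\Windows are the ones worth a second look.
        kind = "iat-windows-module" if target.lower().startswith("c:\\windows\\") else "iat-foreign-module"
        out.append(Finding(kind, proc, f"{n} import(s) resolve into {target}"))
    for line in sec.get("Registry", []):
        m = REG_RE.match(line)
        # sptd is the SCSI Pass Through Direct driver that ships with disc-emulation tools;
        # GMER routinely lists its Cfg key, so bucket it rather than treat it as a hit.
        if m and "\\services\\sptd\\Cfg\\" in m["key"]:
            state = "inactive ControlSet" if "(not active ControlSet)" in (m["data"] or "") else "active ControlSet"
            out.append(Finding("sptd-cfg", m["key"] + (f"@{m['value']}" if m["value"] else ""), state))
    return out

def summary(text):
    return Counter(f.kind for f in triage(text))
```

Run `triage(open("gmer.log").read())` on a saved log, or `summary(SAMPLE_LOG)` for a count per bucket. The script sorts, it does not adjudicate: on this log it separates Unlocker's DLL hooking SHFileOperationW in Explorer (foreign JMP) from firefox.exe hooking LdrLoadDll inside its own image (self JMP), records ekrn.exe's four-byte RET 4 patch of SetUnhandledExceptionFilter as an in-place patch, collapses the fourteen gdiplus.dll imports into one entry that resolves into the WinSxS copy of gdiplus.dll, and files the sptd Cfg keys under their own bucket. Whether any of those belongs on the machine is a question for the installed-software inventory, which is exactly what the buckets are meant to be checked against.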