GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-13 16:08:43
Windows 5.1.2600 Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-14 WDC_WD4000AAJS-00YFA0 rev.12.01C02 372,61GB
Running: 7lvxxj5q.exe; Driver: D:\Documents and Settings\Tomek\Temp\kflirpow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB71233C0, 0x84E4FA, 0xE8000020]
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB4D2AA00]

---- User code sections - GMER 2.1 ----

.text D:\Program Files\Internet Explorer\iexplore.exe[556] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[556] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADC14 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[556] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A799F C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[556] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A78D1 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[556] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A793C C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[556] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A77A2 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[556] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A7804 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[556] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A7A02 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[556] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A7866 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9B89 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D1C5 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADC14 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 406146A6 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A799F C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A78D1 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A793C C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A77A2 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A7804 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A7A02 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A7866 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] ole32.dll!CoCreateInstance 774EF1BC 5 Bytes JMP 406ADC70 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] ole32.dll!OleLoadFromStream 7751983B 5 Bytes JMP 407A7D07 C:\WINDOWS\system32\IEFRAME.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Tcp ABTDI.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 13698
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpNameServer 192.168.1.1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@NTEContextList 0x00000002?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@DhcpServer 192.168.1.1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@Lease 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@LeaseObtainedTime 1371128389
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@T1 1371131989
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@T2 1371134689
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@LeaseTerminatesTime 1371135589
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@DhcpIPAddress 192.168.1.104
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@DhcpSubnetMask 255.255.255.0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@DhcpRetryTime 3597
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@DhcpRetryStatus 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@DhcpNameServer 192.168.1.1
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@DhcpDefaultGateway 192.168.1.1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}@DhcpSubnetMaskOpt 255.255.255.0?
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}\Parameters\Tcpip@DhcpIPAddress 192.168.1.104
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}\Parameters\Tcpip@DhcpSubnetMask 255.255.255.0
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}\Parameters\Tcpip@DhcpServer 192.168.1.1
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}\Parameters\Tcpip@Lease 7200
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}\Parameters\Tcpip@LeaseObtainedTime 1371128389
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}\Parameters\Tcpip@T1 1371131989
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}\Parameters\Tcpip@T2 1371134689
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}\Parameters\Tcpip@LeaseTerminatesTime 1371135589
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}\Parameters\Tcpip@DhcpDefaultGateway 192.168.1.1?
Reg HKLM\SYSTEM\CurrentControlSet\Services\{DEBCCF98-C8DF-4F88-8988-05DEC1335DBE}\Parameters\Tcpip@DhcpSubnetMaskOpt 255.255.255.0?

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----
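A log like the one above is read by separating the expected entries (the long run of USER32/ole32 entry points patched inside iexplore.exe, all jumping into IE's own IEFRAME.dll) from the items that need a manual check: a hook whose target module is not one the process is expected to patch from, the kernel-section findings, the drivers attached to the TCP and volume device stacks, and the "unknown MBR code" result. The script below is an added example of that triage and is not part of GMER or of the original post. It assumes an analyst-chosen allowlist (IEFRAME.dll is treated as an expected hook source inside iexplore.exe; that is a policy choice, not a GMER rule), parses only the "N Bytes JMP/CALL" hook form seen in this log, and runs on a constructed input made of lines copied from the scan plus one hook into a hypothetical example_unknown.dll, added only to exercise the flagging path.

```python
"""Triage helper for a GMER 2.1 text log (added example; not GMER code)."""
import json
import re
from collections import defaultdict

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# "N Bytes JMP/CALL" hook form only; other GMER hook notations go to 'unparsed'.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+?)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<nbytes>\d+)\s+Bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<target_mod>.+?)\s*$"
)
DEVICE_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\S+)\s+(?P<device>\S+)\s+(?P<attached>\S+)$")
DISK_RE = re.compile(r"^Disk\s+(?P<device>\S+)\s+(?P<status>.+)$")
PARSERS = {"User code sections": ("hooks", HOOK_RE),
           "Devices": ("devices", DEVICE_RE),
           "Disk sectors": ("disk", DISK_RE)}

# Analyst policy, not a GMER rule (assumption for this example): inside iexplore.exe,
# entry points patched to jump into IE's own IEFRAME.dll are expected; anything else is flagged.
EXPECTED_HOOK_SOURCES = {"iexplore.exe": {"ieframe.dll"}}

# Constructed input: lines copied from the scan above plus one hook into a hypothetical
# example_unknown.dll (not in the real scan) so the flagging path is exercised.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 2.1 ----
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB71233C0, 0x84E4FA, 0xE8000020]
init C:\WINDOWS\system32\drivers\Senfilt.sys entry point in "init" section [0xB4D2AA00]
---- User code sections - GMER 2.1 ----
.text D:\Program Files\Internet Explorer\iexplore.exe[556] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9B89 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] ole32.dll!CoCreateInstance 774EF1BC 5 Bytes JMP 406ADC70 C:\WINDOWS\system32\IEFRAME.dll
.text D:\Program Files\Internet Explorer\iexplore.exe[880] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 10001F20 C:\WINDOWS\system32\example_unknown.dll
---- Devices - GMER 2.1 ----
AttachedDevice \Driver\Tcpip \Device\Tcp ABTDI.sys
AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpNameServer 192.168.1.1
---- Disk sectors - GMER 2.1 ----
Disk \Device\Harddisk0\DR0 unknown MBR code
---- EOF - GMER 2.1 ----
"""


def _basename(win_path):
    """Last component of a Windows path, lower-cased, independent of the host OS."""
    return win_path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def parse_gmer(text):
    """Split a GMER log into per-section records; lines the regexes do not cover go to 'unparsed'."""
    report = {"hooks": [], "kernel": [], "devices": [], "disk": [], "registry": 0, "unparsed": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        header = SECTION_RE.match(line)
        if header:
            section = header.group("name")
        elif section == "Kernel code sections":
            report["kernel"].append(line)          # kept verbatim; every kernel line is a finding
        elif section == "Registry":
            report["registry"] += 1                # DHCP lease noise: counted, not analysed
        elif section in PARSERS:
            key, regex = PARSERS[section]
            m = regex.match(line)
            (report[key].append(m.groupdict()) if m else report["unparsed"].append(line))
        elif section != "EOF":
            report["unparsed"].append(line)
    return report


def triage(report, expected=EXPECTED_HOOK_SOURCES):
    """Group hooks per process and flag those whose target module is not expected for it."""
    per_process = defaultdict(lambda: {"image": "", "hooks": 0, "targets": set()})
    unexpected = []
    for h in report["hooks"]:
        proc, target = _basename(h["image"]), _basename(h["target_mod"])
        entry = per_process[h["pid"]]
        entry["image"], entry["hooks"] = proc, entry["hooks"] + 1
        entry["targets"].add(target)
        if target not in expected.get(proc, set()):
            unexpected.append("%s[%s] %s!%s -> %s" % (proc, h["pid"], h["module"], h["func"], target))
    return {
        "per_process": {pid: {"image": e["image"], "hooks": e["hooks"], "targets": sorted(e["targets"])}
                        for pid, e in per_process.items()},
        "unexpected_hooks": unexpected,
        "kernel_findings": [l for l in report["kernel"] if "writeable" in l or "entry point" in l],
        "attached_devices": [d["attached"] for d in report["devices"]],
        "unknown_mbr": any("unknown MBR" in d["status"] for d in report["disk"]),
    }


if __name__ == "__main__":
    print(json.dumps(triage(parse_gmer(SAMPLE_LOG)), indent=2))
```

The output is a worklist, not a verdict: the flagged hook, the two kernel-section lines, the two drivers sitting on the TCP and volume stacks and the MBR result are the items to verify by hand (identify the owning product of each driver file, compare hashes against the vendor's copy, and dump the MBR to see what the "unknown" code is) before deciding whether the scan shows anything beyond expected third-party software.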