GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-26 13:56:10
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST250DM000-1BC141 rev.JC4B 232,89GB
Running: rq2ggelx.exe; Driver: C:\Users\user\AppData\Local\Temp\fwlyapob.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8B8FE7F0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8B8FE8B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8B8FE870]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8B8FE830]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82E90A15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ECA212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1203 82ED1598 4 Bytes [F0, E7, 8F, 8B]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1313 82ED16A8 4 Bytes CALL D7CDA23C
.text ntkrnlpa.exe!KeRemoveQueueEx + 161F 82ED19B4 4 Bytes CALL E137A548
.text ntkrnlpa.exe!KeRemoveQueueEx + 1667 82ED19FC 4 Bytes CALL E7A8A590

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET Smart Security\ekrn.exe[1560] kernel32.dll!SetUnhandledExceptionFilter 7702F5AB 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[2836] USER32.dll!RegisterMessagePumpHook + 2F1 769F8B9E 7 Bytes JMP 003BBF70 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[2836] USER32.dll!PostMessageW + 43A 76A048B5 7 Bytes JMP 003BBE30 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[2836] USER32.dll!SetDlgItemTextA + 25 76A1709F 7 Bytes JMP 003BBF50 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[2836] USER32.dll!MessageBoxIndirectA + F5 76A4E95E 7 Bytes JMP 003BBFC0 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[2836] USER32.dll!MessageBoxIndirectW + 61 76A4E9C4 7 Bytes JMP 003BC090 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll
.text C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\PCCompanion.exe[2836] USER32.dll!MessageBoxExA + 1F 76A4E9E8 7 Bytes JMP 003BC040 C:\Program Files\Sony Ericsson\Sony Ericsson PC Companion\NewUI.dll

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73B5249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73B35652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73B35710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73B5251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73B4857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73B44D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73B450D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73B451AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73B466DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73B482D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73B48824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73B49085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73B4E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[1868] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73B44C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll

---- EOF - GMER 2.1 ----