GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-24 11:35:38 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS541080G9AT00 rev.MB4OA60A 74,53GB Running: kwjdq61p.exe; Driver: C:\DOCUME~1\Zosia\USTAWI~1\Temp\pwldrfob.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\lsass.exe[808] SHELL32.dll!FindExeDlgProc + 1F680 7CB8CBD7 1 Byte [00] .text C:\WINDOWS\system32\svchost.exe[1044] SHELL32.dll!FindExeDlgProc + 1F680 7CB8CBD7 1 Byte [00] .text C:\WINDOWS\RTHDCPL.EXE[1112] USER32.dll!DrawFrame + 413 7E382DD7 1 Byte [00] .text C:\Program Files\Internet Explorer\iexplore.exe[1528] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9B99 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D1CD C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADC24 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 406146FC C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A7997 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A78C9 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A7934 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A779A C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A77FC C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A79FA C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A785E C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] ole32.dll!CoCreateInstance 774EF1D4 5 Bytes JMP 406ADC80 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[1528] ole32.dll!OleLoadFromStream 7751988B 5 Bytes JMP 407A7CFF C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADC24 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A7997 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A78C9 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A7934 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A779A C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A77FC C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A79FA C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[2004] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A785E C:\WINDOWS\system32\IEFRAME.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}@LocalizedString @C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_16_0_0_257_ActiveX.exe,-101 Reg HKLM\SOFTWARE\Classes\CLSID\{B019E3BF-E7E5-453C-A2E4-D2C18CA0866F}\LocalServer32@ C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_16_0_0_257_ActiveX.exe Reg HKLM\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\InprocServer32@ C:\WINDOWS\system32\Macromed\Flash\Flash32_16_0_0_257.ocx Reg HKLM\SOFTWARE\Classes\CLSID\{D27CDB6E-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32@ C:\WINDOWS\system32\Macromed\Flash\Flash32_16_0_0_257.ocx, 1 Reg HKLM\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\InprocServer32@ C:\WINDOWS\system32\Macromed\Flash\Flash32_16_0_0_257.ocx Reg HKLM\SOFTWARE\Classes\CLSID\{D27CDB70-AE6D-11cf-96B8-444553540000}\ToolboxBitmap32@ C:\WINDOWS\system32\Macromed\Flash\Flash32_16_0_0_257.ocx, 1 Reg HKLM\SOFTWARE\Classes\TypeLib\{57A0E746-3863-4D20-A811-950C84F1DB9B}\1.1\0\win32@ C:\WINDOWS\system32\Macromed\Flash\Flash32_16_0_0_257.ocx\2 Reg HKLM\SOFTWARE\Classes\TypeLib\{D27CDB6B-AE6D-11CF-96B8-444553540000}\1.0\0\win32@ C:\WINDOWS\system32\Macromed\Flash\Flash32_16_0_0_257.ocx Reg HKLM\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\0\win32@ C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_16_0_0_257_ActiveX.exe Reg HKLM\SOFTWARE\Classes\TypeLib\{FAB3E735-69C7-453B-A446-B6823C6DF1C9}\1.0\HELPDIR@ C:\WINDOWS\system32\Macromed\Flash\FlashUtil32_16_0_0_257_ActiveX.exe ---- EOF - GMER 2.1 ----