GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-01-27 04:29:37 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.11.0 298,09GB Running: 0szizfws.exe; Driver: C:\Users\sandoz\AppData\Local\Temp\uwldypob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8F205340, 0x3FC377, 0xE8000020] .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xA7709300, 0x3AF78, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xA774C300, 0x1BCE, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtCreateEvent 778241A0 5 Bytes JMP 0011DCC2 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtCreateFile 778241C0 5 Bytes JMP 0011DDC4 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtCreateIoCompletion 778241D0 5 Bytes JMP 0011DE3C .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtCreateKey 77824200 5 Bytes JMP 0011DE46 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtCreateMutant 77824230 5 Bytes JMP 0011DD10 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtCreateNamedPipeFile 77824240 5 Bytes JMP 0011DE02 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtCreateSection 778242B0 5 Bytes JMP 0011DD83 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtCreateSemaphore 778242C0 5 Bytes JMP 0011DD35 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtCreateThread 778242E0 5 Bytes JMP 0011DE9C .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtCreateTimer 778242F0 5 Bytes JMP 0011DD5E .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtDeleteFile 778245A0 5 Bytes JMP 0011DE1E .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtOpenDirectoryObject 77824970 5 Bytes JMP 0011DCA7 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtOpenEvent 77824980 5 Bytes JMP 0011DCD0 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtOpenFile 778249A0 5 Bytes JMP 0011DE10 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtOpenIoCompletion 778249B0 5 Bytes JMP 0011DE54 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtOpenKey 778249D0 5 Bytes JMP 0011DE54 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtOpenMutant 778249F0 5 Bytes JMP 0011DD1A .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtOpenSection 77824A50 5 Bytes JMP 0011DDA9 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtOpenSemaphore 77824A60 5 Bytes JMP 0011DD43 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtOpenSymbolicLinkObject 77824A80 5 Bytes JMP 0011DC8C .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtOpenTimer 77824AC0 5 Bytes JMP 0011DD68 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtQueryAttributesFile 77824B40 5 Bytes JMP 0011DE28 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtQueryFullAttributesFile 77824BF0 5 Bytes JMP 0011DE32 .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtCreateKeyedEvent 77825480 5 Bytes JMP 0011DCEB .text C:\Windows\system32\dllhost.exe[2464] ntdll.dll!NtOpenKeyedEvent 77825490 5 Bytes JMP 0011DCF5 .text C:\Windows\system32\dllhost.exe[2464] kernel32.dll!CreateProcessW 75E81BF3 5 Bytes JMP 0011DEFB .text C:\Windows\system32\dllhost.exe[2464] kernel32.dll!CreateProcessInternalW 75EA5477 5 Bytes JMP 0011DF1B .text C:\Windows\system32\dllhost.exe[2464] kernel32.dll!CompareStringA 75EC79B3 5 Bytes JMP 000A56E2 .text C:\Windows\system32\dllhost.exe[2464] kernel32.dll!CreateThread 75ECCBEE 5 Bytes JMP 000A5700 .text C:\Windows\system32\dllhost.exe[2464] ole32.dll!CoCreateInstance 77339E4E 5 Bytes JMP 000A5695 .text C:\Windows\system32\dllhost.exe[2464] USER32.dll!OpenDesktopW 7772B681 5 Bytes JMP 0011DF3B .text C:\Windows\system32\dllhost.exe[2464] USER32.dll!PostMessageA 7772F8F8 5 Bytes JMP 000A56B4 .text C:\Windows\system32\dllhost.exe[2464] USER32.dll!GetForegroundWindow 777332C4 5 Bytes JMP 000A569E .text C:\Windows\system32\dllhost.exe[2464] USER32.dll!SetFocus 77733684 5 Bytes JMP 000A56A8 .text C:\Windows\system32\dllhost.exe[2464] USER32.dll!GetFocus 77740B40 5 Bytes JMP 000A56A3 .text C:\Windows\system32\dllhost.exe[2464] USER32.dll!GetCursorPos 77740B88 5 Bytes JMP 000A56CE .text C:\Windows\system32\dllhost.exe[2464] USER32.dll!DialogBoxParamW 777510B0 5 Bytes JMP 000A56DA .text C:\Windows\system32\dllhost.exe[2464] USER32.dll!DialogBoxIndirectParamW 77752EF5 5 Bytes JMP 000A56DA .text C:\Windows\system32\dllhost.exe[2464] USER32.dll!DialogBoxParamA 77768152 5 Bytes JMP 000A56DA .text C:\Windows\system32\dllhost.exe[2464] USER32.dll!DialogBoxIndirectParamA 7776847D 5 Bytes JMP 000A56DA .text C:\Windows\system32\dllhost.exe[2464] SHLWAPI.dll!GetAcceptLanguagesW 763114B3 5 Bytes JMP 000A5EBA .text C:\Windows\system32\dllhost.exe[2464] SHLWAPI.dll!GetAcceptLanguagesA 76343AFC 5 Bytes JMP 000A5EA8 .text C:\Windows\system32\dllhost.exe[2464] secur32.dll!FreeCredentialsHandle 75D13598 5 Bytes JMP 0011DF72 .text C:\Windows\system32\dllhost.exe[2464] secur32.dll!AcquireCredentialsHandleA 75D18A43 2 Bytes JMP 0011DF4D .text C:\Windows\system32\dllhost.exe[2464] secur32.dll!AcquireCredentialsHandleA + 3 75D18A46 2 Bytes [40, 8A] .text C:\Windows\explorer.exe[3920] ntdll.dll!NtCreateEvent 778241A0 5 Bytes JMP 0022EDA2 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtCreateFile 778241C0 5 Bytes JMP 0022EEA4 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtCreateIoCompletion 778241D0 5 Bytes JMP 0022EF1C .text C:\Windows\explorer.exe[3920] ntdll.dll!NtCreateKey 77824200 5 Bytes JMP 0022EF26 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtCreateMutant 77824230 5 Bytes JMP 0022EDF0 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtCreateNamedPipeFile 77824240 5 Bytes JMP 0022EEE2 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtCreateSection 778242B0 5 Bytes JMP 0022EE63 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtCreateSemaphore 778242C0 5 Bytes JMP 0022EE15 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtCreateThread 778242E0 5 Bytes JMP 0022EF7C .text C:\Windows\explorer.exe[3920] ntdll.dll!NtCreateTimer 778242F0 5 Bytes JMP 0022EE3E .text C:\Windows\explorer.exe[3920] ntdll.dll!NtDeleteFile 778245A0 5 Bytes JMP 0022EEFE .text C:\Windows\explorer.exe[3920] ntdll.dll!NtOpenDirectoryObject 77824970 5 Bytes JMP 0022ED87 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtOpenEvent 77824980 5 Bytes JMP 0022EDB0 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtOpenFile 778249A0 5 Bytes JMP 0022EEF0 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtOpenIoCompletion 778249B0 5 Bytes JMP 0022EF34 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtOpenKey 778249D0 5 Bytes JMP 0022EF34 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtOpenMutant 778249F0 5 Bytes JMP 0022EDFA .text C:\Windows\explorer.exe[3920] ntdll.dll!NtOpenSection 77824A50 5 Bytes JMP 0022EE89 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtOpenSemaphore 77824A60 5 Bytes JMP 0022EE23 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtOpenSymbolicLinkObject 77824A80 5 Bytes JMP 0022ED6C .text C:\Windows\explorer.exe[3920] ntdll.dll!NtOpenTimer 77824AC0 5 Bytes JMP 0022EE48 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtQueryAttributesFile 77824B40 5 Bytes JMP 0022EF08 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtQueryFullAttributesFile 77824BF0 5 Bytes JMP 0022EF12 .text C:\Windows\explorer.exe[3920] ntdll.dll!NtCreateKeyedEvent 77825480 5 Bytes JMP 0022EDCB .text C:\Windows\explorer.exe[3920] ntdll.dll!NtOpenKeyedEvent 77825490 5 Bytes JMP 0022EDD5 .text C:\Windows\explorer.exe[3920] kernel32.dll!CreateProcessW 75E81BF3 5 Bytes JMP 0022EFDB .text C:\Windows\explorer.exe[3920] kernel32.dll!CreateProcessInternalW 75EA5477 5 Bytes JMP 0022EFFB .text C:\Windows\explorer.exe[3920] kernel32.dll!CompareStringA 75EC79B3 5 Bytes JMP 000A6E62 .text C:\Windows\explorer.exe[3920] kernel32.dll!CreateThread 75ECCBEE 5 Bytes JMP 000A6E80 .text C:\Windows\explorer.exe[3920] USER32.dll!OpenDesktopW 7772B681 5 Bytes JMP 0022F01B .text C:\Windows\explorer.exe[3920] USER32.dll!PostMessageA 7772F8F8 5 Bytes JMP 000A6E34 .text C:\Windows\explorer.exe[3920] USER32.dll!GetForegroundWindow 777332C4 5 Bytes JMP 000A6E1E .text C:\Windows\explorer.exe[3920] USER32.dll!SetFocus 77733684 5 Bytes JMP 000A6E28 .text C:\Windows\explorer.exe[3920] USER32.dll!GetFocus 77740B40 5 Bytes JMP 000A6E23 .text C:\Windows\explorer.exe[3920] USER32.dll!GetCursorPos 77740B88 5 Bytes JMP 000A6E4E .text C:\Windows\explorer.exe[3920] USER32.dll!DialogBoxParamW 777510B0 5 Bytes JMP 000A6E5A .text C:\Windows\explorer.exe[3920] USER32.dll!DialogBoxIndirectParamW 77752EF5 5 Bytes JMP 000A6E5A .text C:\Windows\explorer.exe[3920] USER32.dll!DialogBoxParamA 77768152 5 Bytes JMP 000A6E5A .text C:\Windows\explorer.exe[3920] USER32.dll!DialogBoxIndirectParamA 7776847D 5 Bytes JMP 000A6E5A .text C:\Windows\explorer.exe[3920] SHLWAPI.dll!GetAcceptLanguagesW 763114B3 5 Bytes JMP 000A763A .text C:\Windows\explorer.exe[3920] SHLWAPI.dll!GetAcceptLanguagesA 76343AFC 5 Bytes JMP 000A7628 .text C:\Windows\explorer.exe[3920] ole32.dll!CoCreateInstance 77339E4E 5 Bytes JMP 000A6E15 .text C:\Windows\explorer.exe[3920] secur32.dll!FreeCredentialsHandle 75D13598 5 Bytes JMP 0022F052 .text C:\Windows\explorer.exe[3920] secur32.dll!AcquireCredentialsHandleA 75D18A43 5 Bytes JMP 0022F02D ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs tvtumon.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076d89f08 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c6076d89f08@002668a444e1 0xC5 0x1A 0x14 0x79 ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0c6076d89f08 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0c6076d89f08@002668a444e1 0xC5 0x1A 0x14 0x79 ... Reg HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report10007761 ---- Files - GMER 2.1 ---- File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O459LENU\btn-play[1].png 674 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\O459LENU\url[1].js 5823 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\90OAQ2O2\sync[1].gif 42 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\9DRP579T\click[1].htm 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XKVBSLH0\retargeting[1].js 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XKVBSLH0\background_gradient[1] 453 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XKVBSLH0\pop-logo[1].png 294 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XKVBSLH0\s-l160[1].jpg 5013 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XKVBSLH0\s-l160[2].jpg 5753 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XKVBSLH0\s-l200[1].jpg 8992 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XKVBSLH0\s-l200[2].jpg 6416 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XKVBSLH0\s-l400[1].jpg 17974 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XKVBSLH0\s-l500[1].jpg 38074 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\XKVBSLH0\s-l500[2].jpg 22192 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J621Y4N1\surveyApi[2].js 54 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\J621Y4N1\_72[1].jpg 15184 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0MP6WEOK\$_35[1].jpg 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0MP6WEOK\f[1].txt 195924 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0MP6WEOK\f[3].txt 62624 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\0MP6WEOK\si[1].htm 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1LHZB32R\all[1].js 176617 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1LHZB32R\warszawa_naszemiasto_pl[1].htm 268086 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1LHZB32R\ErrorPageTemplate[1] 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1LHZB32R\prnews[1].gif 0 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\1LHZB32R\bankier_pl[1].htm 93757 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\22IZULP5\messageApi[1].js 14101 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3ONOA9YC\cceimg[1] 33802 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3ONOA9YC\7680019_1_314x236_kolorowe-osiedle-ii-gorzow-wielkopolski[1].jpg 14335 bytes File C:\Users\sandoz\AppData\Local\Microsoft\Windows\Temporary Internet Files\Low\Content.IE5\3ONOA9YC\xrefid[1].gif 43 bytes File C:\Users\sandoz\AppData\Local\Temp\datCD41.tmp 7240 bytes File C:\Users\sandoz\AppData\Roaming\Microsoft\Internet Explorer\UserData\Low\PMY4S764\NSBranch[1].xml 28 bytes ---- EOF - GMER 2.1 ----