GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-05 21:42:48
Windows 5.1.2600 Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.FBEO
Running: yedmnndf.exe; Driver: C:\DOCUME~1\nowak\USTAWI~1\Temp\aflyqpoc.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwAssignProcessToJobObject [0xAE1AD610]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF71DB6E6]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcess [0xF71B9F68]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateProcessEx [0xF71BA230]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDebugActiveProcess [0xAE1ADC10]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteKey [0xF71DC0A0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwDeleteValueKey [0xF71DC42A]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwDuplicateObject [0xAE1AD730]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwOpenKey [0xF71DA924]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xAE1AD4B0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenThread [0xAE1AD570]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwProtectVirtualMemory [0xAE1AD6D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwQueueApcThread [0xAE1AD790]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwRenameKey [0xF71DC96E]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetContextThread [0xAE1AD690]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetInformationThread [0xAE1AD650]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSetSecurityObject [0xAE1AD7D0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwSetValueKey [0xF71DBAA4]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendProcess [0xAE1AD510]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwSuspendThread [0xAE1AD590]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xADF7E620]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwTerminateThread [0xAE1AD5D0]
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwWriteVirtualMemory [0xAE1AD750]

Code szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) ZwSetSecurityObject [0xF749BE24]
Code szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.) NtSetSecurityObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!NtSetSecurityObject 805C062E 5 Bytes JMP F749BE28 szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6AD9000, 0x189C82, 0xE8000020]
.text afd.sys ADFAE000 84 Bytes [FA, AD, 6A, 00, FF, 73, 0C, ...]
.text afd.sys ADFAE055 88 Bytes [C0, EB, 3D, 8B, 45, DC, 80, ...]
.text afd.sys ADFAE0AE 114 Bytes CALL ADFAD48E \SystemRoot\System32\drivers\afd.sys (Ancillary Function Driver for WinSock/Microsoft Corporation)
.text afd.sys ADFAE121 54 Bytes [3B, C8, 72, 09, A1, C8, E3, ...]
.text afd.sys ADFAE158 64 Bytes [8B, C2, 83, C8, 21, 89, 43, ...]
.text ...
? C:\WINDOWS\System32\drivers\afd.sys suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe[804] kernel32.dll!CreateThread + 1A 7C8106F1 4 Bytes CALL 0044C909 C:\Program Files\IObit\IObit Malware Fighter\IMFsrv.exe (IObit Malware Fighter Service/IObit)
.text C:\WINDOWS\system32\SearchIndexer.exe[2592] kernel32.dll!WriteFile 7C810E27 7 Bytes JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL (mssrch.dll/Microsoft Corporation)
.text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[3240] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 00]
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D54D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9AE9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D125 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 4061467E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] ole32.dll!CoCreateInstance 774EF1BC 5 Bytes JMP 406ADBB8 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] ole32.dll!OleLoadFromStream 7751983B 5 Bytes JMP 407A572F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3772] CRYPT32.dll!CryptMsgCountersignEncoded + 27A 77A82F52 7 Bytes JMP 356753FE C:\WINDOWS\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D54D5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADB5C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A53C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A52F9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A5364 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A51CA C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A522C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A542A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3908] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A528E C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT \SystemRoot\System32\drivers\afd.sys[HAL.dll!KfLowerIrql] 39057CF3
IAT \SystemRoot\System32\drivers\afd.sys[HAL.dll!KeGetCurrentIrql] EC730846
IAT \SystemRoot\System32\drivers\afd.sys[HAL.dll!KfRaiseIrql] C72443FF

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Program Files\Internet Explorer\iexplore.exe[3772] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys (Amon monitor/ESET)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice \Driver\Tcpip \Device\Tcp epfwtdir.sys (ESET Antivirus Network Redirector/ESET)
AttachedDevice \FileSystem\Fastfat \Fat szkgfs.sys (STOPzilla Kernel Guard File System, x86-32 /iS3, Inc.)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat eamon.sys (Amon monitor/ESET)

---- Modules - GMER 1.0.15 ----

Module (noname) (*** hidden *** ) F654F000-F655D000 (57344 bytes)

---- Threads - GMER 1.0.15 ----

Thread System [4:1056] F6556540
Thread System [4:1060] F6556540

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\3da21691-e39d-4da6-8a4b-b43877bcb1b7@FlushCacheFiles ?????????? ??????e????????????????????????????????????????????????????:????????????????????????????????s???????????????????????s???????????????????????????????????????????????s???????????????????????s????Apartment?????????????v??????y???????????????{??????????????????132241??????????? ???????????????????s?y???????????y?????????x????B???????????????y????????????????????????????????????????s??????6?????????????????*??????????????????????????????????????????????s?????????????????????????????????????????y???????????????????????????????????????????????????e???????????????????????????\??????????s??????????????????????????s???????????????????????s????Wed, 25 Jan 2012 08:44:35 GMT??????????????????????s????????????? ??1????\??????e????????????????????????????y?????????sme?????????????????????s*\???????????!
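A responder reading a log like this has to do the same correlation every time: list what GMER marked hidden, check whether any System-process thread starts inside that range, and look at kernel IAT entries whose target GMER could not attribute to a module. The script below is an added example of that triage, not GMER's code and not part of the original post. It runs offline on a constructed subset of the entries above (copied verbatim, one entry per line as GMER writes them). The 0x80000000 kernel boundary is an assumption (32-bit XP with the default 2 GB/2 GB split), and the SSDT summary only groups hooks by the driver description GMER printed; it does not decide whether a vendor's hooks are legitimate.

```python
"""Triage a GMER 1.0.15 text log: hidden modules, threads inside them, unattributed kernel IAT targets.
Added example; not GMER's code and not from the original post."""
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the scan log above, one entry per line as GMER writes them.
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----
SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET) ZwOpenProcess [0xAE1AD4B0]
SSDT PCTCore.sys (PC Tools KDS Core Driver/PC Tools) ZwCreateKey [0xF71DB6E6]
SSDT \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS (SASKUTIL.SYS/SUPERAdBlocker.com and SUPERAntiSpyware.com) ZwTerminateProcess [0xADF7E620]
---- Kernel IAT/EAT - GMER 1.0.15 ----
IAT \SystemRoot\System32\drivers\afd.sys[HAL.dll!KfLowerIrql] 39057CF3
IAT \SystemRoot\System32\drivers\afd.sys[HAL.dll!KeGetCurrentIrql] EC730846
IAT \SystemRoot\System32\drivers\afd.sys[HAL.dll!KfRaiseIrql] C72443FF
---- User IAT/EAT - GMER 1.0.15 ----
IAT C:\Program Files\Internet Explorer\iexplore.exe[3772] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW] [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)
---- Modules - GMER 1.0.15 ----
Module (noname) (*** hidden *** ) F654F000-F655D000 (57344 bytes)
---- Threads - GMER 1.0.15 ----
Thread System [4:1056] F6556540
Thread System [4:1060] F6556540
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER")
# SSDT <driver path> (<description>) <Zw* syscall> [0x<hook address>]; the path may contain spaces.
SSDT_RE = re.compile(r"^SSDT (.+?) \(([^)]*)\) (Zw\w+) \[0x([0-9A-F]{8})\]")
HIDDEN_MOD_RE = re.compile(r"^Module .*\*\*\* hidden \*\*\*.*?([0-9A-F]{8})-([0-9A-F]{8})")
THREAD_RE = re.compile(r"^Thread (\S+) \[(\d+):(\d+)\] ([0-9A-F]{8})")
# IAT <driver>[<dll>!<import>] <target>[ <module GMER attributed the target to>]
KERNEL_IAT_RE = re.compile(r"^IAT (\S+)\[([^\]]+)\] ([0-9A-F]{8})(?:\s+(\S.*))?$")

# Assumption: 32-bit XP, default 2 GB/2 GB split, so kernel code lives at or above this address.
KERNEL_BASE = 0x80000000


@dataclass
class ScanSummary:
    ssdt: dict = field(default_factory=dict)        # driver description -> hooked syscalls
    hidden: list = field(default_factory=list)      # (start, end) of modules GMER marked hidden
    threads: list = field(default_factory=list)     # (process, pid, tid, start address)
    kernel_iat: list = field(default_factory=list)  # (driver, import, target, attributed module or None)


@dataclass
class Finding:
    kind: str
    detail: str


def parse_gmer(text: str) -> ScanSummary:
    """Single pass over the log, tracking the current '---- <name> - GMER ----' section."""
    s = ScanSummary()
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if m := SECTION_RE.match(line):
            section = m.group(1)
        elif section == "System" and (m := SSDT_RE.match(line)):
            s.ssdt.setdefault(m.group(2), []).append(m.group(3))
        elif section == "Modules" and (m := HIDDEN_MOD_RE.match(line)):
            s.hidden.append((int(m.group(1), 16), int(m.group(2), 16)))
        elif section == "Threads" and (m := THREAD_RE.match(line)):
            s.threads.append((m.group(1), int(m.group(2)), int(m.group(3)), int(m.group(4), 16)))
        elif section == "Kernel IAT/EAT" and (m := KERNEL_IAT_RE.match(line)):
            s.kernel_iat.append((m.group(1), m.group(2), int(m.group(3), 16), m.group(4)))
    return s


def triage(text: str) -> list:
    """Turn the parsed entries into the findings a responder would chase first."""
    s = parse_gmer(text)
    findings = []
    for start, end in s.hidden:
        findings.append(Finding("hidden_module",
                                f"{start:08X}-{end:08X} ({end - start} bytes) is not in the loaded-module list"))
    # A System-process thread whose start address falls inside a hidden module is code
    # running from that module rather than from any named driver.
    for proc, pid, tid, addr in s.threads:
        for start, end in s.hidden:
            if start <= addr < end:
                findings.append(Finding("thread_in_hidden_module",
                                        f"{proc} [{pid}:{tid}] starts at {addr:08X}, inside {start:08X}-{end:08X}"))
    # A kernel IAT slot should point into the exporting module (HAL.dll here); GMER prints that
    # module after the address when it can attribute the target.  No attribution, or a
    # user-mode address, means the import was redirected somewhere GMER cannot name.
    for driver, imp, target, attributed in s.kernel_iat:
        reasons = []
        if attributed is None:
            reasons.append("target not attributed to any loaded module")
        if target < KERNEL_BASE:
            reasons.append("target is a user-mode address")
        if reasons:
            findings.append(Finding("kernel_iat_hook", f"{driver} [{imp}] -> {target:08X}: " + "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    summary = parse_gmer(SAMPLE_LOG)
    for desc, calls in summary.ssdt.items():
        print(f"SSDT hooks by {desc}: {', '.join(calls)}")
    for f in triage(SAMPLE_LOG):
        print(f"[{f.kind}] {f.detail}")
```

On the sample it reports the hidden 57344-byte module, both System threads starting at F6556540 inside it, and all three afd.sys HAL imports as unattributed, with the first one additionally flagged as a user-mode address. The user-mode IAT entry is left alone because it is attributed to xpshims.dll. What those findings mean is still the analyst's call; the script only pulls the correlation out of several hundred lines of vendor hooks.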