GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-05 12:03:16
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST3500418AS rev.CC35
Running: wli4cwlj.exe; Driver: C:\Users\Komp\AppData\Local\Temp\kxldqpoc.sys


---- Kernel code sections - GMER 1.0.15 ----

.text  cdrom.sys  8F03B000 121 Bytes  [64, 3A, 5C, 6C, 6F, 6E, 67, ...]
.text  cdrom.sys  8F03B07A 1 Byte  [44]
.text  cdrom.sys  8F03B07A 57 Bytes  [44, 00, 6F, 00, 73, 00, 44, ...]
.text  cdrom.sys  8F03B0B4 298 Bytes  [64, 3A, 5C, 6C, 6F, 6E, 67, ...]
.text  cdrom.sys  8F03B1DF 25 Bytes  [70, 28, 57, 68, E3, 0F, 00, ...]
.text  ...
?  C:\Windows\system32\DRIVERS\cdrom.sys  suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[616] kernel32.dll!SetUnhandledExceptionFilter  778FA8C5 5 Bytes  JMP 6A445629 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!SetWindowsHookExW  766287AD 5 Bytes  JMP 71D79A89 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!CallNextHookEx  76628E3B 5 Bytes  JMP 71D6D0C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!UnhookWindowsHookEx  766298DB 5 Bytes  JMP 71CE467E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!CreateWindowExW  76631305 5 Bytes  JMP 71D7DAFC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!DialogBoxParamW  766510B0 5 Bytes  JMP 71CA54D5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!DialogBoxIndirectParamW  76652EF5 5 Bytes  JMP 71E752F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!DialogBoxParamA  76668152 5 Bytes  JMP 71E75294 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!DialogBoxIndirectParamA  7666847D 5 Bytes  JMP 71E7535A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!MessageBoxIndirectA  7667D4D9 5 Bytes  JMP 71E75229 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!MessageBoxIndirectW  7667D5D3 5 Bytes  JMP 71E751BE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!MessageBoxExA  7667D639 5 Bytes  JMP 71E7515C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!MessageBoxExW  7667D65D 5 Bytes  JMP 71E750FA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] ole32.dll!OleLoadFromStream  77601E80 5 Bytes  JMP 71E7565F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] ole32.dll!CoCreateInstance  77639F3E 5 Bytes  JMP 71D7DB58 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!CreateWindowExW  76631305 5 Bytes  JMP 71D7DAFC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!DialogBoxParamW  766510B0 5 Bytes  JMP 71CA54D5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!DialogBoxIndirectParamW  76652EF5 5 Bytes  JMP 71E752F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!DialogBoxParamA  76668152 5 Bytes  JMP 71E75294 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!DialogBoxIndirectParamA  7666847D 5 Bytes  JMP 71E7535A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!MessageBoxIndirectA  7667D4D9 5 Bytes  JMP 71E75229 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!MessageBoxIndirectW  7667D5D3 5 Bytes  JMP 71E751BE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!MessageBoxExA  7667D639 5 Bytes  JMP 71E7515C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3200] USER32.dll!MessageBoxExW  7667D65D 5 Bytes  JMP 71E750FA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3200] CRYPT32.dll!CertDuplicateCRLContext + 5A  75CD89ED 7 Bytes  JMP 35675558 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3200] CRYPT32.dll!I_CryptFreeLruCache + 1E1  75CDDC4F 7 Bytes  JMP 356755B8 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] USER32.dll!SetWindowsHookExW  766287AD 5 Bytes  JMP 71D79A89 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] USER32.dll!CallNextHookEx  76628E3B 5 Bytes  JMP 71D6D0C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] USER32.dll!UnhookWindowsHookEx  766298DB 5 Bytes  JMP 71CE467E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] USER32.dll!CreateWindowExW  76631305 5 Bytes  JMP 71D7DAFC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] USER32.dll!DialogBoxParamW  766510B0 5 Bytes  JMP 71CA54D5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] USER32.dll!DialogBoxIndirectParamW  76652EF5 5 Bytes  JMP 71E752F7 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] USER32.dll!DialogBoxParamA  76668152 5 Bytes  JMP 71E75294 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] USER32.dll!DialogBoxIndirectParamA  7666847D 5 Bytes  JMP 71E7535A C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] USER32.dll!MessageBoxIndirectA  7667D4D9 5 Bytes  JMP 71E75229 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] USER32.dll!MessageBoxIndirectW  7667D5D3 5 Bytes  JMP 71E751BE C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] USER32.dll!MessageBoxExA  7667D639 5 Bytes  JMP 71E7515C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] USER32.dll!MessageBoxExW  7667D65D 5 Bytes  JMP 71E750FA C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] ole32.dll!OleLoadFromStream  77601E80 5 Bytes  JMP 71E7565F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] ole32.dll!CoCreateInstance  77639F3E 5 Bytes  JMP 71D7DB58 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] CRYPT32.dll!CertDuplicateCRLContext + 5A  75CD89ED 7 Bytes  JMP 35675558 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[5296] CRYPT32.dll!I_CryptFreeLruCache + 1E1  75CDDC4F 7 Bytes  JMP 356755B8 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \SystemRoot\system32\DRIVERS\cdrom.sys[HAL.dll!KfLowerIrql]  3D8F0460
IAT  \SystemRoot\system32\DRIVERS\cdrom.sys[HAL.dll!KeGetCurrentIrql]  [8F046000] \SystemRoot\system32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
IAT  \SystemRoot\system32\DRIVERS\cdrom.sys[HAL.dll!KfRaiseIrql]  40F62874

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [74787817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [747DA86D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [7478BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [7477F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [747875E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [7477E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [747B8395] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]  [7478DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [7477FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [7477FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [747771CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]  [7480CAE2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]  [747AC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [7477D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [74776853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [7477687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[1960] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [74782AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1  symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2  symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3  symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat  symsnap.sys (StorageCraft Volume Snap-Shot/StorageCraft)

---- Modules - GMER 1.0.15 ----

Module  (noname) (*** hidden *** )  8F02C000-8F03A000 (57344 bytes)

---- Threads - GMER 1.0.15 ----

Thread  System [4:252]  8F033540
Thread  System [4:256]  8F033540
Thread  System [4:260]  8F033540
Thread  System [4:264]  8F033540

---- Files - GMER 1.0.15 ----

File  C:\Windows\$NtUninstallKB15222$\2575326473  0 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\@  2048 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\L  0 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\L\qnbwvoto  67072 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\loader.tlb  2632 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\U  0 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\U\@00000001  45968 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\U\@000000c0  2560 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\U\@000000cb  3072 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\U\@000000cf  1536 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\U\@80000000  73216 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\U\@800000c0  43520 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\U\@800000cb  25600 bytes
File  C:\Windows\$NtUninstallKB15222$\2575326473\U\@800000cf  31232 bytes
File  C:\Windows\$NtUninstallKB15222$\3192731225  0 bytes

---- EOF - GMER 1.0.15 ----
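A triage script for a log like this one, added here as an example; it is not part of the posted log and not GMER's own code. It parses the entry formats GMER uses for user-mode inline hooks, kernel IAT entries, hidden modules and threads, and applies four checks that separate the expected hooks in this log (IEFRAME.dll inside iexplore.exe, mso.dll inside OUTLOOK.EXE) from the entries that should worry an analyst: inline patches placed in the middle of a function rather than at its entry (the "+ 5A" and "+ 1E1" CRYPT32 hooks into mswsock.dll), kernel IAT pointers that fall below 0x80000000 and so cannot point at HAL.dll on a default 32-bit split (3D8F0460, 40F62874), a HAL import that resolves back into cdrom.sys itself (8F046000), and System threads whose start address 8F033540 lies inside the hidden module at 8F02C000-8F03A000. The sample lines are copied from the log above; the allowlist of modules that are expected to hook, and the 2 GB user/kernel split, are assumptions, not something the log states.

```python
"""Heuristic triage of GMER log entries (added example, not GMER's code)."""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "severity rule detail")

# Assumption: modules known to place inline hooks inside these processes.
# Everything else that hooks is reported for a closer look.
EXPECTED_HOOKERS = {
    "iexplore.exe": {"ieframe.dll"},
    "outlook.exe": {"mso.dll"},
}
# Assumption: 32-bit Windows with the default 2 GB user / 2 GB kernel split,
# so any kernel import resolved below this value cannot point at HAL.dll.
KERNEL_BASE = 0x80000000

# Sample input constructed from lines of the log above.
SAMPLE_LOG = r"""
.text  C:\Program Files\Internet Explorer\iexplore.exe[1820] USER32.dll!CreateWindowExW  76631305 5 Bytes  JMP 71D7DAFC C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3200] CRYPT32.dll!CertDuplicateCRLContext + 5A  75CD89ED 7 Bytes  JMP 35675558 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Service Provider/Microsoft Corporation)
.text  C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE[616] kernel32.dll!SetUnhandledExceptionFilter  778FA8C5 5 Bytes  JMP 6A445629 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll (2007 Microsoft Office component/Microsoft Corporation)
IAT  \SystemRoot\system32\DRIVERS\cdrom.sys[HAL.dll!KfLowerIrql]  3D8F0460
IAT  \SystemRoot\system32\DRIVERS\cdrom.sys[HAL.dll!KeGetCurrentIrql]  [8F046000] \SystemRoot\system32\DRIVERS\cdrom.sys (SCSI CD-ROM Driver/Microsoft Corporation)
IAT  \SystemRoot\system32\DRIVERS\cdrom.sys[HAL.dll!KfRaiseIrql]  40F62874
Module  (noname) (*** hidden *** )  8F02C000-8F03A000 (57344 bytes)
Thread  System [4:252]  8F033540
Thread  System [4:256]  8F033540
"""

# User-mode inline hook: ".text  <proc>[pid] <dll>!<func>[ + off]  <addr> <n> Bytes  JMP <target> <path> (<desc>)"
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[\d+\])\s+(?P<dll>[\w.]+)!(?P<func>\w+)"
    r"(?:\s*\+\s*(?P<off>[0-9A-F]+))?\s+(?P<addr>[0-9A-F]{8})\s+(?P<n>\d+)\s+Bytes?\s+"
    r"JMP\s+(?P<target>[0-9A-F]{8})\s+(?P<tpath>.+?)\s+\((?P<desc>.*)\)\s*$")
# Kernel IAT entry: "IAT  <driver>[<import>]  <ptr>" or "[<ptr>] <module> (...)"
IAT_RE = re.compile(
    r"^IAT\s+(?P<drv>[^\[\s]+)\[(?P<imp>[^\]]+)\]\s+\[?(?P<ptr>[0-9A-F]{8})\]?(?:\s+(?P<mod>\S+))?")
MODULE_RE = re.compile(
    r"^Module\s+.*\*\*\* hidden \*\*\*.*?(?P<start>[0-9A-F]{8})-(?P<end>[0-9A-F]{8})")
THREAD_RE = re.compile(
    r"^Thread\s+(?P<proc>\S+)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<start>[0-9A-F]{8})")


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(log_text):
    """Apply the four heuristics to every GMER entry and return the findings."""
    lines = [ln.strip() for ln in log_text.splitlines() if ln.strip()]
    # Hidden module ranges are collected first so threads can be matched against them.
    hidden = [(int(m["start"], 16), int(m["end"], 16))
              for m in map(MODULE_RE.match, lines) if m]
    findings = []
    for ln in lines:
        m = HOOK_RE.match(ln)
        if m:
            proc = _basename(m["proc"]).split("[")[0]
            hooker = _basename(m["tpath"])
            where = f"{proc} {m['dll']}!{m['func']}"
            if m["off"]:  # patch inside the function body, not at its entry
                findings.append(Finding("high", "mid-function patch",
                    f"{where}+{m['off']}: {m['n']}-byte JMP {m['target']} into {hooker}"))
            if hooker not in EXPECTED_HOOKERS.get(proc, set()):
                findings.append(Finding("medium", "unexpected hooking module",
                    f"{where}: JMP {m['target']} into {hooker}"))
            continue
        m = IAT_RE.match(ln)
        if m:
            drv, ptr = _basename(m["drv"]), int(m["ptr"], 16)
            if ptr < KERNEL_BASE:
                findings.append(Finding("high", "kernel IAT points into user space",
                    f"{drv}[{m['imp']}] -> {m['ptr']}"))
            elif m["mod"] and _basename(m["mod"]) == drv:
                findings.append(Finding("high", "kernel import resolved into importing driver",
                    f"{drv}[{m['imp']}] -> {m['ptr']} inside {drv}"))
            continue
        m = THREAD_RE.match(ln)
        if m:
            start = int(m["start"], 16)
            for lo, hi in hidden:
                if lo <= start < hi:
                    findings.append(Finding("high", "thread starts in hidden module",
                        f"{m['proc']} [{m['pid']}:{m['tid']}] start {m['start']} in {lo:08X}-{hi:08X}"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.rule}: {f.detail}")
```

On the sample the script reports seven findings and stays silent on the IEFRAME.dll and mso.dll hooks. Run it over the full log (paste the whole file into SAMPLE_LOG or read it from disk) and the same rules fire on both iexplore.exe[3200] and iexplore.exe[5296], on all three cdrom.sys imports, and on all four System threads.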