GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-05 20:12:26
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 Hitachi_HDT721032SLA360 rev.ST2OA3AA
Running: bhxb2qbt[1].exe; Driver: C:\Users\Ania\AppData\Local\Temp\pxldrpow.sys


---- System - GMER 1.0.15 ----

SSDT   \??\C:\Program Files\SUPERAntiSpyware\SASKUTIL.SYS   ZwTerminateProcess [0x805D5620]

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!KeSetTimerEx + 854   81EECE78 4 Bytes  [20, 56, 5D, 80]
?      system32\drivers\auxxjew.sys   System nie może odnaleźć określonej ścieżki. !
.text  C:\Windows\system32\DRIVERS\atikmdag.sys   section is writeable [0x8E00D000, 0x2D5046, 0xE8000020]
.text  netbt.sys   8EB44304 1 Byte  [40]
.text  netbt.sys   8EB44307 1 Byte  [42]
.text  netbt.sys   8EB4430E 31 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text  netbt.sys   8EB44331 1386 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text  netbt.sys   8EB4489F 228 Bytes  [00, 00, 00, 00, 00, 00, 00, ...]
.text  ...
.INIT  C:\Windows\System32\DRIVERS\netbt.sys   entry point in ".INIT" section [0x8EB52222]
?      C:\Windows\System32\DRIVERS\netbt.sys   suspicious PE modification

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxIndirectParamW   771FBD25 5 Bytes  JMP 70CF0F0D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxParamW   77211FD5 5 Bytes  JMP 70CF0E97 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxParamA   772380B2 5 Bytes  JMP 70CF0ED2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!DialogBoxIndirectParamA   772383DD 5 Bytes  JMP 70CF0F48 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxIndirectA   7724D471 5 Bytes  JMP 70CF0E53 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxIndirectW   7724D56B 5 Bytes  JMP 70CF0E0F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxExA   7724D5D1 1 Byte  [E9]
.text  C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxExA   7724D5D1 5 Bytes  JMP 70CF0DD5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3980] USER32.dll!MessageBoxExW   7724D5F5 5 Bytes  JMP 70CF0D9B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3980] ole32.dll!OleLoadFromStream   77549794 5 Bytes  JMP 70CF1123 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3980] CRYPT32.dll!CertFreeCertificateChain + 1E2   75E97E76 7 Bytes  JMP 356755B8 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[3980] CRYPT32.dll!CryptDecodeObject + 1E7   75E9BD9C 7 Bytes  JMP 35675558 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[4448] USER32.dll!GetWindowInfo   77200560 5 Bytes  JMP 63170924 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[4448] USER32.dll!SetWindowLongA   77200736 4 Bytes  JMP 633E01A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[4448] USER32.dll!SetWindowLongW   77201F35 4 Bytes  JMP 633E0135 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[4448] USER32.dll!TrackPopupMenu   77211417 5 Bytes  JMP 63170ECF C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[4448] CRYPT32.dll!CertFreeCertificateChain + 1E2   75E97E76 7 Bytes  JMP 356755B8 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Mozilla Firefox\plugin-container.exe[4448] CRYPT32.dll!CryptDecodeObject + 1E7   75E9BD9C 7 Bytes  JMP 35675558 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4652] USER32.dll!DialogBoxIndirectParamW   771FBD25 5 Bytes  JMP 70CF0F0D C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4652] USER32.dll!DialogBoxParamW   77211FD5 5 Bytes  JMP 70CF0E97 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4652] USER32.dll!DialogBoxParamA   772380B2 5 Bytes  JMP 70CF0ED2 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4652] USER32.dll!DialogBoxIndirectParamA   772383DD 5 Bytes  JMP 70CF0F48 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4652] USER32.dll!MessageBoxIndirectA   7724D471 5 Bytes  JMP 70CF0E53 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4652] USER32.dll!MessageBoxIndirectW   7724D56B 5 Bytes  JMP 70CF0E0F C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4652] USER32.dll!MessageBoxExA   7724D5D1 1 Byte  [E9]
.text  C:\Program Files\Internet Explorer\iexplore.exe[4652] USER32.dll!MessageBoxExA   7724D5D1 5 Bytes  JMP 70CF0DD5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4652] USER32.dll!MessageBoxExW   7724D5F5 5 Bytes  JMP 70CF0D9B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4652] ole32.dll!OleLoadFromStream   77549794 5 Bytes  JMP 70CF1123 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4652] CRYPT32.dll!CertFreeCertificateChain + 1E2   75E97E76 7 Bytes  JMP 356755B8 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[4652] CRYPT32.dll!CryptDecodeObject + 1E7   75E9BD9C 7 Bytes  JMP 35675558 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5436] ntdll.dll!LdrLoadDll   77CE79B3 5 Bytes  JMP 62FF5B60 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5436] CRYPT32.dll!CertFreeCertificateChain + 1E2   75E97E76 7 Bytes  JMP 356755B8 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)
.text  C:\Program Files\Mozilla Firefox\firefox.exe[5436] CRYPT32.dll!CryptDecodeObject + 1E7   75E9BD9C 7 Bytes  JMP 35675558 C:\Windows\system32\mswsock.dll (Microsoft Windows Sockets 2.0 Dostawca usługi/Microsoft Corporation)

---- Kernel IAT/EAT - GMER 1.0.15 ----

IAT  \SystemRoot\System32\DRIVERS\netbt.sys[HAL.dll!KeGetCurrentIrql]   8B000000

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]   [74B38864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]   [74B79855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]   [74B3B984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]   [74B2FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]   [74B37A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]   [74B2EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]   [74B6B12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]   [74B3BC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]   [74B30756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]   [74B306BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]   [74B271B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]   [74BBD9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]   [74B57329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]   [74B2E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]   [74B2697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]   [74B269A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT  C:\Windows\Explorer.EXE[204] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]   [74B32475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device  \Driver\usbhub \Device\0000005a   hcmon.sys
Device  \Driver\usbhub \Device\0000005b   hcmon.sys
Device  \Driver\usbhub \Device\0000005c   hcmon.sys
Device  \Driver\usbhub \Device\0000005d   hcmon.sys
Device  \Driver\usbhub \Device\0000005e   hcmon.sys
Device  \Driver\usbuhci \Device\USBFDO-0   hcmon.sys
Device  \Driver\usbuhci \Device\USBFDO-1   hcmon.sys
Device  \Driver\usbuhci \Device\USBFDO-2   hcmon.sys
Device  \Driver\usbuhci \Device\USBFDO-3   hcmon.sys
Device  \Driver\usbehci \Device\USBFDO-4   hcmon.sys

---- Threads - GMER 1.0.15 ----

Thread  System [4:364]   86D5F540
Thread  System [4:368]   86D5F540

---- Files - GMER 1.0.15 ----

File  C:\Windows\$NtUninstallKB12850$\1832820979   0 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\@   2048 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\L   0 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\L\qnbwvoto   184320 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\loader.tlb   2632 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\U   0 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\U\@00000001   45968 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\U\@000000c0   2560 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\U\@000000cb   3072 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\U\@000000cf   1536 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\U\@80000000   73216 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\U\@800000c0   43520 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\U\@800000cb   25600 bytes
File  C:\Windows\$NtUninstallKB12850$\1832820979\U\@800000cf   31232 bytes
File  C:\Windows\$NtUninstallKB12850$\787996092   0 bytes

---- EOF - GMER 1.0.15 ----