GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-03-13 13:05:59
Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD2500BEVS-22UST0 rev.01.01A01
Running: 3x9n5btb.exe; Driver: C:\Users\SOCE~1\AppData\Local\Temp\pwldypog.sys


---- Kernel code sections - GMER 1.0.15 ----

.text   ntkrnlpa.exe!ZwSaveKeyEx + 13AD                  82C7B579 1 Byte  [06]
.text   ntkrnlpa.exe!KiDispatchInterrupt + 5A2           82C9FF52 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text   C:\Windows\system32\DRIVERS\atikmdag.sys         section is writeable [0x8E236000, 0x2D5378, 0xE8000020]

---- User IAT/EAT - GMER 1.0.15 ----

IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]                     [74A3250F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                    [74A32494] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]               [74A15624] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]              [74A156E2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]           [74A28573] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]             [74A24D27] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]            [74A250CE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]           [74A251A3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [74A266D0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]            [74A282CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]       [74A28819] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]     [74A2907A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]           [74A2E21D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT   C:\Windows\Explorer.EXE[716] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]               [74A24C59] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7600.16385_none_72fc7cbf861225ca\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device          \Driver\ACPI_HAL \Device\00000043             halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1        fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume1        rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2        fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume2        rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3        fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume3        rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4        fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume4        rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5        fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation)
AttachedDevice  \Driver\volmgr \Device\HarddiskVolume5        rdyboost.sys (ReadyBoost Driver/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat                      fltmgr.sys (Menedżer filtrów systemu plików firmy Microsoft/Microsoft Corporation)

---- Services - GMER 1.0.15 ----

Service  C:\Windows\servicing\TrustedInstaller.exe (*** hidden *** )  [AUTO] TrustedInstaller  <-- ROOTKIT !!!

---- Registry - GMER 1.0.15 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{CDE7572A-1873-4934-AB91-FA4148D37687}\Connection@Name  isatap.{6C9A1007-1694-4C23-A4A2-EC1D352E350E}
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind  \Device\{CA02DE7D-32EE-43B5-9D93-D9E1E41BF6DE}?\Device\{1C0748CC-A7C2-4BD8-B26D-B8BEA3737290}?\Device\{CDE7572A-1873-4934-AB91-FA4148D37687}?\Device\{E6DC7B52-E882-4E4C-B1AA-4988CB1CAA3C}?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route  "{CA02DE7D-32EE-43B5-9D93-D9E1E41BF6DE}"?"{1C0748CC-A7C2-4BD8-B26D-B8BEA3737290}"?"{CDE7572A-1873-4934-AB91-FA4148D37687}"?"{E6DC7B52-E882-4E4C-B1AA-4988CB1CAA3C}"?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export  \Device\TCPIP6TUNNEL_{CA02DE7D-32EE-43B5-9D93-D9E1E41BF6DE}?\Device\TCPIP6TUNNEL_{1C0748CC-A7C2-4BD8-B26D-B8BEA3737290}?\Device\TCPIP6TUNNEL_{CDE7572A-1873-4934-AB91-FA4148D37687}?\Device\TCPIP6TUNNEL_{E6DC7B52-E882-4E4C-B1AA-4988CB1CAA3C}?
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{CDE7572A-1873-4934-AB91-FA4148D37687}@InterfaceName  isatap.{6C9A1007-1694-4C23-A4A2-EC1D352E350E}
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{CDE7572A-1873-4934-AB91-FA4148D37687}@ReusableType  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\TrustedInstaller@Start  3
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing@NextExecutionSequence  85
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing@SessionIdLow  1768460359

---- Files - GMER 1.0.15 ----

File  C:\$WINDOWS.~Q\DATA\Windows\$NtUninstallKB22243$\2065245037  0 bytes
File  C:\$WINDOWS.~Q\DATA\Windows\$NtUninstallKB22243$\802653899  0 bytes
File  C:\$WINDOWS.~Q\DATA\Windows\$NtUninstallKB22243$\802653899\@  2048 bytes
File  C:\$WINDOWS.~Q\DATA\Windows\$NtUninstallKB22243$\802653899\L  0 bytes
File  C:\$WINDOWS.~Q\DATA\Windows\$NtUninstallKB22243$\802653899\L\xadqgnnk  238960 bytes
File  C:\$WINDOWS.~Q\DATA\Windows\$NtUninstallKB22243$\802653899\U  0 bytes
File  C:\System Volume Information\{c12734f4-6969-11e1-93f0-00030d84be2b}{3808876b-c176-4e48-b7ae-04046e6cc752}  136937472 bytes
File  C:\Windows\SoftwareDistribution\DataStore\Logs\edbtmp.log  393216 bytes
File  C:\Windows\SoftwareDistribution\DataStore\Logs\tmp.edb  524288 bytes

---- EOF - GMER 1.0.15 ----