GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-12-12 16:15:48
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-13 ST3160815A rev.3.AAD
Running: dhette7r.exe; Driver: C:\DOCUME~1\jtd\USTAWI~1\Temp\afadikoc.sys


---- System - GMER 1.0.15 ----

SSDT  88E2D4D8  ZwAlertResumeThread
SSDT  88E2D598  ZwAlertThread
SSDT  88E2DE00  ZwAllocateVirtualMemory
SSDT  897671F8  ZwConnectPort
SSDT  890BFEC0  ZwCreateMutant
SSDT  896C8C30  ZwCreateThread
SSDT  88E2DC60  ZwFreeVirtualMemory
SSDT  890BFF90  ZwImpersonateAnonymousToken
SSDT  88E2D418  ZwImpersonateThread
SSDT  8970B040  ZwMapViewOfSection
SSDT  890BFE00  ZwOpenEvent
SSDT  88E30208  ZwOpenProcessToken
SSDT  88E2D9B0  ZwOpenThreadToken
SSDT  \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)  ZwProtectVirtualMemory [0xB9DC86B0]
SSDT  \??\C:\WINDOWS\system32\drivers\avgtpx86.sys (AVG Technologies)  ZwQueryValueKey [0xB9E341EA]
SSDT  89FEF410  ZwResumeThread
SSDT  88E2D8F0  ZwSetContextThread
SSDT  88E2DA80  ZwSetInformationProcess
SSDT  88E2D820  ZwSetInformationThread
SSDT  890BFD40  ZwSuspendProcess
SSDT  88E2D6A0  ZwSuspendThread
SSDT  891415F0  ZwTerminateProcess
SSDT  88E2D760  ZwTerminateThread
SSDT  88E2F5D8  ZwUnmapViewOfSection
SSDT  88E2DD30  ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!_abnormal_termination + 310  804E297C 4 Bytes  JMP 80B9E341
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xBA0CF360, 0x372FAD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Internet Explorer\iexplore.exe[684] USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 405D5505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[684] USER32.dll!CreateWindowExW  7E37D0A3 5 Bytes  JMP 406ADB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[684] USER32.dll!DialogBoxIndirectParamW  7E382072 5 Bytes  JMP 407A725F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[684] USER32.dll!MessageBoxIndirectA  7E38A082 5 Bytes  JMP 407A7191 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[684] USER32.dll!DialogBoxParamA  7E38B144 5 Bytes  JMP 407A71FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[684] USER32.dll!MessageBoxExW  7E3A0838 5 Bytes  JMP 407A7062 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[684] USER32.dll!MessageBoxExA  7E3A085C 5 Bytes  JMP 407A70C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[684] USER32.dll!DialogBoxIndirectParamA  7E3A6D7D 5 Bytes  JMP 407A72C2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[684] USER32.dll!MessageBoxIndirectW  7E3B64D5 5 Bytes  JMP 407A7126 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\WINDOWS\system32\winlogon.exe[1592] ntdll.dll!NtLockProductActivationKeys  7C90D4AE 5 Bytes  JMP 10001000 C:\WINDOWS\system32\antiwpa.dll
.text  C:\WINDOWS\system32\winlogon.exe[1592] USER32.dll!GetSystemMetrics  7E368F9C 5 Bytes  JMP 10001018 C:\WINDOWS\system32\antiwpa.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 405D5505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] USER32.dll!SetWindowsHookExW  7E37820F 5 Bytes  JMP 406A9AB5 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] USER32.dll!CallNextHookEx  7E37B3C6 5 Bytes  JMP 4069D12D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] USER32.dll!CreateWindowExW  7E37D0A3 5 Bytes  JMP 406ADB24 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] USER32.dll!UnhookWindowsHookEx  7E37D5F3 5 Bytes  JMP 4061466C C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] USER32.dll!DialogBoxIndirectParamW  7E382072 5 Bytes  JMP 407A725F C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] USER32.dll!MessageBoxIndirectA  7E38A082 5 Bytes  JMP 407A7191 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] USER32.dll!DialogBoxParamA  7E38B144 5 Bytes  JMP 407A71FC C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] USER32.dll!MessageBoxExW  7E3A0838 5 Bytes  JMP 407A7062 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] USER32.dll!MessageBoxExA  7E3A085C 5 Bytes  JMP 407A70C4 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] USER32.dll!DialogBoxIndirectParamA  7E3A6D7D 5 Bytes  JMP 407A72C2 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] USER32.dll!MessageBoxIndirectW  7E3B64D5 5 Bytes  JMP 407A7126 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] ole32.dll!CoCreateInstance  774EF1BC 5 Bytes  JMP 406ADB80 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\Program Files\Internet Explorer\iexplore.exe[2624] ole32.dll!OleLoadFromStream  7751983B 5 Bytes  JMP 407A75C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- User IAT/EAT - GMER 1.0.15 ----

IAT  C:\Program Files\Internet Explorer\iexplore.exe[2624] @ C:\WINDOWS\system32\ole32.dll [KERNEL32.dll!LoadLibraryExW]  [451F1ACB] C:\Program Files\Internet Explorer\xpshims.dll (Internet Explorer Compatibility Shims for XP/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\Tcpip \Device\Ip  wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Ip  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp  wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Tcp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp  wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp  wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

Device  \Driver\SYMTDI \Device\SymTDI  wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)

AttachedDevice  \FileSystem\Fastfat \Fat  fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----
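Added triage aid (example code written for this page; it is not part of GMER and not from the person who posted the log). It parses the section layout GMER 1.0.15 uses above and pulls out the entries a responder would look at first: SSDT slots that resolve to a bare address with no driver attribution, inline patches of kernel code, writable kernel code sections, and user-mode inline hooks whose target module carries no vendor string. In this log that last rule isolates the two winlogon.exe hooks into C:\WINDOWS\system32\antiwpa.dll, the only user-mode hook target GMER could not attribute, while the IEFRAME.dll hooks in iexplore.exe, which GMER attributes to Microsoft, are left alone. The sample input is an excerpt of the log above embedded as a string; the regexes assume GMER's whitespace-separated field layout, and the parenthesized attribution is treated as a hint only, since GMER reports it from the module's version information rather than from a signature check.

```python
"""Triage a GMER rootkit-scan log: parse its sections and flag hooks that
GMER could not attribute to a known module or vendor.

Example code added for this page; not GMER's own code and not from the
log's author. Line formats below are assumed from GMER 1.0.15 output."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed excerpt of the GMER log above (a few representative lines).
SAMPLE_LOG = r"""GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-12-12 16:15:48

---- System - GMER 1.0.15 ----

SSDT  88E2D4D8  ZwAlertResumeThread
SSDT  \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys (Symantec CMC Firewall WPS/Symantec Corporation)  ZwProtectVirtualMemory [0xB9DC86B0]
SSDT  \??\C:\WINDOWS\system32\drivers\avgtpx86.sys (AVG Technologies)  ZwQueryValueKey [0xB9E341EA]

---- Kernel code sections - GMER 1.0.15 ----

.text  ntoskrnl.exe!_abnormal_termination + 310  804E297C 4 Bytes  JMP 80B9E341
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xBA0CF360, 0x372FAD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\Internet Explorer\iexplore.exe[684] USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 405D5505 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text  C:\WINDOWS\system32\winlogon.exe[1592] ntdll.dll!NtLockProductActivationKeys  7C90D4AE 5 Bytes  JMP 10001000 C:\WINDOWS\system32\antiwpa.dll
.text  C:\WINDOWS\system32\winlogon.exe[1592] USER32.dll!GetSystemMetrics  7E368F9C 5 Bytes  JMP 10001018 C:\WINDOWS\system32\antiwpa.dll

---- EOF - GMER 1.0.15 ----
"""

SECTION_RE = re.compile(r"^---- (.+?) - GMER [\d.]+ ----$")
# "SSDT  <addr-or-driver> [(vendor)]  Zw<Syscall> [[0xHANDLER]]"
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<handler>\S+)(?:\s+\((?P<vendor>.+?)\))?\s+(?P<syscall>Zw\w+)"
    r"(?:\s+\[0x(?P<addr>[0-9A-Fa-f]+)\])?\s*$")
# ".text  <process>[pid] <module>!<api>  <addr> N Bytes  JMP <target> <module path> [(vendor)]"
USER_HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+(?P<api>\S+!\S+)\s+"
    r"(?P<at>[0-9A-F]{8})\s+(?P<n>\d+) Bytes\s+JMP\s+(?P<to>[0-9A-F]{8})\s+"
    r"(?P<module>\S+)(?:\s+\((?P<vendor>.+)\))?\s*$")
# ".text  <kernel symbol [+ off]>  <addr> N Bytes  JMP <target>"
KERNEL_PATCH_RE = re.compile(
    r"^\.text\s+(?P<sym>.+?)\s+(?P<at>[0-9A-F]{8})\s+(?P<n>\d+) Bytes\s+JMP\s+(?P<to>[0-9A-F]{8})\s*$")


@dataclass
class Finding:
    kind: str      # short rule name
    detail: str    # the parsed fields a responder needs to follow up
    severity: str  # "review" = needs a human decision, "info" = context


def triage(log_text: str) -> List[Finding]:
    """Walk the log section by section and apply the rules for that section."""
    findings: List[Finding] = []
    section: Optional[str] = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            continue
        if section == "System":
            m = SSDT_RE.match(line)
            # A bare address means GMER could not map the handler to a driver.
            if m and m["vendor"] is None:
                findings.append(Finding("ssdt-unattributed",
                                        f"{m['syscall']} -> {m['handler']}", "review"))
        elif section == "Kernel code sections":
            m = KERNEL_PATCH_RE.match(line)
            if m:
                findings.append(Finding("kernel-inline-patch",
                                        f"{m['sym']} at {m['at']} JMP {m['to']}", "review"))
            elif "section is writeable" in line:
                findings.append(Finding("writable-code-section", line.split(None, 1)[1], "info"))
        elif section == "User code sections":
            m = USER_HOOK_RE.match(line)
            # Hook target with no version-info attribution: look at the file.
            if m and m["vendor"] is None:
                findings.append(Finding("user-hook-unattributed",
                                        f"{m['proc']} {m['api']} -> {m['module']}", "review"))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity}] {f.kind}: {f.detail}")
```

The unattributed SSDT slots are only a starting point: the handler address alone does not say whether the code there belongs to one of the security products whose drivers appear elsewhere in the log or to something that hides its image, so the next step is to resolve those addresses against the loaded-module list from the same machine. The same caveat applies in reverse to the attributed entries: a vendor string copied from version information is cheap to forge, so an attribution clears nothing on its own.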