GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-06-07 22:30:22
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD7501AALS-00E8B0 rev.05.00K05 698,64GB
Running: yonbb1bw.exe; Driver: C:\Users\Adam\AppData\Local\Temp\kwtdrpoc.sys


---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 140D  8285CA09 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  828961F2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!EnableWindow  76C38D02 5 Bytes  JMP 6FE59EBC C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!DialogBoxParamW  76C53B9B 5 Bytes  JMP 6FDB189B C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!DialogBoxIndirectParamW  76C63B7F 5 Bytes  JMP 6FFA91B6 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!DialogBoxParamA  76C7CF42 5 Bytes  JMP 6FFA9151 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!DialogBoxIndirectParamA  76C7D274 5 Bytes  JMP 6FFA921B C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!MessageBoxIndirectA  76C8E869 5 Bytes  JMP 6FFA90D8 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!MessageBoxIndirectW  76C8E963 5 Bytes  JMP 6FFA905F C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!MessageBoxExA  76C8E9C9 5 Bytes  JMP 6FFA8FFB C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!MessageBoxExW  76C8E9ED 5 Bytes  JMP 6FFA8F97 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] kernel32.dll!CreateThread  76B9DCC2 5 Bytes  JMP 6FE175E3 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!EnableWindow  76C38D02 5 Bytes  JMP 6FE59EBC C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!CallNextHookEx  76C3ABE1 5 Bytes  JMP 6FE77FF1 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!UnhookWindowsHookEx  76C3ADF9 5 Bytes  JMP 6FE9ED14 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!DefWindowProcA  76C3BB1C 7 Bytes  JMP 6FE1980D C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!CreateWindowExA  76C3BF40 5 Bytes  JMP 6FE23643 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!SetWindowsHookExW  76C3E30C 5 Bytes  JMP 6FE525B4 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!CreateWindowExW  76C3EC7C 5 Bytes  JMP 6FE803DF C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!DefWindowProcW  76C4507D 7 Bytes  JMP 6FE78054 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!DialogBoxParamW  76C53B9B 5 Bytes  JMP 6FDB189B C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!DialogBoxIndirectParamW  76C63B7F 5 Bytes  JMP 6FFA91B6 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!DialogBoxParamA  76C7CF42 5 Bytes  JMP 6FFA9151 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!DialogBoxIndirectParamA  76C7D274 5 Bytes  JMP 6FFA921B C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!MessageBoxIndirectA  76C8E869 5 Bytes  JMP 6FFA90D8 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!MessageBoxIndirectW  76C8E963 5 Bytes  JMP 6FFA905F C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!MessageBoxExA  76C8E9C9 5 Bytes  JMP 6FFA8FFB C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!MessageBoxExW  76C8E9ED 5 Bytes  JMP 6FFA8F97 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] ole32.dll!OleLoadFromStream  769F6143 5 Bytes  JMP 6FFA9984 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] kernel32.dll!CreateThread  76B9DCC2 5 Bytes  JMP 6FE175E3 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!EnableWindow  76C38D02 5 Bytes  JMP 6FE59EBC C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!CallNextHookEx  76C3ABE1 5 Bytes  JMP 6FE77FF1 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!UnhookWindowsHookEx  76C3ADF9 5 Bytes  JMP 6FE9ED14 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!DefWindowProcA  76C3BB1C 7 Bytes  JMP 6FE1980D C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!CreateWindowExA  76C3BF40 5 Bytes  JMP 6FE23643 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!SetWindowsHookExW  76C3E30C 5 Bytes  JMP 6FE525B4 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!CreateWindowExW  76C3EC7C 5 Bytes  JMP 6FE803DF C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!DefWindowProcW  76C4507D 7 Bytes  JMP 6FE78054 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!DialogBoxParamW  76C53B9B 5 Bytes  JMP 6FDB189B C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!DialogBoxIndirectParamW  76C63B7F 5 Bytes  JMP 6FFA91B6 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!DialogBoxParamA  76C7CF42 5 Bytes  JMP 6FFA9151 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!DialogBoxIndirectParamA  76C7D274 5 Bytes  JMP 6FFA921B C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!MessageBoxIndirectA  76C8E869 5 Bytes  JMP 6FFA90D8 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!MessageBoxIndirectW  76C8E963 5 Bytes  JMP 6FFA905F C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!MessageBoxExA  76C8E9C9 5 Bytes  JMP 6FFA8FFB C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] USER32.dll!MessageBoxExW  76C8E9ED 5 Bytes  JMP 6FFA8F97 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[3756] ole32.dll!OleLoadFromStream  769F6143 5 Bytes  JMP 6FFA9984 C:\Windows\system32\IEFRAME.dll

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0xC6 0x0F 0x42 0x76 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0  C:\Program Files\DAEMON Tools Lite\
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x56 0x29 0x84 0x7B ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0  0xA0 0x02 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12  0x8D 0x1A 0x2C 0x89 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12  0x2E 0x1D 0x47 0x69 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12  0xF0 0xC3 0x30 0x13 ...
Reg  HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@D:\Program Files\Electronic Arts\Harry Potter i Insygnia Śmierci(TM) \x2013 część 1\Support\Harry Potter and the Deathly Hallows Part 1_code.exe  1

---- EOF - GMER 2.1 ----
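The triage question a GMER "code sections" listing raises is not whether hooks exist (every line above inside iexplore.exe is an inline JMP whose target GMER resolves to C:\Windows\system32\IEFRAME.dll, Internet Explorer's own frame component, and the sptd registry keys belong to the DAEMON Tools SPTD driver, whose install path the log itself records under @p0), but whether any hook lands in a module that has no business being there, or in no named module at all. The helper below is an added example, not part of the original scan or of GMER; it parses the two ".text" line formats by section, groups user-mode hooks by the owning module, and flags any hook whose owner is outside an allowlist. The allowlist (only IEFRAME.dll) is an assumption for illustration, and the final sample line with unknown_example.dll is constructed to exercise the flagging path; it does not appear in the log.

```python
"""Triage helper for GMER 'Kernel code sections' / 'User code sections' lines.

Added example; not part of the original GMER log or of GMER itself.
"""
import ntpath
import re
from collections import Counter

# Assumed allowlist for this illustration (nothing in the log states it):
# modules expected to inline-hook Win32 APIs inside iexplore.exe.
EXPECTED_HOOK_OWNERS = {"ieframe.dll"}

# Sample input. All lines except the last ".text" line are copied from the
# scan above. The last one is CONSTRUCTED to show an unexpected hook owner.
SAMPLE_LOG = r"""---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 140D  8285CA09 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  828961F2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!EnableWindow  76C38D02 5 Bytes  JMP 6FE59EBC C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[312] USER32.dll!DialogBoxParamW  76C53B9B 5 Bytes  JMP 6FDB189B C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] kernel32.dll!CreateThread  76B9DCC2 5 Bytes  JMP 6FE175E3 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] ole32.dll!OleLoadFromStream  769F6143 5 Bytes  JMP 6FFA9984 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[444] USER32.dll!MessageBoxExW  76C8E9ED 5 Bytes  JMP 10001234 C:\Users\Public\unknown_example.dll
"""

SECTION = re.compile(r"^---- (?P<name>.+?) - GMER")

# .text  <image>[<pid>] <module>!<func>  <addr> <n> Bytes  JMP <target> [<owner path>]
USER_HOOK = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^\s!]+)!(?P<func>\S+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes?\s+"
    r"JMP\s+(?P<target>[0-9A-F]{8})(?:\s+(?P<owner>\S.*?))?\s*$",
    re.IGNORECASE,
)

# .text  <module>!<func> + <offset>  <addr> <n> Bytes  [<bytes>] {<disasm>}
KERNEL_PATCH = re.compile(
    r"^\.text\s+(?P<module>[^\s!]+)!(?P<func>\S+)\s*\+\s*(?P<offset>[0-9A-F]+)\s+"
    r"(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+)\s+Bytes?\s+\[(?P<bytes>[^\]]*)\]"
    r"(?:\s*\{(?P<disasm>[^}]*)\})?",
    re.IGNORECASE,
)


def parse_gmer(log_text):
    """Dispatch each '.text' line to the parser for the section it sits in."""
    section = None
    kernel, hooks, unparsed = [], [], []
    for raw in log_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = SECTION.match(line)
        if m:
            section = m.group("name")
            continue
        if not line.startswith(".text"):
            continue  # Reg / header lines are out of scope here
        in_kernel = (section or "").startswith("Kernel")
        pattern = KERNEL_PATCH if in_kernel else USER_HOOK
        m = pattern.match(line)
        if not m:
            unparsed.append(line)  # keep, never silently drop a hook line
        elif in_kernel:
            kernel.append(m.groupdict())
        else:
            hooks.append(m.groupdict())
    return kernel, hooks, unparsed


def triage(log_text, expected_owners=EXPECTED_HOOK_OWNERS):
    """Group user hooks by owning module and flag owners outside the allowlist.

    A hook with no owner path (GMER could not map the JMP target to a module)
    is always flagged: that is the pattern an injected, unbacked stub shows.
    """
    kernel, hooks, unparsed = parse_gmer(log_text)
    unexpected = []
    for h in hooks:
        owner = ntpath.basename(h["owner"]).lower() if h["owner"] else None
        h["owner_name"] = owner
        if owner not in expected_owners:
            unexpected.append(h)
    return {
        "kernel_patches": kernel,
        "hooks": hooks,
        "hooks_by_owner": dict(Counter(h["owner_name"] for h in hooks)),
        "unexpected_hooks": unexpected,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for k in result["kernel_patches"]:
        print(f"KERNEL  {k['module']}!{k['func']}+{k['offset']} {k['size']}B at {k['addr']}")
    for owner, n in result["hooks_by_owner"].items():
        print(f"OWNER   {owner}: {n} hook(s)")
    for h in result["unexpected_hooks"]:
        print(f"REVIEW  pid {h['pid']} {h['module']}!{h['func']} -> {h['target']} ({h['owner_name']})")
```

Kernel code section entries are reported unconditionally rather than allowlisted: a patch inside ntkrnlpa.exe is only judged by comparing the bytes against a known-good copy of the same kernel build, which a log parser cannot do. The user-mode allowlist is a triage aid, not a verdict: a module name in the owner column is what GMER resolved from the JMP target, so the follow-up is to confirm that file's path and Authenticode signature on the host, not to trust the name alone.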