GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-08 18:01:26
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 Hitachi_HDP725025GLA380 rev.GM2OA52A 232,89GB
Running: 71k5nl.exe; Driver: C:\Users\ad\AppData\Local\Temp\aftdapod.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\DRIVERS\atikmdag.sys  section is writeable [0x8CC0D000, 0x210C46, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!EnableWindow  7562CD8B 5 Bytes  JMP 71A19ED4 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!DialogBoxParamW  756510B0 5 Bytes  JMP 719718B3 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!DialogBoxIndirectParamW  75652EF5 5 Bytes  JMP 71B691B6 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!DialogBoxParamA  75668152 5 Bytes  JMP 71B69151 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!DialogBoxIndirectParamA  7566847D 5 Bytes  JMP 71B6921B C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!MessageBoxIndirectA  7567D4D9 5 Bytes  JMP 71B690D8 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!MessageBoxIndirectW  7567D5D3 5 Bytes  JMP 71B6905F C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!MessageBoxExA  7567D639 5 Bytes  JMP 71B68FFB C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1596] USER32.dll!MessageBoxExW  7567D65D 5 Bytes  JMP 71B68F97 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] kernel32.dll!CreateThread  7570CBEE 5 Bytes  JMP 719D75DB C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!CreateDialogParamW  756272A2 5 Bytes  JMP 71B69520 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!GetAsyncKeyState  7562863C 5 Bytes  JMP 719BDEC5 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!SetWindowsHookExW  756287AD 5 Bytes  JMP 71A125CC C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!CallNextHookEx  75628E3B 5 Bytes  JMP 71A3801F C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!UnhookWindowsHookEx  756298DB 5 Bytes  JMP 71A5ED28 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!EnableWindow  7562CD8B 5 Bytes  JMP 71A19ED4 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!DefWindowProcA  7562DB88 7 Bytes  JMP 719D9805 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!CreateWindowExA  7562DC2A 5 Bytes  JMP 719E3627 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!CreateWindowExW  75631305 5 Bytes  JMP 71A4040F C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!GetKeyState  75638CB1 5 Bytes  JMP 719BDD9B C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!DefWindowProcW  756403B4 7 Bytes  JMP 71A38082 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!IsDialogMessageW  75640745 5 Bytes  JMP 71B69C9E C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!CreateDialogParamA  756417AA 5 Bytes  JMP 71B694E8 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!IsDialogMessage  75641847 5 Bytes  JMP 71B69C76 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!CreateDialogIndirectParamA  756426F1 5 Bytes  JMP 71B69558 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!CreateDialogIndirectParamW  75649A62 5 Bytes  JMP 71B69590 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!SetKeyboardState  75650987 5 Bytes  JMP 71B6A565 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!DialogBoxParamW  756510B0 5 Bytes  JMP 719718B3 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!DialogBoxIndirectParamW  75652EF5 5 Bytes  JMP 71B691B6 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!SendInput  75652F75 5 Bytes  JMP 71B6A50D C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!EndDialog  7565326E 5 Bytes  JMP 71B69F4A C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!SetCursorPos  75666FB2 5 Bytes  JMP 71B6A5E6 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!DialogBoxParamA  75668152 5 Bytes  JMP 71B69151 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!DialogBoxIndirectParamA  7566847D 5 Bytes  JMP 71B6921B C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!MessageBoxIndirectA  7567D4D9 5 Bytes  JMP 71B690D8 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!MessageBoxIndirectW  7567D5D3 5 Bytes  JMP 71B6905F C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!MessageBoxExA  7567D639 5 Bytes  JMP 71B68FFB C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!MessageBoxExW  7567D65D 5 Bytes  JMP 71B68F97 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!keybd_event  7567D972 5 Bytes  JMP 71B6A4CA C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] SHELL32.dll!SHRestricted + D95  75A788D8 4 Bytes  [CF, 01, 6F, 6F] {IRET ; ADD [EDI+0x6f], EBP}
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] SHELL32.dll!SHRestricted + D9D  75A788E0 8 Bytes  [E0, 61, 6E, 6F, 79, F7, 6E, ...] {LOOPNZ 0x63; OUTS DX, BYTE [ESI]; OUTS DX, DWORD [ESI]; JNS 0xfffffffd; OUTS DX, BYTE [ESI]; OUTS DX, DWORD [ESI]}
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] ole32.dll!OleLoadFromStream  766D1E80 5 Bytes  JMP 71B699A8 C:\Windows\system32\IEFRAME.dll

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73C97817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73CDB4F1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73C9BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73C8F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73C975E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73C8E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73CC73F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73C9DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73C8FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73C8FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73C871CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73D1CB00] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73CBC8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73C8D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73C86853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73C8687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73C92AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll

---- EOF - GMER 2.1 ----
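A GMER log like the one above is flat tool output, and triage is easier once the findings are grouped by hooked process and by the module each hook lands in, with the entries that have no resolvable destination (the raw byte patches at SHELL32.dll!SHRestricted and the writeable driver section) set aside for manual review. The parser below is an added example; it is not code from the original post or from GMER. It assumes GMER's plain-text layout (one finding per line, sections framed by `----`) and embeds a subset of the lines above as a constructed sample so it runs offline. The `jmp_rel32_bytes` helper reconstructs the canonical `E9 rel32` encoding that a "5 Bytes JMP" entry implies; GMER does not print the overwritten bytes, and the helper says nothing about the 7-byte entries.

```python
"""Parse a GMER 2.1 text log into hook records and summarise them.

Added example, not code from the original post nor from GMER. Assumes GMER's
plain-text layout; the sample is a subset of lines copied from the scan above.
"""
import re
from collections import defaultdict

# Constructed sample: a subset of the scan above, not the full log.
SAMPLE_LOG = r"""GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-08 18:01:26

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\DRIVERS\atikmdag.sys  section is writeable [0x8CC0D000, 0x210C46, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] kernel32.dll!CreateThread  7570CBEE 5 Bytes  JMP 719D75DB C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!SetWindowsHookExW  756287AD 5 Bytes  JMP 71A125CC C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] USER32.dll!DefWindowProcA  7562DB88 7 Bytes  JMP 719D9805 C:\Windows\system32\IEFRAME.dll
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] SHELL32.dll!SHRestricted + D95  75A788D8 4 Bytes  [CF, 01, 6F, 6F] {IRET ; ADD [EDI+0x6f], EBP}
.text  C:\Program Files\Internet Explorer\iexplore.exe[1624] ole32.dll!OleLoadFromStream  766D1E80 5 Bytes  JMP 71B699A8 C:\Windows\system32\IEFRAME.dll

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[1476] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73C975E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18813_none_9e51e050ca1696a4\gdiplus.dll

---- EOF - GMER 2.1 ----
"""

KERNEL_RE = re.compile(r"^\.text\s+(?P<image>\S+)\s+section is writeable \[(?P<vals>[^\]]+)\]")
INLINE_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<symbol>\S+![^\s]+(?:\s\+\s[0-9A-Fa-f]+)?)\s+"
    r"(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+) Bytes\s+(?P<rest>.*)$")
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9A-Fa-f]{8})\s+(?P<module>.+)$")
PATCH_RE = re.compile(r"^\[(?P<bytes>[^\]]+)\]\s*(?:\{(?P<disasm>.*)\})?$")
IAT_RE = re.compile(
    r"^IAT\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+@\s+(?P<caller>.+?)\s+"
    r"\[(?P<symbol>[^\]]+)\]\s+\[(?P<target>[0-9A-Fa-f]{8})\]\s+(?P<module>.+)$")


def parse_gmer(text):
    """Return one dict per finding; header, blank and '----' lines are skipped."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("----"):
            continue
        m = KERNEL_RE.match(line)
        if m:  # driver .text mapped writeable; GMER reports it without a cause
            records.append({"kind": "kernel_section", "image": m["image"], "detail": m["vals"]})
            continue
        m = INLINE_RE.match(line)
        if m:
            rec = {"image": m["image"], "pid": int(m["pid"]), "symbol": m["symbol"],
                   "addr": int(m["addr"], 16), "size": int(m["size"])}
            j = JMP_RE.match(m["rest"])
            if j:  # prologue overwritten with a JMP into another module
                rec.update(kind="inline", target=int(j["target"], 16), module=j["module"])
            else:  # raw byte patch: no destination to resolve
                p = PATCH_RE.match(m["rest"])
                rec.update(kind="patch", target=None, module=None,
                           bytes=[b.strip() for b in p["bytes"].split(",")] if p else [],
                           disasm=p["disasm"] if p else None)
            records.append(rec)
            continue
        m = IAT_RE.match(line)
        if m:  # import-table slot redirected; GMER prints where it now points
            records.append({"kind": "iat", "image": m["image"], "pid": int(m["pid"]),
                            "symbol": m["symbol"], "target": int(m["target"], 16),
                            "module": m["module"]})
    return records


def summarize(records):
    """(process, pid) -> destination module -> hooked symbols; unresolvable
    findings (byte patches, writeable kernel sections) come back separately."""
    by_process = defaultdict(lambda: defaultdict(list))
    review = []
    for r in records:
        if r["kind"] in ("inline", "iat"):
            by_process[(r["image"], r["pid"])][r["module"]].append(r["symbol"])
        else:
            review.append(r)
    return by_process, review


def jmp_rel32_bytes(hook_addr, target):
    """Canonical 5-byte near JMP (E9 rel32) for a '5 Bytes JMP' entry.
    rel32 is relative to the byte after the instruction, i.e. hook_addr + 5."""
    rel = (target - (hook_addr + 5)) & 0xFFFFFFFF
    return b"\xE9" + rel.to_bytes(4, "little")


if __name__ == "__main__":
    summary, review = summarize(parse_gmer(SAMPLE_LOG))
    for (image, pid), modules in summary.items():
        for module, symbols in modules.items():
            print(f"{image}[{pid}] -> {module}: {len(symbols)} hook(s)")
    for r in review:
        print("manual review:", r["kind"], r["image"], r.get("symbol", ""))
    print("E9 encoding, CreateThread hook:", jmp_rel32_bytes(0x7570CBEE, 0x719D75DB).hex())
```

Run against the full log, the summary shows every JMP in both iexplore.exe processes resolving to C:\Windows\system32\IEFRAME.dll and every Explorer.EXE IAT entry to the WinSxS gdiplus.dll; the check an analyst then applies is whether each destination is a signed module that belongs in that process, and a hook landing in an unsigned DLL or in a temp directory is what would warrant chasing. The two SHRestricted byte patches and the writeable atikmdag.sys section carry no destination, so they land in the review list for hand inspection.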