GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-18 17:53:36 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AAKX-001CA0 rev.15.01H15 465.76GB Running: gmer.exe; Driver: C:\Users\Tadeusz\AppData\Local\Temp\pwniipob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8A3D3260] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8A3D3320] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8A3D32E0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8A3D32A0] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1419 8303C995 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8305C5F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 14CB 83063BA0 4 Bytes [60, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 15DB 83063CB0 4 Bytes [20, 33, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 18E7 83063FBC 4 Bytes [E0, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 192F 83064004 4 Bytes [A0, 32, 3D, 8A] ---- User code sections - GMER 2.1 ---- .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 003F0095 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 003F002D .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003F00C9 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 003F0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01E90095 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01E9002D .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01E900C9 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01E90061 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 026A0095 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 026A002D .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 026A00C9 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 026A0061 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 040C0095 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 040C002D .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 040C00C9 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 040C0061 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 030B0095 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 030B002D .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 030B00C9 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 030B0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1460] kernel32.dll!SetUnhandledExceptionFilter 76F6F5AB 4 Bytes [C2, 04, 00, 00] .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01F40095 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01F4002D .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01F400C9 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01F40061 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00D80095 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 00D8002D .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 00D800C9 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00D80061 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 03510095 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0351002D .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 035100C9 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 03510061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 26 769E30AA 3 Bytes JMP 002F0095 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 2A 769E30AE 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CA 769E6BD8 3 Bytes JMP 002F002D .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CE 769E6BDC 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + B9 769E7142 3 Bytes JMP 002F00C9 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + BD 769E7146 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 94 769ECC3A 3 Bytes JMP 002F0061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 98 769ECC3E 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtCreateFile 76E25608 5 Bytes JMP 59A5D620 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtFlushBuffersFile 76E25998 5 Bytes JMP 59A44454 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtQueryFullAttributesFile 76E26028 5 Bytes JMP 59A44170 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFile 76E262F8 5 Bytes JMP 59A44350 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFileScatter 76E26308 5 Bytes JMP 5A3891E4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFile 76E26AA8 5 Bytes JMP 59A5E4F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFileGather 76E26AB8 5 Bytes JMP 5A389193 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!LdrLoadDll 76E422AE 5 Bytes JMP 5F641F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76F694E6 7 Bytes JMP 5A2F0A09 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!QueryPerformanceCounter + 13 76F6C4E5 7 Bytes JMP 5A2F0A2C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!LoadAppInitDlls + 355 76F6F5A6 7 Bytes JMP 59A5A0C0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] USER32.dll!GetWindowInfo 75274B5E 5 Bytes JMP 5A1F7F61 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] GDI32.dll!GetViewportOrgEx + 26C 7637884B 7 Bytes JMP 5A2F098A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00360095 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0036002D .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003600C9 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00360061 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73A3249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73A15652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73A15710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73A3251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73A2857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73A24D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73A250D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73A251AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73A266DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73A282D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73A28824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73A29085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73A2E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73A24C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-18 17:53:36 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AAKX-001CA0 rev.15.01H15 465.76GB Running: gmer.exe; Driver: C:\Users\Tadeusz\AppData\Local\Temp\pwniipob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8A3D3260] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8A3D3320] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8A3D32E0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8A3D32A0] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1419 8303C995 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8305C5F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 14CB 83063BA0 4 Bytes [60, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 15DB 83063CB0 4 Bytes [20, 33, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 18E7 83063FBC 4 Bytes [E0, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 192F 83064004 4 Bytes [A0, 32, 3D, 8A] ---- User code sections - GMER 2.1 ---- .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 003F0095 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 003F002D .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003F00C9 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 003F0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01E90095 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01E9002D .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01E900C9 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01E90061 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 026A0095 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 026A002D .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 026A00C9 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 026A0061 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 040C0095 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 040C002D .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 040C00C9 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 040C0061 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 030B0095 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 030B002D .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 030B00C9 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 030B0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1460] kernel32.dll!SetUnhandledExceptionFilter 76F6F5AB 4 Bytes [C2, 04, 00, 00] .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01F40095 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01F4002D .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01F400C9 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01F40061 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00D80095 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 00D8002D .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 00D800C9 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00D80061 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 03510095 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0351002D .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 035100C9 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 03510061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 26 769E30AA 3 Bytes JMP 002F0095 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 2A 769E30AE 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CA 769E6BD8 3 Bytes JMP 002F002D .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CE 769E6BDC 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + B9 769E7142 3 Bytes JMP 002F00C9 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + BD 769E7146 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 94 769ECC3A 3 Bytes JMP 002F0061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 98 769ECC3E 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtCreateFile 76E25608 5 Bytes JMP 59A5D620 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtFlushBuffersFile 76E25998 5 Bytes JMP 59A44454 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtQueryFullAttributesFile 76E26028 5 Bytes JMP 59A44170 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFile 76E262F8 5 Bytes JMP 59A44350 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFileScatter 76E26308 5 Bytes JMP 5A3891E4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFile 76E26AA8 5 Bytes JMP 59A5E4F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFileGather 76E26AB8 5 Bytes JMP 5A389193 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!LdrLoadDll 76E422AE 5 Bytes JMP 5F641F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76F694E6 7 Bytes JMP 5A2F0A09 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!QueryPerformanceCounter + 13 76F6C4E5 7 Bytes JMP 5A2F0A2C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!LoadAppInitDlls + 355 76F6F5A6 7 Bytes JMP 59A5A0C0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] USER32.dll!GetWindowInfo 75274B5E 5 Bytes JMP 5A1F7F61 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] GDI32.dll!GetViewportOrgEx + 26C 7637884B 7 Bytes JMP 5A2F098A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00360095 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0036002D .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003600C9 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00360061 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73A3249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73A15652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73A15710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73A3251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73A2857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73A24D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73A250D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73A251AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73A266DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73A282D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73A28824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73A29085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73A2E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73A24C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-18 17:53:36 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AAKX-001CA0 rev.15.01H15 465.76GB Running: gmer.exe; Driver: C:\Users\Tadeusz\AppData\Local\Temp\pwniipob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8A3D3260] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8A3D3320] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8A3D32E0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8A3D32A0] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1419 8303C995 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8305C5F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 14CB 83063BA0 4 Bytes [60, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 15DB 83063CB0 4 Bytes [20, 33, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 18E7 83063FBC 4 Bytes [E0, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 192F 83064004 4 Bytes [A0, 32, 3D, 8A] ---- User code sections - GMER 2.1 ---- .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 003F0095 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 003F002D .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003F00C9 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 003F0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01E90095 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01E9002D .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01E900C9 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01E90061 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 026A0095 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 026A002D .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 026A00C9 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 026A0061 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 040C0095 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 040C002D .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 040C00C9 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 040C0061 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 030B0095 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 030B002D .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 030B00C9 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 030B0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1460] kernel32.dll!SetUnhandledExceptionFilter 76F6F5AB 4 Bytes [C2, 04, 00, 00] .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01F40095 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01F4002D .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01F400C9 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01F40061 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00D80095 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 00D8002D .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 00D800C9 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00D80061 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 03510095 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0351002D .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 035100C9 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 03510061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 26 769E30AA 3 Bytes JMP 002F0095 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 2A 769E30AE 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CA 769E6BD8 3 Bytes JMP 002F002D .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CE 769E6BDC 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + B9 769E7142 3 Bytes JMP 002F00C9 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + BD 769E7146 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 94 769ECC3A 3 Bytes JMP 002F0061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 98 769ECC3E 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtCreateFile 76E25608 5 Bytes JMP 59A5D620 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtFlushBuffersFile 76E25998 5 Bytes JMP 59A44454 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtQueryFullAttributesFile 76E26028 5 Bytes JMP 59A44170 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFile 76E262F8 5 Bytes JMP 59A44350 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFileScatter 76E26308 5 Bytes JMP 5A3891E4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFile 76E26AA8 5 Bytes JMP 59A5E4F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFileGather 76E26AB8 5 Bytes JMP 5A389193 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!LdrLoadDll 76E422AE 5 Bytes JMP 5F641F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76F694E6 7 Bytes JMP 5A2F0A09 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!QueryPerformanceCounter + 13 76F6C4E5 7 Bytes JMP 5A2F0A2C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!LoadAppInitDlls + 355 76F6F5A6 7 Bytes JMP 59A5A0C0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] USER32.dll!GetWindowInfo 75274B5E 5 Bytes JMP 5A1F7F61 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] GDI32.dll!GetViewportOrgEx + 26C 7637884B 7 Bytes JMP 5A2F098A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00360095 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0036002D .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003600C9 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00360061 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73A3249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73A15652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73A15710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73A3251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73A2857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73A24D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73A250D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73A251AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73A266DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73A282D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73A28824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73A29085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73A2E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73A24C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-18 17:53:36 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AAKX-001CA0 rev.15.01H15 465.76GB Running: gmer.exe; Driver: C:\Users\Tadeusz\AppData\Local\Temp\pwniipob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8A3D3260] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8A3D3320] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8A3D32E0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8A3D32A0] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1419 8303C995 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8305C5F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 14CB 83063BA0 4 Bytes [60, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 15DB 83063CB0 4 Bytes [20, 33, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 18E7 83063FBC 4 Bytes [E0, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 192F 83064004 4 Bytes [A0, 32, 3D, 8A] ---- User code sections - GMER 2.1 ---- .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 003F0095 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 003F002D .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003F00C9 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 003F0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01E90095 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01E9002D .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01E900C9 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01E90061 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 026A0095 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 026A002D .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 026A00C9 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 026A0061 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 040C0095 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 040C002D .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 040C00C9 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 040C0061 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 030B0095 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 030B002D .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 030B00C9 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 030B0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1460] kernel32.dll!SetUnhandledExceptionFilter 76F6F5AB 4 Bytes [C2, 04, 00, 00] .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01F40095 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01F4002D .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01F400C9 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01F40061 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00D80095 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 00D8002D .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 00D800C9 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00D80061 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 03510095 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0351002D .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 035100C9 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 03510061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 26 769E30AA 3 Bytes JMP 002F0095 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 2A 769E30AE 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CA 769E6BD8 3 Bytes JMP 002F002D .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CE 769E6BDC 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + B9 769E7142 3 Bytes JMP 002F00C9 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + BD 769E7146 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 94 769ECC3A 3 Bytes JMP 002F0061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 98 769ECC3E 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtCreateFile 76E25608 5 Bytes JMP 59A5D620 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtFlushBuffersFile 76E25998 5 Bytes JMP 59A44454 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtQueryFullAttributesFile 76E26028 5 Bytes JMP 59A44170 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFile 76E262F8 5 Bytes JMP 59A44350 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFileScatter 76E26308 5 Bytes JMP 5A3891E4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFile 76E26AA8 5 Bytes JMP 59A5E4F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFileGather 76E26AB8 5 Bytes JMP 5A389193 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!LdrLoadDll 76E422AE 5 Bytes JMP 5F641F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76F694E6 7 Bytes JMP 5A2F0A09 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!QueryPerformanceCounter + 13 76F6C4E5 7 Bytes JMP 5A2F0A2C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!LoadAppInitDlls + 355 76F6F5A6 7 Bytes JMP 59A5A0C0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] USER32.dll!GetWindowInfo 75274B5E 5 Bytes JMP 5A1F7F61 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] GDI32.dll!GetViewportOrgEx + 26C 7637884B 7 Bytes JMP 5A2F098A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00360095 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0036002D .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003600C9 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00360061 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73A3249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73A15652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73A15710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73A3251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73A2857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73A24D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73A250D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73A251AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73A266DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73A282D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73A28824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73A29085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73A2E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73A24C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-18 17:53:36 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AAKX-001CA0 rev.15.01H15 465.76GB Running: gmer.exe; Driver: C:\Users\Tadeusz\AppData\Local\Temp\pwniipob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8A3D3260] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8A3D3320] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8A3D32E0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8A3D32A0] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1419 8303C995 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8305C5F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 14CB 83063BA0 4 Bytes [60, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 15DB 83063CB0 4 Bytes [20, 33, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 18E7 83063FBC 4 Bytes [E0, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 192F 83064004 4 Bytes [A0, 32, 3D, 8A] ---- User code sections - GMER 2.1 ---- .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 003F0095 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 003F002D .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003F00C9 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 003F0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01E90095 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01E9002D .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01E900C9 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01E90061 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 026A0095 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 026A002D .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 026A00C9 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 026A0061 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 040C0095 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 040C002D .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 040C00C9 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 040C0061 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 030B0095 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 030B002D .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 030B00C9 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 030B0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1460] kernel32.dll!SetUnhandledExceptionFilter 76F6F5AB 4 Bytes [C2, 04, 00, 00] .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01F40095 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01F4002D .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01F400C9 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01F40061 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00D80095 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 00D8002D .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 00D800C9 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00D80061 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 03510095 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0351002D .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 035100C9 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 03510061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 26 769E30AA 3 Bytes JMP 002F0095 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 2A 769E30AE 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CA 769E6BD8 3 Bytes JMP 002F002D .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CE 769E6BDC 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + B9 769E7142 3 Bytes JMP 002F00C9 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + BD 769E7146 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 94 769ECC3A 3 Bytes JMP 002F0061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 98 769ECC3E 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtCreateFile 76E25608 5 Bytes JMP 59A5D620 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtFlushBuffersFile 76E25998 5 Bytes JMP 59A44454 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtQueryFullAttributesFile 76E26028 5 Bytes JMP 59A44170 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFile 76E262F8 5 Bytes JMP 59A44350 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFileScatter 76E26308 5 Bytes JMP 5A3891E4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFile 76E26AA8 5 Bytes JMP 59A5E4F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFileGather 76E26AB8 5 Bytes JMP 5A389193 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!LdrLoadDll 76E422AE 5 Bytes JMP 5F641F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76F694E6 7 Bytes JMP 5A2F0A09 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!QueryPerformanceCounter + 13 76F6C4E5 7 Bytes JMP 5A2F0A2C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!LoadAppInitDlls + 355 76F6F5A6 7 Bytes JMP 59A5A0C0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] USER32.dll!GetWindowInfo 75274B5E 5 Bytes JMP 5A1F7F61 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] GDI32.dll!GetViewportOrgEx + 26C 7637884B 7 Bytes JMP 5A2F098A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00360095 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0036002D .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003600C9 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00360061 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73A3249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73A15652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73A15710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73A3251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73A2857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73A24D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73A250D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73A251AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73A266DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73A282D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73A28824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73A29085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73A2E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73A24C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-18 17:53:36 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AAKX-001CA0 rev.15.01H15 465.76GB Running: gmer.exe; Driver: C:\Users\Tadeusz\AppData\Local\Temp\pwniipob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8A3D3260] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8A3D3320] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8A3D32E0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8A3D32A0] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1419 8303C995 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8305C5F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 14CB 83063BA0 4 Bytes [60, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 15DB 83063CB0 4 Bytes [20, 33, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 18E7 83063FBC 4 Bytes [E0, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 192F 83064004 4 Bytes [A0, 32, 3D, 8A] ---- User code sections - GMER 2.1 ---- .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 003F0095 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 003F002D .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003F00C9 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 003F0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01E90095 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01E9002D .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01E900C9 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01E90061 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 026A0095 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 026A002D .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 026A00C9 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 026A0061 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 040C0095 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 040C002D .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 040C00C9 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 040C0061 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 030B0095 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 030B002D .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 030B00C9 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 030B0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1460] kernel32.dll!SetUnhandledExceptionFilter 76F6F5AB 4 Bytes [C2, 04, 00, 00] .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01F40095 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01F4002D .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01F400C9 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01F40061 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00D80095 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 00D8002D .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 00D800C9 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00D80061 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 03510095 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0351002D .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 035100C9 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 03510061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 26 769E30AA 3 Bytes JMP 002F0095 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 2A 769E30AE 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CA 769E6BD8 3 Bytes JMP 002F002D .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CE 769E6BDC 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + B9 769E7142 3 Bytes JMP 002F00C9 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + BD 769E7146 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 94 769ECC3A 3 Bytes JMP 002F0061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 98 769ECC3E 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtCreateFile 76E25608 5 Bytes JMP 59A5D620 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtFlushBuffersFile 76E25998 5 Bytes JMP 59A44454 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtQueryFullAttributesFile 76E26028 5 Bytes JMP 59A44170 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFile 76E262F8 5 Bytes JMP 59A44350 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFileScatter 76E26308 5 Bytes JMP 5A3891E4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFile 76E26AA8 5 Bytes JMP 59A5E4F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFileGather 76E26AB8 5 Bytes JMP 5A389193 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!LdrLoadDll 76E422AE 5 Bytes JMP 5F641F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76F694E6 7 Bytes JMP 5A2F0A09 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!QueryPerformanceCounter + 13 76F6C4E5 7 Bytes JMP 5A2F0A2C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!LoadAppInitDlls + 355 76F6F5A6 7 Bytes JMP 59A5A0C0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] USER32.dll!GetWindowInfo 75274B5E 5 Bytes JMP 5A1F7F61 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] GDI32.dll!GetViewportOrgEx + 26C 7637884B 7 Bytes JMP 5A2F098A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00360095 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0036002D .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003600C9 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00360061 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73A3249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73A15652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73A15710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73A3251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73A2857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73A24D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73A250D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73A251AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73A266DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73A282D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73A28824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73A29085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73A2E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73A24C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-18 17:53:36 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 WDC_WD5000AAKX-001CA0 rev.15.01H15 465.76GB Running: gmer.exe; Driver: C:\Users\Tadeusz\AppData\Local\Temp\pwniipob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x8A3D3260] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x8A3D3320] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x8A3D32E0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x8A3D32A0] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1419 8303C995 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8305C5F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 14CB 83063BA0 4 Bytes [60, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 15DB 83063CB0 4 Bytes [20, 33, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 18E7 83063FBC 4 Bytes [E0, 32, 3D, 8A] .text ntoskrnl.exe!KeRemoveQueueEx + 192F 83064004 4 Bytes [A0, 32, 3D, 8A] ---- User code sections - GMER 2.1 ---- .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 003F0095 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 003F002D .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003F00C9 .text D:\dysk H\internet\OTL.com[188] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 003F0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01E90095 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01E9002D .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01E900C9 .text C:\Program Files\ESET\ESET NOD32 Antivirus\egui.exe[388] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01E90061 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 026A0095 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 026A002D .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 026A00C9 .text C:\Program Files\IncrediMail\Bin\IncMail.exe[612] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 026A0061 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 040C0095 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 040C002D .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 040C00C9 .text D:\dysk D\prog.poz\Clock\HTC Home\Clock.exe[1028] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 040C0061 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 030B0095 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 030B002D .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 030B00C9 .text C:\Program Files\IncrediMail\Bin\ImApp.exe[1400] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 030B0061 .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1460] kernel32.dll!SetUnhandledExceptionFilter 76F6F5AB 4 Bytes [C2, 04, 00, 00] .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 01F40095 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 01F4002D .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 01F400C9 .text C:\Windows\system32\taskhost.exe[1640] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 01F40061 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00D80095 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 00D8002D .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 00D800C9 .text C:\Windows\system32\Dwm.exe[1788] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00D80061 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 03510095 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0351002D .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 035100C9 .text C:\Windows\Explorer.EXE[1828] ws2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 03510061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 26 769E30AA 3 Bytes JMP 002F0095 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!ioctlsocket + 2A 769E30AE 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CA 769E6BD8 3 Bytes JMP 002F002D .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!recv + CE 769E6BDC 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + B9 769E7142 3 Bytes JMP 002F00C9 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecv + BD 769E7146 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 94 769ECC3A 3 Bytes JMP 002F0061 .text D:\dysk H\internet\gmer.exe[2616] ws2_32.dll!WSARecvFrom + 98 769ECC3E 3 Bytes [89, EB, F9] {MOV EBX, EBP; STC } .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtCreateFile 76E25608 5 Bytes JMP 59A5D620 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtFlushBuffersFile 76E25998 5 Bytes JMP 59A44454 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtQueryFullAttributesFile 76E26028 5 Bytes JMP 59A44170 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFile 76E262F8 5 Bytes JMP 59A44350 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtReadFileScatter 76E26308 5 Bytes JMP 5A3891E4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFile 76E26AA8 5 Bytes JMP 59A5E4F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!NtWriteFileGather 76E26AB8 5 Bytes JMP 5A389193 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] ntdll.dll!LdrLoadDll 76E422AE 5 Bytes JMP 5F641F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 76F694E6 7 Bytes JMP 5A2F0A09 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!QueryPerformanceCounter + 13 76F6C4E5 7 Bytes JMP 5A2F0A2C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] kernel32.dll!LoadAppInitDlls + 355 76F6F5A6 7 Bytes JMP 59A5A0C0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] USER32.dll!GetWindowInfo 75274B5E 5 Bytes JMP 5A1F7F61 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] GDI32.dll!GetViewportOrgEx + 26C 7637884B 7 Bytes JMP 5A2F098A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!ioctlsocket + 26 769E30AA 7 Bytes JMP 00360095 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!recv + CA 769E6BD8 7 Bytes JMP 0036002D .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecv + B9 769E7142 7 Bytes JMP 003600C9 .text C:\Program Files\Mozilla Firefox\firefox.exe[4064] WS2_32.dll!WSARecvFrom + 94 769ECC3A 7 Bytes JMP 00360061 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73A3249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73A15652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73A15710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73A3251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73A2857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73A24D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73A250D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73A251AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [73A266DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73A282D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73A28824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73A29085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73A2E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[1828] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73A24C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys