GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-15 23:53:17
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB
Running: m2ggc9w3.exe; Driver: C:\Users\Jacek\AppData\Local\Temp\pxldrpob.sys


---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 140D  83884A35 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  838BE392 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Internet Explorer\iexplore.exe[3124] shell32.DLL!RealDriveType + 173D  758FFD70 4 Bytes  [E0, C4, EA, 6B]
.text  C:\Program Files\Internet Explorer\iexplore.exe[3124] shell32.DLL!RealDriveType + 1745  758FFD78 8 Bytes  JMP EAC5B06B
.text  C:\Program Files\Internet Explorer\iexplore.exe[4040] shell32.DLL!RealDriveType + 173D  758FFD70 4 Bytes  [E0, C4, EA, 6B]
.text  C:\Program Files\Internet Explorer\iexplore.exe[4040] shell32.DLL!RealDriveType + 1745  758FFD78 8 Bytes  JMP EAC5B06B
.text  C:\Program Files\Internet Explorer\iexplore.exe[4512] shell32.DLL!RealDriveType + 173D  758FFD70 4 Bytes  [E0, C4, EA, 6B]
.text  ...

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc]  [72F7249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]  [72F55652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]  [72F55710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree]  [72F7251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]  [72F6857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]  [72F64D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]  [72F650D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]  [72F651AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [72F666DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]  [72F682D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]  [72F68824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]  [72F69085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]  [72F6E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[2172] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]  [72F64C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys
AttachedDevice  \Driver\tdx \Device\Tcp  tcpipBM.sys
AttachedDevice  \Driver\tdx \Device\Udp  ccnfd_1_10_0_4.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076cc706f
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{A0FA5ECB-A510-4223-A163-9688F619EAF4}@LeaseObtainedTime  1418681542
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{A0FA5ECB-A510-4223-A163-9688F619EAF4}@T1  1418683342
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{A0FA5ECB-A510-4223-A163-9688F619EAF4}@T2  1418684692
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{A0FA5ECB-A510-4223-A163-9688F619EAF4}@LeaseTerminatesTime  1418685142
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076cc706f (not active ControlSet)
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@58581E4C  6616

---- EOF - GMER 2.1 ----
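Triage of a GMER dump like the one above usually means pulling three things out of the text: which kernel image bytes were modified, which user-mode entries are inline JMP hooks rather than plain byte patches (and in how many processes the same hook recurs), and which filter drivers sit on device stacks such as \Device\Tcp and \Device\Udp. The parser below is an added example, not part of the posted log and not GMER's own code. Its column layout for `.text` and `AttachedDevice` entries is derived from the lines in this log only; the embedded sample is a subset of those entries restored to one per line, and the allowlist of filter images the analyst can account for (here just Wdf01000.sys) is an assumption supplied by whoever runs it, not a verdict on the other drivers.

```python
"""Parse GMER 2.1 'code sections' and 'Devices' entries into records for triage."""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: entries copied from the GMER log above, restored to one
# entry per line (the posted log had its line breaks collapsed).
SAMPLE_LOG = r"""GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-15 23:53:17
---- Kernel code sections - GMER 2.1 ----
.text  ntkrnlpa.exe!ZwRollbackEnlistment + 140D  83884A35 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  838BE392 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
---- User code sections - GMER 2.1 ----
.text  C:\Program Files\Internet Explorer\iexplore.exe[3124] shell32.DLL!RealDriveType + 173D  758FFD70 4 Bytes  [E0, C4, EA, 6B]
.text  C:\Program Files\Internet Explorer\iexplore.exe[3124] shell32.DLL!RealDriveType + 1745  758FFD78 8 Bytes  JMP EAC5B06B
.text  C:\Program Files\Internet Explorer\iexplore.exe[4040] shell32.DLL!RealDriveType + 1745  758FFD78 8 Bytes  JMP EAC5B06B
---- Devices - GMER 2.1 ----
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys
AttachedDevice  \Driver\tdx \Device\Tcp  tcpipBM.sys
AttachedDevice  \Driver\tdx \Device\Udp  ccnfd_1_10_0_4.sys
---- EOF - GMER 2.1 ----
"""

SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER 2\.1 ----$")
# ".text  <target>  <address> <n> Byte(s)  <patch>"; target is either
# "module!Symbol + off" (kernel) or "<image>[pid] module!Symbol + off" (user).
TEXT_RE = re.compile(r"^\.text\s+(?P<target>.+?)\s+(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+) Bytes?\s+(?P<patch>.+)$")
TARGET_RE = re.compile(r"^(?:(?P<process>.+?)\[(?P<pid>\d+)\]\s+)?(?P<module>\S+)!(?P<symbol>\w+) \+ (?P<offset>[0-9A-F]+)$")
DEVICE_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\\\S+)\s+(?P<device>\\\S+)\s+(?P<filter>\S+)$")


@dataclass(frozen=True)
class CodePatch:
    section: str            # GMER section the entry was listed under
    process: Optional[str]  # image path; None for kernel entries
    pid: Optional[int]
    module: str
    symbol: str
    offset: int
    address: int
    size: int
    patch: str              # raw patch text: a byte list, or "JMP <dest>"

    def jump_target(self) -> Optional[int]:
        """Destination of an inline JMP hook; None for a plain byte patch."""
        m = re.fullmatch(r"JMP ([0-9A-F]{8})", self.patch)
        return int(m.group(1), 16) if m else None


@dataclass(frozen=True)
class AttachedDevice:
    driver: str        # driver owning the device stack, e.g. \Driver\tdx
    device: str        # device object, e.g. \Device\Tcp
    filter_image: str  # image of the filter attached on top of it


def parse_gmer(text):
    """One pass over the log; section lines matching no pattern come back as unparsed."""
    section, patches, devices, unparsed = "header", [], [], []
    for line in (l.rstrip() for l in text.splitlines()):
        if not line:
            continue
        if (s := SECTION_RE.match(line)):
            section = s.group("name")
        elif (m := TEXT_RE.match(line)) and (t := TARGET_RE.match(m["target"])):
            patches.append(CodePatch(
                section, t.group("process"), int(t["pid"]) if t["pid"] else None,
                t["module"], t["symbol"], int(t["offset"], 16),
                int(m["addr"], 16), int(m["size"]), m["patch"]))
        elif (d := DEVICE_RE.match(line)):
            devices.append(AttachedDevice(d["driver"], d["device"], d["filter"]))
        elif section not in ("header", "EOF"):
            unparsed.append(line)
    return patches, devices, unparsed


def kernel_patches(patches):
    """Modifications to kernel images (entries with no owning process)."""
    return [p for p in patches if p.process is None]


def inline_hooks(patches):
    """Inline JMP hooks keyed by (image, module!Symbol, destination) -> set of PIDs.
    The same hook normally shows up once per process that loaded the module."""
    hooks = {}
    for p in patches:
        dest = p.jump_target()
        if dest is not None:
            hooks.setdefault((p.process or p.module, f"{p.module}!{p.symbol}", dest), set()).add(p.pid)
    return hooks


def unexpected_filters(devices, expected):
    """Filter drivers whose image is not on the analyst-supplied allowlist (case-insensitive)."""
    known = {e.lower() for e in expected}
    return [d for d in devices if d.filter_image.lower() not in known]


if __name__ == "__main__":
    patches, devices, unparsed = parse_gmer(SAMPLE_LOG)
    for p in kernel_patches(patches):
        print(f"kernel  {p.module}!{p.symbol}+{p.offset:X} @ {p.address:08X} {p.size}B  {p.patch[:40]}")
    for (image, sym, dest), pids in inline_hooks(patches).items():
        print(f"hook    {sym} -> {dest:08X} in {image} pids={sorted(pids)}")
    for d in unexpected_filters(devices, ["Wdf01000.sys"]):  # allowlist is an assumption
        print(f"filter  {d.filter_image} on {d.driver} {d.device}")
```

Run against the full log, the parser leaves the IAT and Reg lines in `unparsed` (they use different column layouts and are usually reviewed by eye), collapses the iexplore.exe hook into a single finding seen in PIDs 3124 and 4040, and lists tcpipBM.sys and ccnfd_1_10_0_4.sys as filters not on the supplied allowlist. Whether any of those is unwanted is for the analyst to decide from the driver's origin and signature; the parser only makes them easy to find.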