GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-02-28 13:42:05
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD16 rev.13.0
Running: gmer.exe; Driver: C:\Users\Krysia\AppData\Local\Temp\pwdiipoc.sys


---- System - GMER 1.0.15 ----

SSDT   \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                     ZwCreateThread [0x8D34C7F0]
SSDT   \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                     ZwLoadDriver [0x8D34C8B0]
SSDT   \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                     ZwSetSystemInformation [0x8D34C870]
SSDT   \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)                                     ZwSystemDebugControl [0x8D34C830]

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!KeSetEvent + 221                                                                        828E59A4 4 Bytes  [F0, C7, 34, 8D]
.text  ntkrnlpa.exe!KeSetEvent + 37D                                                                        828E5B00 4 Bytes  [B0, C8, 34, 8D] {MOV AL, 0xc8; XOR AL, 0x8d}
.text  ntkrnlpa.exe!KeSetEvent + 5DD                                                                        828E5D60 4 Bytes  [70, C8, 34, 8D] {JO 0xffffffffffffffca; XOR AL, 0x8d}
.text  ntkrnlpa.exe!KeSetEvent + 619                                                                        828E5D9C 4 Bytes  [30, C8, 34, 8D] {XOR AL, CL; XOR AL, 0x8d}

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2020] kernel32.dll!SetUnhandledExceptionFilter   765BA8C5 4 Bytes  [C2, 04, 00, 00]

---- User IAT/EAT - GMER 1.0.15 ----

IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown]                [745C7817] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCloneImage]                 [7461A86D] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI]             [745CBB22] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode]       [745BF695] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdiplusStartup]                 [745C75E9] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC]              [745BE7CA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM]  [745F8395] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream]     [745CDA60] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight]             [745BFFFA] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth]              [745BFF61] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage]               [745B71CF] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM]       [7464CAE2] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile]          [745EC8D8] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics]             [745BD968] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipFree]                       [745B6853] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipAlloc]                      [745B687E] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)
IAT    C:\windows\Explorer.EXE[2868] @ C:\windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode]         [745C2AD1] C:\windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.18342_none_9e54f8aaca13c773\gdiplus.dll (Microsoft GDI+/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\002186d1a2c6                          
Reg    HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\002186d1a2c6 (not active ControlSet)      

---- EOF - GMER 1.0.15 ----
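Two things in this log are worth checking mechanically rather than by eye. First, each 4-byte "Kernel code sections" modification near ntkrnlpa.exe!KeSetEvent, read as a little-endian 32-bit value, equals one of the SSDT hook addresses above it ([F0, C7, 34, 8D] is 0x8D34C7F0, the ZwCreateThread entry), which is consistent with GMER reporting the rewritten service-table slots a second time rather than four separate inline patches of KeSetEvent; the instruction decodes GMER prints in braces are then just data being disassembled. Second, the user-mode patch at the start of kernel32.dll!SetUnhandledExceptionFilter in ekrn.exe, [C2, 04, 00, ...], is an x86 `ret 4` stub. The script below is an added triage example, not GMER's code or output; it parses the three sections from a copy of the lines on this page (embedded as constructed sample input) and performs both checks, so an unexplained kernel patch or an unfamiliar entry stub stands out. Section names, regexes and the function names are my own assumptions about the log layout.

```python
"""Triage helper for a GMER 'Rootkit scan' text log (added example, not part of GMER).

Checks performed:
  1. every 4-byte kernel .text modification is decoded little-endian and looked up
     among the SSDT hook targets; a value that matches is the same hook seen twice,
     a value that does not is a real inline patch that needs a closer look;
  2. user-mode entry patches are named if they are a common stub (ret / ret imm16 /
     jmp or call rel32).
"""
import re
from typing import Dict, List

# Constructed sample input: SSDT, kernel and user code-section lines copied from the
# scan log on this page (spacing between columns is not significant to the parser).
SAMPLE_LOG = r"""
---- System - GMER 1.0.15 ----

SSDT   \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)   ZwCreateThread [0x8D34C7F0]
SSDT   \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)   ZwLoadDriver [0x8D34C8B0]
SSDT   \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)   ZwSetSystemInformation [0x8D34C870]
SSDT   \SystemRoot\system32\DRIVERS\ehdrv.sys (ESET Helper driver/ESET)   ZwSystemDebugControl [0x8D34C830]

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!KeSetEvent + 221   828E59A4 4 Bytes  [F0, C7, 34, 8D]
.text  ntkrnlpa.exe!KeSetEvent + 37D   828E5B00 4 Bytes  [B0, C8, 34, 8D] {MOV AL, 0xc8; XOR AL, 0x8d}
.text  ntkrnlpa.exe!KeSetEvent + 5DD   828E5D60 4 Bytes  [70, C8, 34, 8D] {JO 0xffffffffffffffca; XOR AL, 0x8d}
.text  ntkrnlpa.exe!KeSetEvent + 619   828E5D9C 4 Bytes  [30, C8, 34, 8D] {XOR AL, CL; XOR AL, 0x8d}

---- User code sections - GMER 1.0.15 ----

.text  C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[2020] kernel32.dll!SetUnhandledExceptionFilter   765BA8C5 4 Bytes  [C2, 04, 00, 00]
"""

# Assumed line shapes, derived from the log above (not a documented GMER grammar).
SECTION_RE = re.compile(r"^---- (.+?) - GMER")
SSDT_RE = re.compile(
    r"^SSDT\s+(?P<driver>\S+)\s+\((?P<vendor>[^)]*)\)\s+(?P<func>\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]")
PATCH_RE = re.compile(
    r"^\.text\s+(?P<where>.+?)\s+(?P<addr>[0-9A-Fa-f]{8})\s+(?P<n>\d+) Bytes\s+\[(?P<bytes>[^\]]*)\]")


def parse_gmer(text: str) -> Dict[str, list]:
    """Split a GMER log into SSDT entries, kernel .text patches and user .text patches."""
    out: Dict[str, list] = {"ssdt": [], "kernel_patches": [], "user_patches": []}
    section = ""
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)          # e.g. "Kernel code sections"
            continue
        m = SSDT_RE.match(line)
        if m:
            out["ssdt"].append({"driver": m["driver"], "vendor": m["vendor"],
                                "func": m["func"], "addr": int(m["addr"], 16)})
            continue
        m = PATCH_RE.match(line)
        if m:
            raw = bytes(int(b, 16) for b in m["bytes"].replace(",", " ").split())
            entry = {"where": m["where"], "addr": int(m["addr"], 16), "bytes": raw}
            key = "kernel_patches" if section.startswith("Kernel") else "user_patches"
            out[key].append(entry)
    return out


def correlate_kernel_patches(parsed: Dict[str, list]) -> List[dict]:
    """Decode each 4-byte kernel patch little-endian and match it to an SSDT hook target."""
    by_addr = {e["addr"]: e for e in parsed["ssdt"]}
    results = []
    for p in parsed["kernel_patches"]:
        value = int.from_bytes(p["bytes"], "little") if len(p["bytes"]) == 4 else None
        hit = by_addr.get(value)
        results.append({"where": p["where"], "value": value,
                        "ssdt_func": hit["func"] if hit else None,
                        "driver": hit["driver"] if hit else None})
    return results


def describe_user_patch(raw: bytes) -> str:
    """Name common x86 stubs written over a function entry; anything else is returned as hex."""
    if raw[:1] == b"\xC3":
        return "ret"
    if raw[:1] == b"\xC2" and len(raw) >= 3:          # C2 imm16: ret and pop imm16 bytes of args
        return "ret 0x%X" % int.from_bytes(raw[1:3], "little")
    if raw[:1] in (b"\xE9", b"\xE8") and len(raw) >= 5:  # E9/E8 rel32: jmp/call to a hook
        kind = "jmp" if raw[0] == 0xE9 else "call"
        return "%s rel32 %+d" % (kind, int.from_bytes(raw[1:5], "little", signed=True))
    return "unknown: " + raw.hex()


def triage(text: str) -> dict:
    """Run both checks and return what an analyst needs to eyeball."""
    parsed = parse_gmer(text)
    kernel = correlate_kernel_patches(parsed)
    return {
        "ssdt_count": len(parsed["ssdt"]),
        "kernel": kernel,
        "unexplained": [r for r in kernel if r["ssdt_func"] is None],
        "user": [(p["where"], describe_user_patch(p["bytes"])) for p in parsed["user_patches"]],
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    for r in report["kernel"]:
        print("%-32s -> 0x%08X  %s" % (r["where"], r["value"] or 0, r["ssdt_func"] or "UNEXPLAINED"))
    for where, stub in report["user"]:
        print("%s -> %s" % (where, stub))
```

For this log every kernel modification resolves to one of the four ehdrv.sys SSDT hooks and the only user-mode patch is the `ret 0x4` stub, so nothing here lacks an explanation tied to the installed ESET product; a patch that decoded to an address in no listed driver, or to a module GMER could not name, is what would merit pulling the driver for analysis.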
