GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-08-15 21:07:46
Windows 6.0.6001 Service Pack 1 Harddisk0\DR0 -> \Device\Ide\IdePort0 Hitachi_HTS542512K9SA00 rev.BB2OC31P
Running: gmer.exe; Driver: C:\Users\tuche\AppData\Local\Temp\kwdoipow.sys


---- Kernel code sections - GMER 1.0.15 ----

.text   C:\Windows\system32\DRIVERS\atikmdag.sys   section is writeable [0x8E609000, 0x1F875A, 0xE8000020]
?       C:\Users\tuche\AppData\Local\Temp\mbr.sys   The system cannot find the file specified. !

---- User code sections - GMER 1.0.15 ----

.text   C:\Windows\Explorer.exe[468] SHELL32.dll!InitNetworkAddressControl + 2939   7685006C 4 Bytes  [F0, 1F, 00, 10]
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!SetWindowsHookExW   764F7B69 5 Bytes  JMP 6E589A91 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!CallNextHookEx   764F8C33 5 Bytes  JMP 6E57D0CD C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!DialogBoxIndirectParamW   764FBD25 1 Byte  [E9]
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!DialogBoxIndirectParamW   764FBD25 5 Bytes  JMP 6E685329 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!CreateWindowExW   76503D67 5 Bytes  JMP 6E58DB04 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!DialogBoxParamW   76511FD5 5 Bytes  JMP 6E4B54C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!UnhookWindowsHookEx   765208BE 5 Bytes  JMP 6E4F466E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!DialogBoxParamA   765380B2 5 Bytes  JMP 6E6852C6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!DialogBoxIndirectParamA   765383DD 5 Bytes  JMP 6E68538C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!MessageBoxIndirectA   7654D471 5 Bytes  JMP 6E68525B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!MessageBoxIndirectW   7654D56B 5 Bytes  JMP 6E6851F0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!MessageBoxExA   7654D5D1 5 Bytes  JMP 6E68518E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!MessageBoxExW   7654D5F5 5 Bytes  JMP 6E68512C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] SHELL32.dll!InitNetworkAddressControl + 2939   7685006C 4 Bytes  [F0, 1F, E9, 06]
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] ole32.dll!OleLoadFromStream   76609794 5 Bytes  JMP 6E685691 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] ole32.dll!CoCreateInstance   7663E2D8 5 Bytes  JMP 6E58DB60 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[1452] USER32.dll!DialogBoxIndirectParamW   764FBD25 1 Byte  [E9]
.text   C:\Program Files\Internet Explorer\iexplore.exe[1452] USER32.dll!DialogBoxIndirectParamW   764FBD25 5 Bytes  JMP 6E685329 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[1452] USER32.dll!CreateWindowExW   76503D67 5 Bytes  JMP 6E58DB04 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[1452] USER32.dll!DialogBoxParamW   76511FD5 5 Bytes  JMP 6E4B54C5 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[1452] USER32.dll!DialogBoxParamA   765380B2 5 Bytes  JMP 6E6852C6 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[1452] USER32.dll!DialogBoxIndirectParamA   765383DD 5 Bytes  JMP 6E68538C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[1452] USER32.dll!MessageBoxIndirectA   7654D471 5 Bytes  JMP 6E68525B C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[1452] USER32.dll!MessageBoxIndirectW   7654D56B 5 Bytes  JMP 6E6851F0 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[1452] USER32.dll!MessageBoxExA   7654D5D1 5 Bytes  JMP 6E68518E C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[1452] USER32.dll!MessageBoxExW   7654D5F5 5 Bytes  JMP 6E68512C C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Windows\Explorer.EXE[2792] SHELL32.dll!InitNetworkAddressControl + 2939   7685006C 4 Bytes  [F0, 1F, 00, 10]
CODE    C:\Windows\system\svchost.exe[3616] C:\Windows\system\svchost.exe   entry point in "CODE" section [0x00401F90]

---- Devices - GMER 1.0.15 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0   Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1   Wdf01000.sys (WDF Dynamic/Microsoft Corporation)
AttachedDevice  \FileSystem\fastfat \Fat   fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

Device  \Device\Ide\IdeDeviceP0T0L0-0 -> \??\IDE#DiskHitachi_HTS542512K9SA00_________________BB2OC31P#5&2eebe7a5&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b}   device not found

---- Disk sectors - GMER 1.0.15 ----

Disk    \Device\Harddisk0\DR0   TDL4@MBR code has been found <-- ROOTKIT !!!
Disk    \Device\Harddisk0\DR0   sector 00: rootkit-like behavior

---- EOF - GMER 1.0.15 ----
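A GMER log like the one above mixes one critical finding (the TDL4 MBR hit) with dozens of inline hooks that are routine for Internet Explorer and Explorer. The script below is an added triage example, not part of GMER or of this scan: it parses the record types that carry findings (user-mode hooks, process entry-point notes, writeable kernel sections, disk-sector findings) and ranks them for review. SAMPLE_LOG is a constructed subset of the lines above, re-typed inline so the script runs offline. The severity rules and the CORE_SYSTEM_BINARIES list are the example's own assumptions; the "(description/vendor)" text GMER prints after a JMP target is file version information, not a signature check, so a JMP into a module that merely claims Microsoft is ranked lower, not cleared.

```python
"""Triage helper for GMER 1.0.15 text logs (added example, not GMER code)."""
import re
from dataclasses import dataclass
from typing import List

# Constructed sample: a subset of the scan above, re-typed so the example runs offline.
SAMPLE_LOG = r"""
.text   C:\Windows\system32\DRIVERS\atikmdag.sys   section is writeable [0x8E609000, 0x1F875A, 0xE8000020]
.text   C:\Windows\Explorer.exe[468] SHELL32.dll!InitNetworkAddressControl + 2939   7685006C 4 Bytes  [F0, 1F, 00, 10]
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!SetWindowsHookExW   764F7B69 5 Bytes  JMP 6E589A91 C:\Windows\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[928] USER32.dll!DialogBoxIndirectParamW   764FBD25 1 Byte  [E9]
CODE    C:\Windows\system\svchost.exe[3616] C:\Windows\system\svchost.exe   entry point in "CODE" section [0x00401F90]
Disk    \Device\Harddisk0\DR0   TDL4@MBR code has been found <-- ROOTKIT !!!
Disk    \Device\Harddisk0\DR0   sector 00: rootkit-like behavior
"""

HOOK_RE = re.compile(
    r'^\.text\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+'
    r'(?P<target>[\w.]+!\w+(?: \+ [0-9A-Fa-f]+)?)\s+'
    r'(?P<addr>[0-9A-F]{8})\s+(?P<size>\d+) Bytes?\s+(?P<detail>.+?)\s*$')
JMP_RE = re.compile(r'^JMP (?P<dest>[0-9A-F]{8}) (?P<module>.+?) \((?P<desc>[^/)]*)/(?P<vendor>[^)]*)\)$')
BYTES_RE = re.compile(r'^\[(?P<bytes>[0-9A-F]{2}(?:, [0-9A-F]{2})*)\]$')
KSEC_RE = re.compile(r'^\.text\s+(?P<driver>.+?)\s+section is writeable \[(?P<info>[^\]]*)\]')
ENTRY_RE = re.compile(
    r'^(?P<section>\w+)\s+(?P<proc>.+?\[(?P<pid>\d+)\])\s+(?P<image>.+?)\s+'
    r'entry point in "(?P<ep_section>\w+)" section \[(?P<ep>0x[0-9A-Fa-f]+)\]')
DISK_RE = re.compile(r'^Disk\s+(?P<device>\S+)\s+(?P<msg>.+?)\s*$')

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}
SYSTEM32 = r"c:\windows\system32"
# Assumption for this example: these core binaries only run legitimately from System32
# (the scanned host is 32-bit Vista, so a single expected directory is enough here).
CORE_SYSTEM_BINARIES = {"svchost.exe", "lsass.exe", "csrss.exe", "services.exe", "winlogon.exe"}


@dataclass
class Finding:
    severity: str
    kind: str
    subject: str
    note: str


def _classify_hook(m: "re.Match") -> Finding:
    subject = f"{m['proc']} {m['target']}"
    j = JMP_RE.match(m['detail'])
    if j:
        module = j['module']
        # Version-info strings are not a signature: a Microsoft-looking JMP target in
        # System32 is lower priority, not cleared.
        if module.lower().startswith(SYSTEM32 + "\\") and j['vendor'] == "Microsoft Corporation":
            return Finding("low", "inline-jmp", subject,
                           f"JMP {j['dest']} into {module}; typical of IE/Explorer self-hooking, verify the file's signature")
        return Finding("high", "inline-jmp", subject,
                       f"JMP {j['dest']} into {module} ({j['vendor']}): non-Microsoft or outside System32")
    b = BYTES_RE.match(m['detail'])
    if b:
        return Finding("medium", "byte-patch", subject,
                       f"{m['size']} byte(s) at {m['addr']} patched in place ({b['bytes']}), no JMP target: diff against a clean copy")
    return Finding("medium", "hook-unparsed", subject, m['detail'])


def _classify_entry(m: "re.Match") -> Finding:
    directory, _, name = m['image'].lower().rpartition("\\")
    if name in CORE_SYSTEM_BINARIES and directory != SYSTEM32:
        return Finding("high", "masquerade-path", m['proc'],
                       f"{name} running from {directory}, not {SYSTEM32}; entry point {m['ep']} in '{m['ep_section']}' section")
    if m['ep_section'].lower() != ".text":
        return Finding("medium", "odd-entry-section", m['proc'],
                       f"entry point {m['ep']} in '{m['ep_section']}' section rather than .text")
    return Finding("low", "entry-point", m['proc'], f"entry point {m['ep']} in {m['ep_section']}")


def _classify_ksec(m: "re.Match") -> Finding:
    return Finding("medium", "writable-kernel-section", m['driver'],
                   f"code section writeable [{m['info']}]: confirm the driver is signed and unmodified")


def _classify_disk(m: "re.Match") -> Finding:
    msg = m['msg']
    if "ROOTKIT" in msg:
        return Finding("critical", "mbr", m['device'], msg)
    if "rootkit-like" in msg.lower():
        return Finding("high", "mbr", m['device'], msg)
    return Finding("low", "disk", m['device'], msg)


RULES = ((HOOK_RE, _classify_hook), (KSEC_RE, _classify_ksec),
         (ENTRY_RE, _classify_entry), (DISK_RE, _classify_disk))


def triage(log_text: str) -> List[Finding]:
    """Parse every recognised GMER record and return findings, most severe first."""
    findings: List[Finding] = []
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        for regex, handler in RULES:
            m = regex.match(line)
            if m:
                findings.append(handler(m))
                break
    findings.sort(key=lambda f: SEVERITY_ORDER[f.severity])  # stable: ties keep log order
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"[{f.severity:8}] {f.kind:24} {f.subject}\n           {f.note}")
```

Run against the full log above, the same rules put the MBR finding first, the svchost.exe running from C:\Windows\system second, and push the roughly thirty IEFRAME.dll hooks to the bottom of the list, which is the order an analyst would want to work through them.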