GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-08-05 17:34:31
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-16 WDC_WD2500YS-01SHB1 rev.20.06C06
Running: e4oxdw59.exe; Driver: C:\DOCUME~1\WACICI~1\USTAWI~1\Temp\kwrciaob.sys

---- System - GMER 1.0.15 ----

SSDT B87BCBFC ZwClose
SSDT B87BCBB6 ZwCreateKey
SSDT B87BCC06 ZwCreateSection
SSDT B87BCBAC ZwCreateThread
SSDT B87BCBBB ZwDeleteKey
SSDT B87BCBC5 ZwDeleteValueKey
SSDT B87BCBF7 ZwDuplicateObject
SSDT B87BCBCA ZwLoadKey
SSDT B87BCB98 ZwOpenProcess
SSDT B87BCB9D ZwOpenThread
SSDT B87BCC1F ZwQueryValueKey
SSDT B87BCBD4 ZwReplaceKey
SSDT B87BCC10 ZwRequestWaitReplyPort
SSDT B87BCBCF ZwRestoreKey
SSDT B87BCC0B ZwSetContextThread
SSDT B87BCC15 ZwSetSecurityObject
SSDT B87BCBC0 ZwSetValueKey
SSDT B87BCC1A ZwSystemDebugControl
SSDT B87BCBA7 ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB74493A0, 0x5FE082, 0xE8000020]

---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\n (*** hidden *** ) @ C:\WINDOWS\System32\svchost.exe [1188] 0x45670000

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2A 0xF1 0xEC 0x3B ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x2A 0xF1 0xEC 0x3B ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{021d59e4-df0c-11dd-9140-8d355cf584b9}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{021d59e4-df0c-11dd-9140-8d355cf584b9}@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{021d59e4-df0c-11dd-9140-8d355cf584b9}@_AutorunStatus 0x01 0x00 0x01 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{021d59e4-df0c-11dd-9140-8d355cf584b9}\shell
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{021d59e4-df0c-11dd-9140-8d355cf584b9}\shell@ None
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{021d59e4-df0c-11dd-9140-8d355cf584b9}\shell\Autoplay
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{021d59e4-df0c-11dd-9140-8d355cf584b9}\shell\Autoplay@MUIVerb @shell32.dll,-8504
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{021d59e4-df0c-11dd-9140-8d355cf584b9}\shell\Autoplay\DropTarget
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{021d59e4-df0c-11dd-9140-8d355cf584b9}\shell\Autoplay\DropTarget@CLSID {f26a669a-bcbb-4e37-abf9-7325da15f931}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0fd3fb64-8c0b-11dd-bbe0-001fd088c4ba}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0fd3fb64-8c0b-11dd-bbe0-001fd088c4ba}@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0fd3fb64-8c0b-11dd-bbe0-001fd088c4ba}@_AutorunStatus 0x01 0x00 0x01 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0fd3fb64-8c0b-11dd-bbe0-001fd088c4ba}\shell
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0fd3fb64-8c0b-11dd-bbe0-001fd088c4ba}\shell@ None
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0fd3fb64-8c0b-11dd-bbe0-001fd088c4ba}\shell\Autoplay
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0fd3fb64-8c0b-11dd-bbe0-001fd088c4ba}\shell\Autoplay@MUIVerb @shell32.dll,-8504
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0fd3fb64-8c0b-11dd-bbe0-001fd088c4ba}\shell\Autoplay\DropTarget
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{0fd3fb64-8c0b-11dd-bbe0-001fd088c4ba}\shell\Autoplay\DropTarget@CLSID {f26a669a-bcbb-4e37-abf9-7325da15f931}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45b15d42-9a04-11dd-90b1-00304f38d8cc}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45b15d42-9a04-11dd-90b1-00304f38d8cc}@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45b15d42-9a04-11dd-90b1-00304f38d8cc}@_AutorunStatus 0x01 0x00 0x01 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45b15d42-9a04-11dd-90b1-00304f38d8cc}\shell
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45b15d42-9a04-11dd-90b1-00304f38d8cc}\shell@ None
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45b15d42-9a04-11dd-90b1-00304f38d8cc}\shell\Autoplay
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45b15d42-9a04-11dd-90b1-00304f38d8cc}\shell\Autoplay@MUIVerb @shell32.dll,-8504
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45b15d42-9a04-11dd-90b1-00304f38d8cc}\shell\Autoplay\DropTarget
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{45b15d42-9a04-11dd-90b1-00304f38d8cc}\shell\Autoplay\DropTarget@CLSID {f26a669a-bcbb-4e37-abf9-7325da15f931}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6db4a94c-9b97-11dd-90b5-00304f38d8cc}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6db4a94c-9b97-11dd-90b5-00304f38d8cc}@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6db4a94c-9b97-11dd-90b5-00304f38d8cc}@_AutorunStatus 0x01 0x00 0x01 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6db4a94c-9b97-11dd-90b5-00304f38d8cc}\Name
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6db4a94c-9b97-11dd-90b5-00304f38d8cc}\Name@ The Sims 2
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6db4a94c-9b97-11dd-90b5-00304f38d8cc}\_Autorun
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6db4a94c-9b97-11dd-90b5-00304f38d8cc}\_Autorun\DefaultIcon
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{6db4a94c-9b97-11dd-90b5-00304f38d8cc}\_Autorun\DefaultIcon@ F:\Sims2.ico
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7957340e-5062-11de-921d-001fd088c4ba}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7957340e-5062-11de-921d-001fd088c4ba}@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7957340e-5062-11de-921d-001fd088c4ba}@_AutorunStatus 0x01 0x00 0x01 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7957340e-5062-11de-921d-001fd088c4ba}\shell
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7957340e-5062-11de-921d-001fd088c4ba}\shell@ None
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7957340e-5062-11de-921d-001fd088c4ba}\shell\Autoplay
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7957340e-5062-11de-921d-001fd088c4ba}\shell\Autoplay@MUIVerb @shell32.dll,-8504
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7957340e-5062-11de-921d-001fd088c4ba}\shell\Autoplay\DropTarget
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7957340e-5062-11de-921d-001fd088c4ba}\shell\Autoplay\DropTarget@CLSID {f26a669a-bcbb-4e37-abf9-7325da15f931}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}@_AutorunStatus 0x01 0x00 0x01 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}\Name
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}\Name@ FIFA 09
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}\Shell
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}\Shell@ AutoRun
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}\Shell\AutoRun
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}\Shell\AutoRun@ &Autoodtwarzanie
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}\Shell\AutoRun\command
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}\Shell\AutoRun\command@ E:\Autorun.exe
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}\_Autorun
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}\_Autorun\DefaultIcon
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{86ce82f0-8cd0-11dd-9076-806d6172696f}\_Autorun\DefaultIcon@ E:\fifapc.ico
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e95040-0420-11de-9178-001fd088c4ba}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e95040-0420-11de-9178-001fd088c4ba}@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e95040-0420-11de-9178-001fd088c4ba}@_AutorunStatus 0x01 0x00 0x01 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e95040-0420-11de-9178-001fd088c4ba}\shell
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e95040-0420-11de-9178-001fd088c4ba}\shell@ None
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e95040-0420-11de-9178-001fd088c4ba}\shell\Autoplay
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e95040-0420-11de-9178-001fd088c4ba}\shell\Autoplay@MUIVerb @shell32.dll,-8504
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e95040-0420-11de-9178-001fd088c4ba}\shell\Autoplay\DropTarget
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{87e95040-0420-11de-9178-001fd088c4ba}\shell\Autoplay\DropTarget@CLSID {f26a669a-bcbb-4e37-abf9-7325da15f931}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9bea0481-8c0e-11dd-851e-806d6172696f}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9bea0481-8c0e-11dd-851e-806d6172696f}@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9bea0482-8c0e-11dd-851e-806d6172696f}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{9bea0482-8c0e-11dd-851e-806d6172696f}@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba102041-8c0f-11dd-bbdd-806d6172696f}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba102041-8c0f-11dd-bbdd-806d6172696f}@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba102041-8c0f-11dd-bbdd-806d6172696f}\Shell
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba102041-8c0f-11dd-bbdd-806d6172696f}\Shell@ AutoRun
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba102041-8c0f-11dd-bbdd-806d6172696f}\Shell\AutoRun
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba102041-8c0f-11dd-bbdd-806d6172696f}\Shell\AutoRun@ &Autoodtwarzanie
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba102041-8c0f-11dd-bbdd-806d6172696f}\Shell\AutoRun\command
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba102041-8c0f-11dd-bbdd-806d6172696f}\Shell\AutoRun\command@ E:\Run.exe
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba102041-8c0f-11dd-bbdd-806d6172696f}\_Autorun
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba102041-8c0f-11dd-bbdd-806d6172696f}\_Autorun\DefaultIcon
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{ba102041-8c0f-11dd-bbdd-806d6172696f}\_Autorun\DefaultIcon@ E:\Run.exe
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d9353bec-8d63-11dd-9084-00304f38d8cc}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d9353bec-8d63-11dd-9084-00304f38d8cc}@BaseClass Drive
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d9353bec-8d63-11dd-9084-00304f38d8cc}@_AutorunStatus 0x01 0x00 0x01 0x00 ...

---- EOF - GMER 1.0.15 ----