GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-05-23 13:07:03
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST3250310AS rev.3.AAC 232,89GB
Running: gmer.exe; Driver: C:\DOCUME~1\Sonic\USTAWI~1\Temp\pwairfob.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB6DA43C0, 0x9B091A, 0xE8000020]
?      C:\WINDOWS\System32\drivers\afd.sys  suspicious PE modification
.text  C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl  section is writeable [0xACC23000, 0x2892, 0xE8000020]
.vmp2  C:\Program Files\CyberLink\PowerDVD10\NavFilter\000.fcl  entry point in ".vmp2" section [0xACC46050]

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\System32\svchost.exe[172] USER32.dll!DialogBoxIndirectParamAorW  7E3749D0 5 Bytes  JMP 0093000A
.text  C:\WINDOWS\System32\svchost.exe[172] USER32.dll!GetCursorPos  7E37974E 5 Bytes  JMP 0092000A
.text  C:\WINDOWS\System32\svchost.exe[172] ole32.dll!CoCreateInstance  774EF1BC 5 Bytes  JMP 0091000A

---- Trace I/O - GMER 2.1 ----

Trace  ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0x89910698]<<  89910698
Trace  1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x8a43cab8]  8a43cab8
Trace  3 CLASSPNP.SYS[f7637fd7] -> nt!IofCallDriver -> [0x8a155030]  8a155030
Trace  \Driver\00004896[0x8a15c4a0] -> IRP_MJ_CREATE -> 0x89910698  89910698

---- Modules - GMER 2.1 ----

Module  (noname) (*** hidden *** )  B3F9B000-B3FB2000 (94208 bytes)

---- Processes - GMER 2.1 ----

Process  C:\WINDOWS\System32\svchost.exe (*** hidden *** )  172

---- Registry - GMER 2.1 ----

Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System
Reg  HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System@OODEFRAG12.00.00.01PROFESSIONAL

---- Files - GMER 2.1 ----

File  C:\Documents and Settings\LocalService\Cookies\R6C9LNP7.txt  0 bytes
File  C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4I47P1JE\stCA0XRCB4  0 bytes
File  C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4I47P1JE\config[3].js  0 bytes
File  C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4KOIVXDZ\info_48[1]  6993 bytes
File  C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4KOIVXDZ\errorPageStrings[1]  1998 bytes
File  C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4KOIVXDZ\dnserrordiagoff_webOC[1]  0 bytes
File  C:\Documents and Settings\LocalService\Ustawienia lokalne\Temporary Internet Files\Content.IE5\4KOIVXDZ\bullet[1]  0 bytes
File  C:\Program Files\Microsoft Security Client\Backup\EppManifest.dll  182224 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\pl-pl  0 bytes
File  C:\Program Files\Microsoft Security Client\Backup\pl-pl\EULA.RTF  171322 bytes
File  C:\Program Files\Microsoft Security Client\Backup\pl-pl\setupres.dll.mui  49208 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\setupres.dll  8760 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\x86  0 bytes
File  C:\Program Files\Microsoft Security Client\Backup\x86\dw20shared.msi  1850368 bytes
File  C:\Program Files\Microsoft Security Client\Backup\x86\epp.msi  7106560 bytes
File  C:\Program Files\Microsoft Security Client\Backup\x86\LegitLib.dll  707448 bytes
File  C:\Program Files\Microsoft Security Client\Backup\x86\setup.exe  847920 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\x86\sqmapi.dll  196416 bytes executable
File  C:\Program Files\Microsoft Security Client\Backup\x86\Windows6.0-KB981889-v2.msu  1241780 bytes
File  C:\Program Files\Microsoft Security Client\Backup\x86\Windows6.1-KB981889.msu  907883 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\mpfilter  0 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.cat  7679 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.inf  3137 bytes
File  C:\Program Files\Microsoft Security Client\Drivers\mpfilter\mpfilter.sys  195296 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\EULA.RTF  143927 bytes
File  C:\Program Files\Microsoft Security Client\en-us\MpAsDesc.dll.mui  47672 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\mpevmsg.dll.mui  37968 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\MsMpRes.dll.mui  93752 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\setupres.dll.mui  43088 bytes executable
File  C:\Program Files\Microsoft Security Client\en-us\shellext.dll.mui  9296 bytes executable
File  C:\Program Files\Microsoft Security Client\pl-pl\EULA.RTF  171322 bytes
File  C:\Program Files\Microsoft Security Client\pl-pl\MsMpRes.dll.mui  107600 bytes executable
File  C:\Program Files\Microsoft Security Client\pl-pl\setupres.dll.mui  49208 bytes executable
File  C:\Program Files\Microsoft Security Client\pl-pl\shellext.dll.mui  9296 bytes executable
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924  0 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\@  2048 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\Desktop.ini  4608 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\L  0 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\L\00000004.@  804 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\L\201d3dde  0 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\L\6715e287  107 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\L\76603ac3  2416 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\L\exspopvu  138496 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\U  0 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\U\00000004.@  2048 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\U\00000008.@  1024 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\U\000000cb.@  1632 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\U\80000000.@  11776 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2369647924\U\80000032.@  90624 bytes
File  C:\WINDOWS\$NtUninstallKB30729$\2794193621  0 bytes

---- EOF - GMER 2.1 ----