GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-12 18:53:43
Windows 5.1.2600 Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12 ST3160812A rev.3.AAJ 149,05GB
Running: 9wp1nwje.exe; Driver: C:\DOCUME~1\Mariusz\USTAWI~1\Temp\pxtdqpoc.sys


---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwAdjustPrivilegesToken [0xF645DAD0]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwConnectPort [0xF6460C90]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwCreateFile [0xF645FED0]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwCreateKey [0xF645D760]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwCreatePort [0xF6460FE0]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwCreateProcessEx [0xF6461AE0]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwCreateSection [0xF6461240]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwCreateSymbolicLinkObject [0xF6460460]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwCreateThread [0xF64616E0]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwDebugActiveProcess [0xF645D230]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwDeleteKey [0xF645F920]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwDeleteValueKey [0xF645FA80]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwDuplicateObject [0xF645D330]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwOpenFile [0xF64601D0]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwOpenKey [0xF645D560]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwOpenProcess [0xF645FC40]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwOpenSection [0xF645CD80]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwOpenThread [0xF645D980]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwResumeThread [0xF6460730]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwSecureConnectPort [0xF6460E30]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwSetInformationFile [0xF6460580]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwSetValueKey [0xF645F750]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwTerminateProcess [0xF645F640]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwTerminateThread [0xF645FDB0]

---- Kernel code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xF65953C0, 0x84E4FA, 0xE8000020]

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip  pwipf6.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp  pwipf6.sys
AttachedDevice  \Driver\Tcpip \Device\Udp  pwipf6.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  pwipf6.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Video\{2BC1B1F6-3FD0-48B1-8F88-48D94301B0BC}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Video\{B4DA2243-BDB6-47C7-BBF8-70307F812B56}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\ControlSet003\Control\Video\{2BC1B1F6-3FD0-48B1-8F88-48D94301B0BC}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\ControlSet003\Control\Video\{B4DA2243-BDB6-47C7-BBF8-70307F812B56}\0000@D3D_\x3332\x3331  2089309684
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\D@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\E@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\F@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\G@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ef11022-6b57-11df-8d4a-0018f3e074ea}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{2ef11022-6b57-11df-8d4a-0018f3e074ea}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39d81198-6aa9-11e0-89ab-4d6564696130}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39d81198-6aa9-11e0-89ab-4d6564696130}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{39d81198-6aa9-11e0-89ab-4d6564696130}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{473869bc-338e-11df-8ca0-4d6564696130}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{473869bc-338e-11df-8ca0-4d6564696130}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{473869bc-338e-11df-8ca0-4d6564696130}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{47b51838-629c-11df-8d2c-0018f3e074ea}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{47b51838-629c-11df-8d2c-0018f3e074ea}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{47b51838-629c-11df-8d2c-0018f3e074ea}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a6cbda6-6288-11de-89d1-0018f3e074ea}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a6cbda6-6288-11de-89d1-0018f3e074ea}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{5a6cbda6-6288-11de-89d1-0018f3e074ea}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{712465f4-435e-11e0-892b-4d6564696130}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{712465f4-435e-11e0-892b-4d6564696130}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{712465f4-435e-11e0-892b-4d6564696130}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cdc2606-0c5f-11e0-883a-4d6564696130}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cdc2606-0c5f-11e0-883a-4d6564696130}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cdc2606-0c5f-11e0-883a-4d6564696130}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cdc2607-0c5f-11e0-883a-4d6564696130}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cdc2607-0c5f-11e0-883a-4d6564696130}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cdc2607-0c5f-11e0-883a-4d6564696130}@_LabelFromReg  ANDY 2
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{7cdc2607-0c5f-11e0-883a-4d6564696130}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ec8e6d-8bfc-11df-866c-0018f3e074ea}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ec8e6d-8bfc-11df-866c-0018f3e074ea}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{81ec8e6d-8bfc-11df-866c-0018f3e074ea}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{830c5e46-71f2-11de-89f6-4d6564696130}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{830c5e46-71f2-11de-89f6-4d6564696130}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{830c5e46-71f2-11de-89f6-4d6564696130}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{998ddc70-628f-11de-af16-806d6172696f}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{998ddc70-628f-11de-af16-806d6172696f}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{998ddc70-628f-11de-af16-806d6172696f}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{998ddc71-628f-11de-af16-806d6172696f}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{998ddc71-628f-11de-af16-806d6172696f}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{998ddc72-628f-11de-af16-806d6172696f}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{998ddc72-628f-11de-af16-806d6172696f}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bb1779db-c2ac-11e0-8ad7-4d6564696130}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bb1779db-c2ac-11e0-8ad7-4d6564696130}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bb1779db-c2ac-11e0-8ad7-4d6564696130}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bb1779dc-c2ac-11e0-8ad7-4d6564696130}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bb1779dc-c2ac-11e0-8ad7-4d6564696130}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{bb1779dc-c2ac-11e0-8ad7-4d6564696130}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c89d3520-62a7-11de-89d7-0018f3e074ea}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c89d3520-62a7-11de-89d7-0018f3e074ea}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c89d3520-62a7-11de-89d7-0018f3e074ea}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c89d3520-62a7-11de-89d7-0018f3e074ea}@_LabelFromReg  KINGSTON
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d09a0f24-defa-11e0-8b51-4d6564696130}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d09a0f24-defa-11e0-8b51-4d6564696130}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d09a0f24-defa-11e0-8b51-4d6564696130}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0a75876-6bf8-11df-861a-806d6172696f}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0a75876-6bf8-11df-861a-806d6172696f}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0a75876-6bf8-11df-861a-806d6172696f}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0a75877-6bf8-11df-861a-4d6564696130}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d0a75877-6bf8-11df-861a-4d6564696130}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d5b4abcb-659d-11df-8d3b-4d6564696130}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d5b4abcb-659d-11df-8d3b-4d6564696130}@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{d5b4abcb-659d-11df-8d3b-4d6564696130}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...

---- EOF - GMER 2.1 ----
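Reading a GMER log by hand means counting the same facts over and over: here every one of the 24 SSDT hooks belongs to a single module, pwipf6.sys, which is also attached as a filter to the four Tcpip device objects, none of the hooked services is an enumeration routine of the kind a stealth rootkit hooks to hide files, processes or keys, and the long registry tail is Explorer's MountPoints2 record of volumes that were once mounted. The script below is an added example, not code from the forum post or from GMER: it parses the log line formats shown above, groups the findings per kernel module and prints a heuristic verdict. The HIDING_SERVICES set and the verdict rules are my own assumptions about what is worth a second look, not GMER's, and the embedded SAMPLE_LOG is a constructed excerpt of the log on this page. Whatever the verdict, the practical next step for a module that hooks the SSDT is to check the file's digital signature and the product that installed it.

```python
"""Triage helper for GMER rootkit-scan logs (added example; not GMER's code)."""
import re
from collections import defaultdict

# ---- <Section> - GMER 2.1 ----  (also matches the EOF line)
SECTION_RE = re.compile(r"^---- (?P<name>.+?) - GMER [\d.]+ ----$")
# SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwCreateFile [0xF645FED0]
SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+(?P<service>Zw\w+)\s+\[(?P<addr>0x[0-9A-Fa-f]+)\]$")
# .text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0x.., 0x.., 0x..]
WRITEABLE_RE = re.compile(r"^(?P<section>\.\w+)\s+(?P<module>\S+)\s+section is writeable\s+\[(?P<detail>[^\]]+)\]$")
# AttachedDevice  \Driver\Tcpip \Device\Tcp  pwipf6.sys
ATTACHED_RE = re.compile(r"^AttachedDevice\s+(?P<driver>\\Driver\\\S+)\s+(?P<device>\\Device\\\S+)\s+(?P<module>\S+)$")
# Reg  HKCU\...\MountPoints2\C@BaseClass  Drive   (value name after '@', data after that)
REG_RE = re.compile(r"^Reg\s+(?P<key>[^@\s]+)(?:@(?P<value>\S+))?(?:\s+(?P<data>.*))?$")
PATTERNS = [("ssdt", SSDT_RE), ("writeable", WRITEABLE_RE), ("attached", ATTACHED_RE), ("registry", REG_RE)]

# Assumption (my heuristic, not GMER's): services hooked to hide objects from enumeration.
HIDING_SERVICES = {"ZwQueryDirectoryFile", "ZwQuerySystemInformation", "ZwEnumerateKey",
                   "ZwEnumerateValueKey", "ZwQueryKey", "ZwQueryValueKey", "ZwDeviceIoControlFile"}


def parse_gmer(text):
    """Return the typed findings of a GMER log, keyed by kind; banner lines match nothing."""
    findings = {kind: [] for kind, _ in PATTERNS}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or SECTION_RE.match(line):
            continue
        for kind, rx in PATTERNS:
            m = rx.match(line)
            if m:
                findings[kind].append(m.groupdict())
                break
    return findings


def module_name(path):
    """'\\SystemRoot\\system32\\DRIVERS\\pwipf6.sys' -> 'pwipf6.sys'."""
    return path.rsplit("\\", 1)[-1].lower()


def classify(info, hiding):
    """Heuristic verdict for one module (assumption: my rules, ordered worst first)."""
    if hiding:
        return "hooks enumeration services used to hide objects: treat as a rootkit until identified"
    if info["ssdt"] and info["attached"]:
        return "hooks create/open/terminate services and filters device stacks: firewall/HIPS-style driver, verify signer and vendor"
    if info["ssdt"]:
        return "SSDT hooks without hiding behaviour: identify the module and verify its signer"
    if info["writeable"]:
        return "writeable code section reported: compare the on-disk file with the vendor's signed copy"
    return "no hook indicators"


def triage(findings):
    """Group findings per kernel module and attach a verdict to each."""
    modules = defaultdict(lambda: {"ssdt": [], "attached": [], "writeable": []})
    for f in findings["ssdt"]:
        modules[module_name(f["module"])]["ssdt"].append(f["service"])
    for f in findings["attached"]:
        modules[module_name(f["module"])]["attached"].append(f["device"])
    for f in findings["writeable"]:
        modules[module_name(f["module"])]["writeable"].append(f["section"])
    report = {}
    for mod, info in modules.items():
        hiding = sorted(set(info["ssdt"]) & HIDING_SERVICES)
        report[mod] = {"ssdt_hooks": len(info["ssdt"]), "hiding_hooks": hiding,
                       "attached_devices": sorted(info["attached"]),
                       "writeable_sections": info["writeable"], "verdict": classify(info, hiding)}
    return report


def registry_summary(findings):
    """Separate Explorer's MountPoints2 volume records (informational) from other keys."""
    mp2 = sum(1 for f in findings["registry"] if "\\MountPoints2\\" in f["key"])
    return {"mountpoints2": mp2, "other": len(findings["registry"]) - mp2}


# Constructed excerpt of the log on this page; raw string so '\x3332' stays literal.
SAMPLE_LOG = r"""
GMER 2.1.19357 - http://www.gmer.net
---- System - GMER 2.1 ----
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwCreateFile [0xF645FED0]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwCreateThread [0xF64616E0]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwDebugActiveProcess [0xF645D230]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwOpenProcess [0xF645FC40]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwSetValueKey [0xF645F750]
SSDT  \SystemRoot\system32\DRIVERS\pwipf6.sys  ZwTerminateProcess [0xF645F640]
---- Kernel code sections - GMER 2.1 ----
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xF65953C0, 0x84E4FA, 0xE8000020]
---- Devices - GMER 2.1 ----
AttachedDevice  \Driver\Tcpip \Device\Ip  pwipf6.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp  pwipf6.sys
AttachedDevice  \Driver\Tcpip \Device\Udp  pwipf6.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  pwipf6.sys
---- Registry - GMER 2.1 ----
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Video\{2BC1B1F6-3FD0-48B1-8F88-48D94301B0BC}\0000@D3D_\x3332\x3331  2089309684
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\C@BaseClass  Drive
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c89d3520-62a7-11de-89d7-0018f3e074ea}@_AutorunStatus  0x01 0x01 0xFF 0xFF ...
---- EOF - GMER 2.1 ----
"""

if __name__ == "__main__":
    found = parse_gmer(SAMPLE_LOG)
    for mod, r in triage(found).items():
        print(f"{mod}: {r['ssdt_hooks']} SSDT hooks, hiding={r['hiding_hooks']}, "
              f"attached={r['attached_devices']}, writeable={r['writeable_sections']} -> {r['verdict']}")
    print("registry:", registry_summary(found))
```

Run against the full log pasted above rather than the excerpt and the only change is the hook count (24 instead of 6); the verdicts stay the same because the hooked-service set still contains no enumeration routine. The MountPoints2 count is reported separately because those keys are written by Explorer for every volume that is mounted and say nothing about hooking.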