GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2011-07-26 14:28:19 Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAKS-00L9A0 rev.01.03E01 Running: Gmer.exe; Driver: C:\DOCUME~1\Pawel\USTAWI~1\Temp\kweiifow.sys ---- Kernel code sections - GMER 1.0.15 ---- .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB51A13A0, 0x88C445, 0xE8000020] ---- User code sections - GMER 1.0.15 ---- .text C:\Documents and Settings\Pawel\Pulpit\Gmer.exe[156] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\Documents and Settings\Pawel\Pulpit\Gmer.exe[156] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\Documents and Settings\Pawel\Pulpit\Gmer.exe[156] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\Documents and Settings\Pawel\Pulpit\Gmer.exe[156] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\Documents and Settings\Pawel\Pulpit\Gmer.exe[156] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\Documents and Settings\Pawel\Pulpit\Gmer.exe[156] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\services.exe[696] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\services.exe[696] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\services.exe[696] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\services.exe[696] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\services.exe[696] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\services.exe[696] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\savedump.exe[724] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\savedump.exe[724] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\savedump.exe[724] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\savedump.exe[724] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\savedump.exe[724] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\savedump.exe[724] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\lsass.exe[732] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF96591 .text C:\WINDOWS\system32\lsass.exe[732] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF96620 .text C:\WINDOWS\system32\lsass.exe[732] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF9662D .text C:\WINDOWS\system32\lsass.exe[732] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FF968B1 .text C:\WINDOWS\system32\lsass.exe[732] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF96616 .text C:\WINDOWS\system32\lsass.exe[732] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9666E .rsrc C:\WINDOWS\system32\svchost.exe[924] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\system32\svchost.exe[924] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100BED1] iugwkhg C:\WINDOWS\system32\svchost.exe[924] C:\WINDOWS\system32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\system32\svchost.exe[924] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\svchost.exe[924] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\svchost.exe[924] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\svchost.exe[924] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\svchost.exe[924] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\svchost.exe[924] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\system32\svchost.exe[968] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\system32\svchost.exe[968] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100BED1] iugwkhg C:\WINDOWS\system32\svchost.exe[968] C:\WINDOWS\system32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\svchost.exe[968] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\System32\svchost.exe[1004] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\System32\svchost.exe[1004] C:\WINDOWS\System32\svchost.exe entry point in ".rsrc" section [0x0100BED1] iugwkhg C:\WINDOWS\System32\svchost.exe[1004] C:\WINDOWS\System32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\System32\svchost.exe[1004] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\system32\svchost.exe[1064] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\system32\svchost.exe[1064] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100BED1] iugwkhg C:\WINDOWS\system32\svchost.exe[1064] C:\WINDOWS\system32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\system32\svchost.exe[1064] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\svchost.exe[1064] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\svchost.exe[1064] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\svchost.exe[1064] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\svchost.exe[1064] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\svchost.exe[1064] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .rsrc C:\WINDOWS\system32\svchost.exe[1128] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060] .rsrc C:\WINDOWS\system32\svchost.exe[1128] C:\WINDOWS\system32\svchost.exe entry point in ".rsrc" section [0x0100BED1] iugwkhg C:\WINDOWS\system32\svchost.exe[1128] C:\WINDOWS\system32\svchost.exe unknown last section [0x0100D000, 0x1000, 0xC0000000] .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\svchost.exe[1128] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .reloc C:\WINDOWS\Explorer.EXE[1456] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0xA800, 0xE0000060] .reloc C:\WINDOWS\Explorer.EXE[1456] C:\WINDOWS\Explorer.EXE entry point in ".reloc" section [0x01104F43] ohyqysr C:\WINDOWS\Explorer.EXE[1456] C:\WINDOWS\Explorer.EXE unknown last section [0x01106000, 0x1000, 0xC0000000] .text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\Explorer.EXE[1456] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .text C:\Program Files\Application Updater\ApplicationUpdater.exe[1612] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\Program Files\Application Updater\ApplicationUpdater.exe[1612] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\Program Files\Application Updater\ApplicationUpdater.exe[1612] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\Program Files\Application Updater\ApplicationUpdater.exe[1612] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\Program Files\Application Updater\ApplicationUpdater.exe[1612] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\Program Files\Application Updater\ApplicationUpdater.exe[1612] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1628] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1628] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1628] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1628] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1628] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1628] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\nvsvc32.exe[1692] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\nvsvc32.exe[1692] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\nvsvc32.exe[1692] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\nvsvc32.exe[1692] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\nvsvc32.exe[1692] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\nvsvc32.exe[1692] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1764] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1764] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1764] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1764] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1764] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1764] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .text C:\Documents and Settings\Pawel\Pulpit\OTL.exe[1816] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\Documents and Settings\Pawel\Pulpit\OTL.exe[1816] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\Documents and Settings\Pawel\Pulpit\OTL.exe[1816] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\Documents and Settings\Pawel\Pulpit\OTL.exe[1816] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\Documents and Settings\Pawel\Pulpit\OTL.exe[1816] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\Documents and Settings\Pawel\Pulpit\OTL.exe[1816] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .text C:\WINDOWS\system32\RUNDLL32.EXE[1996] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\system32\RUNDLL32.EXE[1996] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\system32\RUNDLL32.EXE[1996] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\system32\RUNDLL32.EXE[1996] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\system32\RUNDLL32.EXE[1996] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\system32\RUNDLL32.EXE[1996] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E .text C:\WINDOWS\RTHDCPL.EXE[2016] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591 .text C:\WINDOWS\RTHDCPL.EXE[2016] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620 .text C:\WINDOWS\RTHDCPL.EXE[2016] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D .text C:\WINDOWS\RTHDCPL.EXE[2016] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1 .text C:\WINDOWS\RTHDCPL.EXE[2016] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616 .text C:\WINDOWS\RTHDCPL.EXE[2016] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E