GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-26 14:58:52
Windows 5.1.2600 Dodatek Service Pack 2
Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAKS-00L9A0 rev.01.03E01
Running: Gmer.exe; Driver: C:\DOCUME~1\Pawel\USTAWI~1\Temp\kweiifow.sys

---- Kernel code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB51A13A0, 0x88C445, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF96591
.text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF96620
.text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF9662D
.text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FF968B1
.text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF96616
.text C:\WINDOWS\system32\winlogon.exe[652] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9666E
.text C:\WINDOWS\system32\services.exe[696] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF96591
.text C:\WINDOWS\system32\services.exe[696] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF96620
.text C:\WINDOWS\system32\services.exe[696] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF9662D
.text C:\WINDOWS\system32\services.exe[696] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FF968B1
.text C:\WINDOWS\system32\services.exe[696] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF96616
.text C:\WINDOWS\system32\services.exe[696] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9666E
.text C:\WINDOWS\system32\lsass.exe[708] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FF96591
.text C:\WINDOWS\system32\lsass.exe[708] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FF96620
.text C:\WINDOWS\system32\lsass.exe[708] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FF9662D
.text C:\WINDOWS\system32\lsass.exe[708] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FF968B1
.text C:\WINDOWS\system32\lsass.exe[708] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FF96616
.text C:\WINDOWS\system32\lsass.exe[708] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FF9666E
.rsrc C:\WINDOWS\system32\svchost.exe[852] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060]
.text C:\WINDOWS\system32\svchost.exe[852] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\system32\svchost.exe[852] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\system32\svchost.exe[852] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\system32\svchost.exe[852] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\system32\svchost.exe[852] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\system32\svchost.exe[852] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E
.rsrc C:\WINDOWS\system32\svchost.exe[908] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060]
.rsrc C:\WINDOWS\System32\svchost.exe[944] C:\WINDOWS\System32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060]
.text C:\WINDOWS\System32\svchost.exe[944] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\System32\svchost.exe[944] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\System32\svchost.exe[944] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\System32\svchost.exe[944] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\System32\svchost.exe[944] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\System32\svchost.exe[944] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E
.rsrc C:\WINDOWS\system32\svchost.exe[1004] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060]
.rsrc C:\WINDOWS\system32\svchost.exe[1044] C:\WINDOWS\system32\svchost.exe section is executable [0x01005000, 0x7600, 0xE0000060]
.text C:\Documents and Settings\Pawel\Pulpit\Gmer.exe[1072] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591
.text C:\Documents and Settings\Pawel\Pulpit\Gmer.exe[1072] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620
.text C:\Documents and Settings\Pawel\Pulpit\Gmer.exe[1072] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D
.text C:\Documents and Settings\Pawel\Pulpit\Gmer.exe[1072] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1
.text C:\Documents and Settings\Pawel\Pulpit\Gmer.exe[1072] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616
.text C:\Documents and Settings\Pawel\Pulpit\Gmer.exe[1072] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E
.reloc C:\WINDOWS\Explorer.EXE[1468] C:\WINDOWS\Explorer.EXE section is executable [0x010FB000, 0xA800, 0xE0000060]
.text C:\WINDOWS\Explorer.EXE[1468] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\Explorer.EXE[1468] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\Explorer.EXE[1468] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\Explorer.EXE[1468] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\Explorer.EXE[1468] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\Explorer.EXE[1468] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E
.text C:\Program Files\Application Updater\ApplicationUpdater.exe[1608] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591
.text C:\Program Files\Application Updater\ApplicationUpdater.exe[1608] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620
.text C:\Program Files\Application Updater\ApplicationUpdater.exe[1608] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D
.text C:\Program Files\Application Updater\ApplicationUpdater.exe[1608] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1
.text C:\Program Files\Application Updater\ApplicationUpdater.exe[1608] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616
.text C:\Program Files\Application Updater\ApplicationUpdater.exe[1608] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1624] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1624] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1624] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1624] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1624] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe[1624] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\system32\nvsvc32.exe[1704] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\system32\nvsvc32.exe[1704] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\system32\nvsvc32.exe[1704] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\system32\nvsvc32.exe[1704] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\system32\nvsvc32.exe[1704] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\system32\nvsvc32.exe[1704] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E
.text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1780] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591
.text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1780] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620
.text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1780] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D
.text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1780] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1
.text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1780] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616
.text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[1780] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\system32\RUNDLL32.EXE[1788] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\system32\RUNDLL32.EXE[1788] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\system32\RUNDLL32.EXE[1788] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\system32\RUNDLL32.EXE[1788] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\system32\RUNDLL32.EXE[1788] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\system32\RUNDLL32.EXE[1788] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E
.text C:\WINDOWS\RTHDCPL.EXE[1804] ntdll.dll!NtCreateFile 7C90D682 5 Bytes CALL 7FFA6591
.text C:\WINDOWS\RTHDCPL.EXE[1804] ntdll.dll!NtCreateProcess 7C90D754 5 Bytes CALL 7FFA6620
.text C:\WINDOWS\RTHDCPL.EXE[1804] ntdll.dll!NtCreateProcessEx 7C90D769 5 Bytes CALL 7FFA662D
.text C:\WINDOWS\RTHDCPL.EXE[1804] ntdll.dll!NtDeviceIoControlFile 7C90D8E3 5 Bytes CALL 7FFA68B1
.text C:\WINDOWS\RTHDCPL.EXE[1804] ntdll.dll!NtOpenFile 7C90DCFD 5 Bytes CALL 7FFA6616
.text C:\WINDOWS\RTHDCPL.EXE[1804] ntdll.dll!NtQueryInformationProcess 7C90E01B 5 Bytes CALL 7FFA666E