GMER 2.0.18454 - http://www.gmer.net Rootkit scan 2013-01-31 19:58:14 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST932032 rev.0003 298,09GB Running: 5wov9n0g.exe; Driver: C:\Users\PATRYC~1\AppData\Local\Temp\kwlyyuod.sys ---- User IAT/EAT - GMER 2.0 ---- IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!memcpy] [8b48d98b48105d89] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!_amsg_exit] [448d48000051a4] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!free] [d03b480f508d4840] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!_initterm] [fffffff0ba480a77] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!malloc] [f0e283480fffffff] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!_XcptFilter] [4d12e8c28b48] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!memmove] [48e22b4840438b4c] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[msvcrt.dll!memset] [8d158d4820247c8d] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[ntdll.dll!RtlCaptureContext] [200448d0000515c] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[ntdll.dll!RtlLookupFunctionEntry] [522715ffc86348] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[ntdll.dll!RtlVirtualUnwind] [74c08548d88b4800] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!Sleep] [74894808245c8948] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!TerminateProcess] [4820ec8348571024] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetSystemTimeAsFileTime] [d98b48f88b49f28b] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetCurrentProcessId] [4100005491158d48] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetCurrentThreadId] [ce8b4800000010b8] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetTickCount] [74c08500004dede8] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!QueryPerformanceCounter] [5488158d4824] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CreateThread] [8b4800000010b841] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CancelIo] [c08500004dd4e8ce] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CreateIoCompletionPort] [2b8002783480b74] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!DeviceIoControl] [1f89480aeb800040] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!PostQueuedCompletionStatus] [48c03301084383f0] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!DefineDosDeviceA] [24748b4830245c8b] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!SetUnhandledExceptionFilter] [ccc35f20c4834838] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!UnhandledExceptionFilter] [c10ff000000001b8] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!WaitForSingleObject] [ccccccc3c0ff0841] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!SetEvent] [83485708245c8948] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CreateEventA] [ffc7830879c10ff0] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!LocalAlloc] [5398058d4801] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CloseHandle] [4818418948000053] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!LocalFree] [8948000053b2058d] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!CreateFileA] [53bf058d482041] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetQueuedCompletionStatus] [498b482841894800] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!WideCharToMultiByte] [d2330e74c9854840] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!DisableThreadLibraryCalls] [15ff00008000b841] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!MultiByteToWideChar] [8b48000051c215ff] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!lstrlenW] [8b00004fa915ffcb] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetLastError] [834830245c8b48c7] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\kmddsp.tsp[KERNEL32.dll!GetCurrentProcess] [83485540c35f20c4] IAT C:\Windows\system32\svchost.exe[1364] @ C:\Windows\system32\mshtml.dll[USER32.dll!GetCursorPos] [21564] C:\Windows\system32\kmddsp.tsp ---- Threads - GMER 2.0 ---- Thread C:\Windows\system32\svchost.exe [792:884] 000000000051180c Thread C:\Windows\system32\svchost.exe [792:892] 00000000008d1670 Thread C:\Windows\system32\svchost.exe [792:896] 00000000008d1518 ---- Processes - GMER 2.0 ---- Library c:\windows\system32\z (*** suspicious ***) @ C:\Windows\system32\svchost.exe [792] 0000066656340000 Library c:\windows\system32\z (*** suspicious ***) @ C:\Windows\Explorer.EXE [680] 0000066656340000 ---- Registry - GMER 2.0 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dc5ee10 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dc5ee10@6c9b028adcf0 0x50 0x16 0xE4 0x81 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dc5ee10@d0176aef4f27 0xE7 0x08 0x57 0xF7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dc5ee10@0007abe808de 0x6A 0x73 0x60 0x73 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dc5ee10@90cf15544441 0xA3 0x47 0x3D 0xD6 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dc5ee10@00247cfda28d 0x17 0xBC 0x8E 0x92 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dc5ee10@c8979f181841 0xDB 0x75 0xDF 0xC1 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dc5ee10@18e2c24b789b 0xA2 0x4D 0xB6 0x29 ... Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Export ????????????? ??????????????????????????????????#???????????????nm???????????C???????????-?-?-?@?;?_?_?_?_?e?k?o?o?s?s?s?t?t?t?t?t?t?t?u?u?u?u?u?u?u?v?y?y??? ?????????????????????-????????????&???????????????????????? ???????0?????F-9??? ???????}??????ne??????????????????????????????????????????????????? ???????|???????????k?:????????????&????????????????????8??????????????????????????????????????????????????????????@%??6.1.7600.17122??????????????????????n???????????????????? ???????N?????pip??? ??????????????n8??????????? ???????????e??usb\vid_19d2&pid_0031&mi_00?ic??? 4?????????????????ZTE Diagnostics Interface???????????????????????????????%SystemRoot%\System32\\imageres.dll,-32??????????????r??????tB??Microsoft???{00000000-0000-0000-FFFF-FFFFFFFFFFFF}??48???????????i??????????*pnp09ff????????????????????????????Microsoft???????????????????Wolumin uniwersalny?94??.NTAMD64?V???????????????????i??????????????? ?????????????????????,????????????????????? ??????????????????????????????????? ????????????????? Reg HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Export ???n?????n???????p???i?j?n?t?j??????????????Mi??disk?i??????????????????????t?????????????????????????????????????????P??n????????h?????\SystemRoot\system32\DRIVERS\cmdide.sys???????(??n??????p???System Bus Extender???????R??n???????????d??mshdc.inf_amd64_neutral_a69a58a4286f0b22?????n?n?n?n?n?n??????,??n??????????????? `??o??????????s???ZTEusbmdm6k??????????????n???n??????????????@%systemroot%\system32\drivers\hwpolicy.sys,-101????255.255.255.0?????N??o?????????D????Intel(R) Management Engine Interface???????????????????s????????????????t????n??*6to4mp?????????????????????WUDFRd???????????3??????System32\drivers\hwpolicy.sys???????????????????????????????????t???.NT?A8??Microsoft???system32\DRIVERS\JME.sys?????y???????????????????????????????????????????????????????????q?q?n??Microsoft UAA Bus Driver for High Definition Audio???????n???????i??????????????s????r?p?r?s?:??system32\DRIVERS\i8042prt.sys?8042prt.sys???system32\DRIVERS\iaStor.sys????????????????????????????? ????????????????????????????n????????? Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dc5ee10 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dc5ee10@6c9b028adcf0 0x50 0x16 0xE4 0x81 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dc5ee10@d0176aef4f27 0xE7 0x08 0x57 0xF7 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dc5ee10@0007abe808de 0x6A 0x73 0x60 0x73 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dc5ee10@90cf15544441 0xA3 0x47 0x3D 0xD6 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dc5ee10@00247cfda28d 0x17 0xBC 0x8E 0x92 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dc5ee10@c8979f181841 0xDB 0x75 0xDF 0xC1 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dc5ee10@18e2c24b789b 0xA2 0x4D 0xB6 0x29 ... Reg HKLM\SYSTEM\ControlSet002\services\LanmanServer\Linkage@Export ???i?????????o????????????????????????????X??x???p???t????D??x????????????????????????????????????????????R??i????????h?????\SystemRoot\system32\DRIVERS\lsi_sas.sys?????h?h?y?y?y???????i??????p???SCSI Miniport?????V??i???????????d??lsi_sas.inf_amd64_neutral_a4d6780f72cbd5b4???????i?i?i?i?i?i?t??????????????t?????????????????????????????????????????T??i????????h?????\SystemRoot\system32\DRIVERS\lsi_sas2.sys????????i??????p???SCSI Miniport?????X??i???????????d??lsi_sas2.inf_amd64_neutral_e12a5c4cfbe49204??????i?i?i?i?i?i?i??????????????t?????????????????????????????????????????T??i????????h?????\SystemRoot\system32\DRIVERS\lsi_scsi.sys????????i??????p???SCSI Miniport?????X??i???????????d??lsi_scsi.inf_amd64_neutral_cfbbf0b0b66ba280??????i?i?i?i?i?i?i??@%SystemRoot%\system32\FirewallAPI.dll,-23093???????????????????mshdc.inf_amd64_neutral_a69a58a4286f0b22????????????????????????Base????iSCSI???????????????????????i?????????e?????????????i??????s????????i??????s???? `??x??????????????????????volsnap?????? ???????u?????.sy???????b???????????e??????????NOKIA????????????????????????3???????????i???????????????????????:???:???????????s??ep???????i???0?????????????????g?????????????j????\??i?????????n????????????????t??????????????g?????y???????????????????????2??@%systemroot%\system32\drivers\luafv.sys,-100???WimFltr??y????????????N??i????????h??????????????e???e??????????????????????@%systemroot%\system32\drivers\luafv.sys,-101????????????????????????????i???_??ps???????????????d???????????????????????T??????????ne???????????o??????????? ???e??system32\DRIVERS\mouclass.sys?ouclass.sys???System32\drivers\mpsdrv.sys????????n????MBRES???SCSI Miniport???\SystemRoot\system32\drivers\luafv.sys?????????????????????????????????????g?????????s??Sterownik klasy ---- EOF - GMER 2.0 ----