GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-20 15:35:25 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_SP0802N rev.TK100-24 74,56GB Running: 41l3ml9k.exe; Driver: C:\DOCUME~1\MICHA~1\USTAWI~1\Temp\pwldqaoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwClose [0xAA53F580] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwCreateKey [0xAA53F678] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDeleteKey [0xAA53F40C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDeleteValueKey [0xAA53F314] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwDuplicateObject [0xAA53E9BC] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenKey [0xAA53EEA0] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenProcess [0xAA53E8A6] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwOpenThread [0xAA53E932] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwQueryValueKey [0xAA53EF3E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwRenameKey [0xAA53F4DA] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwRestoreKey [0xAA53F7B2] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwSetValueKey [0xAA53F146] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 248C 80501CEC 4 Bytes JMP BA68C744 .text ntkrnlpa.exe!ZwCallbackReturn + 2564 80501DC4 4 Bytes CALL C402C81C .text ntkrnlpa.exe!ZwCallbackReturn + 257C 80501DDC 4 Bytes JMP C420C834 .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6C7E3C0, 0x84E2FA, 0xE8000020] ? C:\DOCUME~1\MICHA~1\USTAWI~1\Temp\mbr.sys Nazwa pliku, nazwa katalogu lub składnia etykiety woluminu jest niepoprawna. ! ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\Explorer.EXE[476] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[476] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[596] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[660] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[660] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[684] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[684] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\services.exe[728] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[728] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[740] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[740] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[908] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[908] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[964] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[964] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1060] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1060] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1156] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1156] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[1184] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[1184] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1288] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1288] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1452] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1452] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1540] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1540] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1648] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[1648] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\nvsvc32.exe[1680] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\nvsvc32.exe[1680] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\RunDLL32.exe[1696] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\RunDLL32.exe[1696] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1708] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[1708] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1712] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\NVIDIA Update Core\daemonu.exe[1712] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\SOUNDMAN.EXE[1736] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\SOUNDMAN.EXE[1736] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Documents and Settings\Michał\Pulpit\41l3ml9k.exe[2092] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Michał\Pulpit\41l3ml9k.exe[2092] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3640] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3640] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[728] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Tcp AswRdr.SYS ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{96230E32-A557-4B34-8676-5AAC2BF06397}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet002\Control\Video\{96230E32-A557-4B34-8676-5AAC2BF06397}\0000@D3D_\x3332\x3331 2089309684 ---- Files - GMER 2.1 ---- File C:\WINDOWS\system32\NtmsData 0 bytes File C:\WINDOWS\system32\NtmsData\NTMSDATA 118784 bytes File C:\WINDOWS\system32\NtmsData\NTMSDATA.BAK 118784 bytes File C:\WINDOWS\system32\NtmsData\NTMSIDX 81944 bytes File C:\WINDOWS\system32\NtmsData\NTMSREG 816 bytes ---- EOF - GMER 2.1 ----