GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-05-29 15:49:53
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-9 SAMSUNG_HD502IJ rev.1AA01113 465,76GB
Running: rk08s02w.exe; Driver: C:\DOCUME~1\adm\USTAWI~1\Temp\kwniiaod.sys

---- System - GMER 2.1 ----

SSDT  AF70F244  ZwClose
SSDT  AF70F1FE  ZwCreateKey
SSDT  AF70F24E  ZwCreateSection
SSDT  AF70F1F4  ZwCreateThread
SSDT  AF70F203  ZwDeleteKey
SSDT  AF70F20D  ZwDeleteValueKey
SSDT  AF70F23F  ZwDuplicateObject
SSDT  AF70F212  ZwLoadKey
SSDT  AF70F1E0  ZwOpenProcess
SSDT  AF70F1E5  ZwOpenThread
SSDT  AF70F267  ZwQueryValueKey
SSDT  AF70F21C  ZwReplaceKey
SSDT  AF70F258  ZwRequestWaitReplyPort
SSDT  AF70F217  ZwRestoreKey
SSDT  AF70F253  ZwSetContextThread
SSDT  AF70F25D  ZwSetSecurityObject
SSDT  AF70F208  ZwSetValueKey
SSDT  AF70F262  ZwSystemDebugControl
SSDT  AF70F1EF  ZwTerminateProcess

---- Kernel code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB5BF53C0, 0x706FCA, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\winlogon.exe[720] USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 10004720 c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
.text  C:\WINDOWS\system32\services.exe[764] USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 10004720 c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
.text  C:\WINDOWS\system32\lsass.exe[776] USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 10004720 c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
.text  C:\WINDOWS\system32\nvsvc32.exe[928] USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 10004720 c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
.text  C:\WINDOWS\system32\svchost.exe[956] USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 10004720 c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
.text  ...

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\WINDOWS\system32\winlogon.exe[720] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryW] [10009FA0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\winlogon.exe[720] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\winlogon.exe[720] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtOpenFile] [1000A110] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\winlogon.exe[720] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\winlogon.exe[720] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtQueryValueKey] [1000DDF0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\winlogon.exe[720] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\winlogon.exe[720] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtSetValueKey] [1000DE60] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\winlogon.exe[720] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtCreateKey] [1000DED0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!LoadLibraryW] [10009FA0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtCreateKey] [1000DED0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryValueKey] [1000DDF0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtSetValueKey] [1000DE60] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteValueKey] [1000E0D0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtEnumerateKey] [1000DD10] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteKey] [1000E080] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtSetInformationFile] [1000A2C0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryInformationFile] [10009990] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteFile] [1000A270] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtOpenFile] [1000A110] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtQueryKey] [10009950] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[956] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[956] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[956] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1024] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\System32\svchost.exe[1120] @ C:\WINDOWS\System32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\System32\svchost.exe[1120] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\System32\svchost.exe[1120] @ C:\WINDOWS\System32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1160] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1160] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1160] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1224] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1224] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1224] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1320] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1320] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1320] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\Explorer.EXE[1760] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\Explorer.EXE[1760] @ C:\WINDOWS\Explorer.EXE [KERNEL32.dll!LoadLibraryW] [10009FA0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1872] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1872] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[1872] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[2832] @ C:\WINDOWS\system32\svchost.exe [KERNEL32.dll!LoadLibraryA] [10009F50] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[2832] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[2832] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtClose] [1000E000] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll

---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\Fastfat \Fat  fltmgr.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Video\{BF5A7712-F4A2-4403-A982-E06341764FCA}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Video\{FD6918F0-7429-4888-A6E3-CDFD5261EA2E}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\ControlSet002\Control\Video\{BF5A7712-F4A2-4403-A982-E06341764FCA}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\ControlSet002\Control\Video\{FD6918F0-7429-4888-A6E3-CDFD5261EA2E}\0000@D3D_\x3332\x3331  2089309684

---- EOF - GMER 2.1 ----
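The log above is dominated by one pattern: the same DLL under an 8.3-shortened path in the all-users application-data folder has IAT hooks on LoadLibraryA/W and on the ntdll registry and file primitives in winlogon, services, lsass, Explorer and every svchost instance, plus a 5-byte inline JMP on USER32!DialogBoxParamW. Triaging that by eye across fifty lines is error-prone, so here is an added example (not part of the log, not GMER's code) that parses GMER's IAT, .text and unattributed SSDT records, groups user-mode hooks by the module that owns the hook target, and flags any hooking module that does not live under the Windows directory. The record shapes are taken from the lines above; the SAMPLE_LOG excerpt is copied from this log. Assumptions to note: the SSDT regex handles only the unattributed form GMER printed here (address and Zw* name, no owning driver), and the "trusted prefix" check is a triage heuristic, not a verdict.

```python
import re
from collections import defaultdict

# Excerpt copied from the GMER log above (not constructed), one record per line.
SAMPLE_LOG = r"""
SSDT  AF70F244  ZwClose
SSDT  AF70F1E0  ZwOpenProcess
.text  C:\WINDOWS\system32\lsass.exe[776] USER32.dll!DialogBoxParamW  7E3747AB 5 Bytes  JMP 10004720 c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\winlogon.exe[720] @ C:\WINDOWS\system32\winlogon.exe [KERNEL32.dll!LoadLibraryW] [10009FA0] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ntdll.dll!NtDeleteFile] [1000A270] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
IAT  C:\WINDOWS\system32\svchost.exe[956] @ C:\WINDOWS\system32\svchost.exe [ntdll.dll!NtOpenKey] [1000DF40] c:\docume~1\alluse~1\daneap~1\browse~1\261249~1.132\{c16c1~1\browse~1.dll
"""

# Record shapes as they appear in the log:
#   IAT    <process>[<pid>] @ <image> [<dll!import>] [<hook target>] <hooking module>
#   .text  <process>[<pid>] <dll!export> <orig addr> <n> Bytes JMP <hook target> <hooking module>
#   SSDT   <handler addr> <Zw* service>        (assumption: unattributed form only, as in this log)
_IAT = re.compile(
    r"^IAT\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+@\s+\S+\s+"
    r"\[(?P<import>[^\]]+)\]\s+\[(?P<target>[0-9A-Fa-f]+)\]\s+(?P<module>\S+)\s*$")
_TEXT = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<import>\S+)\s+"
    r"(?P<original>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+Bytes\s+JMP\s+"
    r"(?P<target>[0-9A-Fa-f]+)\s+(?P<module>\S+)\s*$")
_SSDT = re.compile(r"^SSDT\s+(?P<target>[0-9A-Fa-f]{8})\s+(?P<service>Zw\w+)\s*$")


def parse_gmer(text):
    """Return hook records (dicts with a 'kind' key) from GMER log text; other lines are skipped."""
    records = []
    for raw in text.splitlines():
        line = raw.strip()
        if (m := _IAT.match(line)):
            records.append({"kind": "iat", **m.groupdict()})
        elif (m := _TEXT.match(line)):
            records.append({"kind": "inline", **m.groupdict()})
        elif (m := _SSDT.match(line)):
            records.append({"kind": "ssdt", **m.groupdict()})
    return records


def user_hooks_by_module(records):
    """Group user-mode hooks (IAT and inline) by the module owning the hook target.
    Returns {module_lowercase: {"processes": [...], "imports": [...]}} with sorted lists,
    so one glance shows how widely a single DLL has injected itself."""
    grouped = defaultdict(lambda: {"processes": set(), "imports": set()})
    for r in records:
        if r["kind"] in ("iat", "inline"):
            name = r["process"].rsplit("\\", 1)[-1]          # strip the directory
            g = grouped[r["module"].lower()]                 # 8.3 paths are case-insensitive
            g["processes"].add(f"{name}[{r['pid']}]")
            g["imports"].add(r["import"])
    return {m: {k: sorted(v) for k, v in g.items()} for m, g in grouped.items()}


def unexpected_hookers(records, trusted_prefixes=("c:\\windows\\",)):
    """Hooking modules that live outside the trusted prefixes. A module under
    %SystemRoot% may still be hostile; this only orders the work, it does not clear anything."""
    prefixes = tuple(p.lower() for p in trusted_prefixes)
    modules = {r["module"].lower() for r in records if r["kind"] in ("iat", "inline")}
    return sorted(m for m in modules if not m.startswith(prefixes))


def ssdt_hooks(records):
    """Zw* services whose SSDT entry GMER could not attribute to a loaded driver.
    These need manual attribution (for example against the scanner's own driver named in the
    log header) before being called malicious."""
    return [r["service"] for r in records if r["kind"] == "ssdt"]


if __name__ == "__main__":
    recs = parse_gmer(SAMPLE_LOG)
    for module, info in user_hooks_by_module(recs).items():
        print(f"{module}\n  processes: {', '.join(info['processes'])}\n  imports:   {', '.join(info['imports'])}")
    print("outside Windows dir:", unexpected_hookers(recs))
    print("unattributed SSDT hooks:", ssdt_hooks(recs))
```

Run it on the full log rather than the excerpt to get the complete process list per module. The hooked imports themselves tell the story: hooking NtOpenKey, NtQueryValueKey, NtSetValueKey, NtDeleteKey and the Nt*File calls inside services.exe lets a module filter what the service controller, and any tool reading the registry through it, can see or change, while LoadLibraryA/W hooks in every process give it a chance to intercept further module loads.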