GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-07 23:30:07 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST340014A rev.3.04 37,27GB Running: p9vjul5v.exe; Driver: C:\DOCUME~1\ABC\USTAWI~1\Temp\kwldrpog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\windows\System32\DRIVERS\nv4_mini.sys section is writeable [0xF7A83360, 0x37388D, 0xE8000020] ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 snapman.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 snapman.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryCount 9 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security@TypesSupported 28 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Channel 5120 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Device 4352 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Directory 4368 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Event 4384 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@File 4416 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Job 5136 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Key 4432 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Port 4464 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Process 4480 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Profile 4496 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Section 4512 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Thread 4560 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Timer 4576 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Token 4592 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@Type 4608 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@TypesSupported 31 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@ParameterMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryCount 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventSourceFlags 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928 Reg HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\DS@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\DS\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\DS\ObjectNames@Directory Service Object 7680 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA\ObjectNames@PolicyObject 5632 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA\ObjectNames@SecretObject 5648 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA\ObjectNames@TrustedDomainObject 5664 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\LSA\ObjectNames@UserAccountObject 5680 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\NetDDE Object@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\NetDDE Object\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\NetDDE Object\ObjectNames@DDE Share 7424 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\SC Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\SC Manager\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\SC Manager\ObjectNames@SC_MANAGER Object 7168 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\SC Manager\ObjectNames@SERVICE Object 7184 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security@CategoryCount 9 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security@GuidMessageFile %SystemRoot%\System32\NtMarta.dll Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security@EventMessageFile %SystemRoot%\System32\MsAuditE.dll;%SystemRoot%\System32\xpsp2res.dll;%SystemRoot%\System32\xpsp3res.dll Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security@TypesSupported 28 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Channel 5120 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Desktop 6672 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Device 4352 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Directory 4368 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Event 4384 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@EventPair 4400 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@File 4416 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@IoCompletion 4864 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Job 5136 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Key 4432 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@MailSlot 4416 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Mutant 4448 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@NamedPipe 4416 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Port 4464 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Process 4480 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Profile 4496 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Section 4512 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Semaphore 4528 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@SymbolicLink 4544 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Thread 4560 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Timer 4576 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Token 4592 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@Type 4608 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@WaitablePort 4464 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security\ObjectNames@WindowStation 6656 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_ALIAS 5424 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_DOMAIN 5392 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_GROUP 5408 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_SERVER 5376 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Security Account Manager\ObjectNames@SAM_USER 5440 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\ServiceModel 3.0.0.0@TypesSupported 31 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\ServiceModel 3.0.0.0@ParameterMessageFile C:\WINDOWS\Microsoft.NET\Framework\v3.0\Windows Communication Foundation\ServiceModelEvents.dll.mui Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryCount 3 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\ServiceModel 3.0.0.0@EventSourceFlags 1 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\ServiceModel 3.0.0.0@CategoryMessageFile %SystemRoot%\System32\MsAuditE.dll Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Spooler@ParameterMessageFile %SystemRoot%\System32\MsObjs.dll Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Spooler\ObjectNames (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Spooler\ObjectNames@Document 6944 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Spooler\ObjectNames@Printer 6928 Reg HKLM\SYSTEM\ControlSet003\Services\Eventlog\Security\Spooler\ObjectNames@Server 6912 Reg HKLM\SOFTWARE\Classes\CLSID\{F043A88F-2446-2DEA-2AD2-36DE2210668A}\InProcServer32@ "C:\Program Files\NetMeeting\nmcom.dll" Reg HKLM\SOFTWARE\Classes\CLSID\{F043A88F-2446-2DEA-2AD2-36DE2210668A}\InProcServer32@ThreadingModel Apartment Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{64FE8A45-5F03-F006-3F88-A70A748710D7} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{64FE8A45-5F03-F006-3F88-A70A748710D7}@iakomadmglgnledehg 0x6B 0x61 0x68 0x64 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{64FE8A45-5F03-F006-3F88-A70A748710D7}@haaoceajmeppdpej 0x6B 0x61 0x68 0x64 ... ---- EOF - GMER 2.1 ----