GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-08-08 17:36:01 Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HD160JJ rev.ZM100-47 Running: cvh6l4vh.exe; Driver: C:\DOCUME~1\KRZYSI~1\USTAWI~1\Temp\kxloqpow.sys ---- System - GMER 1.0.15 ---- SSDT BA718E24 ZwClose SSDT BA718DDE ZwCreateKey SSDT BA718E2E ZwCreateSection SSDT BA718DD4 ZwCreateThread SSDT BA718DE3 ZwDeleteKey SSDT BA718DED ZwDeleteValueKey SSDT BA718E1F ZwDuplicateObject SSDT BA718DF2 ZwLoadKey SSDT BA718DC0 ZwOpenProcess SSDT BA718DC5 ZwOpenThread SSDT BA718E47 ZwQueryValueKey SSDT BA718DFC ZwReplaceKey SSDT BA718E38 ZwRequestWaitReplyPort SSDT BA718DF7 ZwRestoreKey SSDT BA718E33 ZwSetContextThread SSDT BA718E3D ZwSetSecurityObject SSDT BA718DE8 ZwSetValueKey SSDT BA718E42 ZwSystemDebugControl SSDT BA718DCF ZwTerminateProcess ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2758 80501F68 4 Bytes [E8, 8D, 71, BA] .text C:\WINNT\system32\DRIVERS\nv4_mini.sys section is writeable [0xB8E99360, 0x24526E, 0xE8000020] ---- User IAT/EAT - GMER 1.0.15 ---- IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtCreateFile] [018F2F20] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [018F2C90] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtClose] [018F2CF0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [018F2CC0] C:\WINNT\TEMP\logishrd\LVPrcInj01.dll (Camera Helper Library./Logitech Inc.) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\ADVAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\RPCRT4.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\Secur32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\GDI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\USER32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\msvcrt.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\ole32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\SHLWAPI.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\CRYPT32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\NETAPI32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\WININET.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\SHELL32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\USERENV.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\ws2_32.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\WS2HELP.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) IAT C:\WINNT\Explorer.EXE[1328] @ C:\WINNT\system32\iphlpapi.dll [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINNT\system32\ShimEng.dll (Shim Engine DLL/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF3 0xC3 0x0B 0x6D ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF3 0xC3 0x0B 0x6D ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0xF3 0xC3 0x0B 0x6D ... ---- Files - GMER 1.0.15 ---- File C:\WINNT\$NtUninstallKB50032$\1927040595 0 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\@ 2048 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\L 0 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\L\eavokvcy 138496 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\loader.tlb 2632 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U 0 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@00000001 45968 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@000000c0 2560 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@000000cb 704 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@000000cf 1536 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@80000000 73728 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@800000c0 43008 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@800000cb 25600 bytes File C:\WINNT\$NtUninstallKB50032$\1927040595\U\@800000cf 31232 bytes File C:\WINNT\$NtUninstallKB50032$\3677352482 0 bytes ---- EOF - GMER 1.0.15 ----