GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-18 21:08:34
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.0000 37,26GB
Running: liexismm.exe; Driver: C:\DOCUME~1\SAWOMI~1\USTAWI~1\Temp\awdyrpow.sys


---- System - GMER 2.0 ----

SSDT   825AE6A8   ZwAlertResumeThread
SSDT   825AE768   ZwAlertThread
SSDT   81E9EEE8   ZwAllocateVirtualMemory
SSDT   82579840   ZwConnectPort
SSDT   825A4E20   ZwCreateMutant
SSDT   825897C8   ZwCreateThread
SSDT   \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)   ZwDeleteValueKey [0xAA75A350]
SSDT   81F68588   ZwFreeVirtualMemory
SSDT   81F64A00   ZwImpersonateAnonymousToken
SSDT   81F64AC0   ZwImpersonateThread
SSDT   825A9F18   ZwMapViewOfSection
SSDT   825A4D60   ZwOpenEvent
SSDT   81F67588   ZwOpenProcessToken
SSDT   81E88410   ZwOpenThreadToken
SSDT   825A4C90   ZwQueryValueKey
SSDT   82599BE8   ZwResumeThread
SSDT   81E88350   ZwSetContextThread
SSDT   81F638C8   ZwSetInformationProcess
SSDT   81E88290   ZwSetInformationThread
SSDT   \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)   ZwSetValueKey [0xAA75A580]
SSDT   825C0808   ZwSuspendProcess
SSDT   81F95B20   ZwSuspendThread
SSDT   8257E700   ZwTerminateProcess
SSDT   81F95BE0   ZwTerminateThread
SSDT   81F63988   ZwUnmapViewOfSection
SSDT   81E9EE58   ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.0 ----

.text   ntkrnlpa.exe!ZwCallbackReturn + 23C0   80501C10 4 Bytes  [E8, EE, E9, 81]
.text   ntkrnlpa.exe!ZwCallbackReturn + 252C   80501D7C 2 Bytes  [18, 9F]
.text   ntkrnlpa.exe!ZwCallbackReturn + 26B4   80501F04 4 Bytes  CALL E2D278A4
.text   ntkrnlpa.exe!ZwCallbackReturn + 2770   80501FC0 2 Bytes  [08, 08] {OR [EAX], CL}
.text   ntkrnlpa.exe!ZwCallbackReturn + 2773   80501FC3 5 Bytes  [82, 20, 5B, F9, 81]
init    C:\WINDOWS\system32\drivers\tifm21.sys   entry point in "init" section [0xF6137ABF]

---- User code sections - GMER 2.0 ----

.text   C:\Program Files\Internet Explorer\iexplore.exe[3428] USER32.dll!DialogBoxParamW   7E3747AB 5 Bytes  JMP 4059F4C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[3428] USER32.dll!DialogBoxIndirectParamW   7E382072 5 Bytes  JMP 40714846 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[3428] USER32.dll!MessageBoxIndirectA   7E38A082 5 Bytes  JMP 407147C7 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[3428] USER32.dll!DialogBoxParamA   7E38B144 5 Bytes  JMP 4071480B C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[3428] USER32.dll!MessageBoxExW   7E3A0838 5 Bytes  JMP 40714753 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[3428] USER32.dll!MessageBoxExA   7E3A085C 5 Bytes  JMP 4071478D C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[3428] USER32.dll!DialogBoxIndirectParamA   7E3A6D7D 1 Byte  [E9]
.text   C:\Program Files\Internet Explorer\iexplore.exe[3428] USER32.dll!DialogBoxIndirectParamA   7E3A6D7D 5 Bytes  JMP 40714881 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[3428] USER32.dll!MessageBoxIndirectW   7E3B64D5 5 Bytes  JMP 405C177A C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text   C:\Program Files\Internet Explorer\iexplore.exe[3428] ole32.dll!OleLoadFromStream   7751983B 5 Bytes  JMP 40714A43 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- EOF - GMER 2.0 ----
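A log like the one above is read by sorting every hook into "GMER named the owning module" versus "GMER printed only a raw handler address". Hooks attributed to a named module (here SYMEVENT.SYS in the SSDT, IEFRAME.dll inside iexplore.exe) are explained by that module; the unattributed SSDT entries and the one-byte [E9] patch are the lines that need a second source (a kernel debugger dump of the handler address, or the vendor's documentation of its hooking), because a handler living in unattributed pool memory is how a kernel rootkit usually shows up, but it is also how some security products hook, and this machine has one installed. The triage script below is an added example, not part of GMER or of the original post; its SAMPLE_LOG is constructed from a few entries in the shape GMER 2.0 prints them, and the section names, regexes and report layout are the example's own assumptions about that format.

```python
"""Triage a GMER 2.0 rootkit-scan log: bucket SSDT and user-mode hooks by the
module GMER attributed them to, and list the ones it could not attribute.

Added example for this page, not GMER's own code. SAMPLE_LOG is constructed
from a handful of entries in the shape GMER prints them."""
import re
from collections import defaultdict

SAMPLE_LOG = r"""GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-18 21:08:34

---- System - GMER 2.0 ----

SSDT 825AE6A8 ZwAlertResumeThread
SSDT 81E9EEE8 ZwAllocateVirtualMemory
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA75A350]
SSDT \??\C:\Program Files\Symantec\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA75A580]
SSDT 81E9EE58 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.0 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23C0 80501C10 4 Bytes [E8, EE, E9, 81]
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF6137ABF]

---- User code sections - GMER 2.0 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[3428] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 4059F4C9 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[3428] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 1 Byte [E9]
.text C:\Program Files\Internet Explorer\iexplore.exe[3428] ole32.dll!OleLoadFromStream 7751983B 5 Bytes JMP 40714A43 C:\WINDOWS\system32\IEFRAME.dll (Internet Explorer/Microsoft Corporation)

---- EOF - GMER 2.0 ----
"""

# Section banners, e.g. "---- System - GMER 2.0 ----" (assumed stable across GMER 2.0 logs).
SECTION_RE = re.compile(r'^---- (.+?) - GMER 2\.0 ----$')
# "SSDT <raw address | module path (description)> Zw* [0xhandler]"
SSDT_RE = re.compile(r'^SSDT\s+(?P<owner>.+?)\s+(?P<func>Zw\w+)(?:\s+\[(?P<handler>0x[0-9A-Fa-f]+)\])?\s*$')
# ".text <image>[pid] dll!api <addr> <n> Byte(s) <patch> [<module path> (<description>)]"
USER_RE = re.compile(
    r'^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+(?P<dll>[\w.]+)!(?P<api>\w+)\s+'
    r'(?P<addr>[0-9A-Fa-f]{8})\s+(?P<size>\d+) Bytes?\s+(?P<patch>.*?)'
    r'(?:\s+(?P<module>[A-Za-z]:\\[^(]+?)\s+\((?P<desc>[^)]+)\))?\s*$')
# Module owner as GMER prints it in the SSDT section, with the optional \??\ prefix.
MODULE_RE = re.compile(r'^(?:\\\?\?\\)?(?P<path>[A-Za-z]:\\.+?\.(?:sys|dll|exe))\s+\((?P<desc>[^)]+)\)$', re.I)


def classify_owner(owner):
    """(module_path, description), or (None, None) when GMER printed only a raw 32-bit address."""
    if re.fullmatch(r'[0-9A-Fa-f]{8}', owner):
        return None, None
    m = MODULE_RE.match(owner)
    return (m.group('path'), m.group('desc')) if m else (owner, None)


def triage(log_text):
    """Walk the log section by section and bucket each finding."""
    report = {
        'ssdt_by_module': defaultdict(list),  # module path -> [Zw* service names]
        'ssdt_unattributed': [],              # (Zw* name, raw handler address)
        'user_hooks': [],                     # one dict per hooked user-mode API
        'other': [],                          # kernel code patches etc., kept verbatim
    }
    section = None
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line:
            continue
        banner = SECTION_RE.match(line)
        if banner:
            section = banner.group(1)
            continue
        if section == 'System' and line.startswith('SSDT') and (m := SSDT_RE.match(line)):
            path, _desc = classify_owner(m.group('owner'))
            if path is None:
                report['ssdt_unattributed'].append((m.group('func'), m.group('owner')))
            else:
                report['ssdt_by_module'][path].append(m.group('func'))
        elif section == 'User code sections' and line.startswith('.text') and (m := USER_RE.match(line)):
            report['user_hooks'].append({
                'image': m.group('image'), 'pid': int(m.group('pid')),
                'api': f"{m.group('dll')}!{m.group('api')}", 'addr': m.group('addr'),
                'size': int(m.group('size')), 'patch': m.group('patch'),
                'module': m.group('module'), 'desc': m.group('desc'),
            })
        elif section not in (None, 'EOF'):
            report['other'].append(line)
    return report


def needs_review(report):
    """Hooks GMER could not tie to a module: start the investigation here.
    An unattributed handler may be a security product's pool-resident hook just as
    well as a rootkit's, so each one needs a second source before any verdict."""
    items = [('SSDT', func, addr) for func, addr in report['ssdt_unattributed']]
    items += [('user', h['api'], h['patch']) for h in report['user_hooks'] if h['module'] is None]
    return items


if __name__ == '__main__':
    r = triage(SAMPLE_LOG)
    for path, funcs in r['ssdt_by_module'].items():
        print(f"SSDT hooks owned by {path}: {', '.join(funcs)}")
    for kind, name, where in needs_review(r):
        print(f"REVIEW {kind:4} {name} -> {where}")
    print(f"{len(r['other'])} kernel code section line(s) left for manual reading")
```

Run it over a full log with `triage(open('gmer.log', encoding='utf-8').read())`; the "other" bucket keeps the kernel code section lines verbatim because their meaning (inline patches next to the service table in ntkrnlpa.exe, a driver whose entry point sits in its "init" section) depends on knowing what drivers are installed and is not something the parser can decide for you.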