GMER 2.1.18952 - http://www.gmer.net
Rootkit scan 2013-03-01 13:54:41
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_SP0812N rev.TK100-30 74,56GB
Running: zejd9idq.exe; Driver: C:\DOCUME~1\NAUCZY~1\USTAWI~1\Temp\uxliapod.sys

---- System - GMER 2.1 ----

SSDT 867DBE50 ZwAlertResumeThread
SSDT 867DBF10 ZwAlertThread
SSDT 8679B188 ZwAllocateVirtualMemory
SSDT 86814C08 ZwAssignProcessToJobObject
SSDT 86853958 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAA0BFED0]
SSDT 867DBBA0 ZwCreateMutant
SSDT 86814A28 ZwCreateSymbolicLinkObject
SSDT 8679C258 ZwCreateThread
SSDT 86814CE8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAA0C0150]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA0C0810]
SSDT 8679B2E0 ZwDuplicateObject
SSDT 866ADF38 ZwFreeVirtualMemory
SSDT 867DBC90 ZwImpersonateAnonymousToken
SSDT 867DBD70 ZwImpersonateThread
SSDT 86DCC950 ZwLoadDriver
SSDT 866ADE58 ZwMapViewOfSection
SSDT 867DBAC0 ZwOpenEvent
SSDT 8679B480 ZwOpenProcess
SSDT 867BF250 ZwOpenProcessToken
SSDT 86814F10 ZwOpenSection
SSDT 8679B3B0 ZwOpenThread
SSDT 86814B18 ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwRenameKey [0xAA0C0D80]
SSDT 867DBFD0 ZwResumeThread
SSDT 866ADC08 ZwSetContextThread
SSDT 866ADCC8 ZwSetInformationProcess
SSDT 86814DC8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA0C0AA0]
SSDT 86814FD0 ZwSuspendProcess
SSDT 866ADA88 ZwSuspendThread
SSDT 867D8660 ZwTerminateProcess
SSDT 866ADB48 ZwTerminateThread
SSDT 866ADD98 ZwUnmapViewOfSection
SSDT 8679B070 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CC0 805045B8 4 Bytes [E8, 4C, 81, 86]
? SYMDS.SYS Nie można odnaleźć określonego pliku. !
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1716] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00380048
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1716] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0036004C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1716] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 0038020E
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1716] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 0038012A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1716] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00380682
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1716] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 0038059E
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1716] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003803D6
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1716] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003802F2
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1716] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1716] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003804BA
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1716] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00380766
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamscheduler.exe[1716] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0038084A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1824] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00390048
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1824] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0037004C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1824] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 0039020E
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1824] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 0039012A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1824] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00390682
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1824] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 0039059E
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1824] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003903D6
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1824] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003902F2
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1824] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [56, 88, EB, F9] {PUSH ESI; MOV BL, CH; STC }
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1824] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003904BA
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1824] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00390766
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamservice.exe[1824] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0039084A
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1864] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003D0048
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1864] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003B004C
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1864] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003D020E
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1864] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003D012A
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1864] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003D0682
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1864] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003D059E
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1864] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003D03D6
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1864] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003D02F2
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1864] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5A, 88, EB, F9] {POP EDX; MOV BL, CH; STC }
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1864] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003D04BA
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1864] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003D0766
.text C:\Program Files\Common Files\Microsoft Shared\VS7Debug\mdm.exe[1864] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003D084A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1872] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 00380048
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1872] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 0036004C
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1872] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 0038020E
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1872] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 0038012A
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1872] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 00380682
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1872] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 0038059E
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1872] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003803D6
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1872] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003802F2
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1872] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [55, 88, EB, F9] {PUSH EBP; MOV BL, CH; STC }
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1872] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003804BA
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1872] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 00380766
.text C:\Program Files\Malwarebytes' Anti-Malware\mbamgui.exe[1872] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0038084A
.text C:\Documents and Settings\Nauczyciele\Pulpit\111\zejd9idq.exe[3680] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003E0048
.text C:\Documents and Settings\Nauczyciele\Pulpit\111\zejd9idq.exe[3680] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C004C
.text C:\Documents and Settings\Nauczyciele\Pulpit\111\zejd9idq.exe[3680] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003E020E
.text C:\Documents and Settings\Nauczyciele\Pulpit\111\zejd9idq.exe[3680] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003E012A
.text C:\Documents and Settings\Nauczyciele\Pulpit\111\zejd9idq.exe[3680] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003E0682
.text C:\Documents and Settings\Nauczyciele\Pulpit\111\zejd9idq.exe[3680] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003E059E
.text C:\Documents and Settings\Nauczyciele\Pulpit\111\zejd9idq.exe[3680] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003E03D6
.text C:\Documents and Settings\Nauczyciele\Pulpit\111\zejd9idq.exe[3680] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003E02F2
.text C:\Documents and Settings\Nauczyciele\Pulpit\111\zejd9idq.exe[3680] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5B, 88, EB, F9] {POP EBX; MOV BL, CH; STC }
.text C:\Documents and Settings\Nauczyciele\Pulpit\111\zejd9idq.exe[3680] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003E04BA
.text C:\Documents and Settings\Nauczyciele\Pulpit\111\zejd9idq.exe[3680] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003E0766
.text C:\Documents and Settings\Nauczyciele\Pulpit\111\zejd9idq.exe[3680] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003E084A

---- Devices - GMER 2.1 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Fastfat.SYS (Fast FAT File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)
AttachedDevice fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 2.1 ----