GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-10 13:53:51
Windows 5.1.2600 Dodatek Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST916031 rev.0002 149,05GB
Running: 6urqxryv.exe; Driver: C:\DOCUME~1\dd\USTAWI~1\Temp\pxtdapob.sys

---- System - GMER 2.1 ----

SSDT 855ACA18 ZwAlertResumeThread
SSDT 855ACAB0 ZwAlertThread
SSDT 856A59A8 ZwAllocateVirtualMemory
SSDT 8591F6C8 ZwAssignProcessToJobObject
SSDT 864FA300 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey [0xA52B3ED0]
SSDT 85684A40 ZwCreateMutant
SSDT 855FF920 ZwCreateSymbolicLinkObject
SSDT 8593E2B8 ZwCreateThread
SSDT 8591F760 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey [0xA52B4150]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey [0xA52B4810]
SSDT 855F7170 ZwDuplicateObject
SSDT 855C1540 ZwFreeVirtualMemory
SSDT 85684AE8 ZwImpersonateAnonymousToken
SSDT 85684B80 ZwImpersonateThread
SSDT 85A3C258 ZwLoadDriver
SSDT 8593D790 ZwMapViewOfSection
SSDT 855B2568 ZwOpenEvent
SSDT 856253E0 ZwOpenProcess
SSDT 85944650 ZwOpenProcessToken
SSDT 855B2458 ZwOpenSection
SSDT 85679160 ZwOpenThread
SSDT 855FF9A8 ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwRenameKey [0xA52B4D70]
SSDT 855ACB48 ZwResumeThread
SSDT 855F27E0 ZwSetContextThread
SSDT 855F2878 ZwSetInformationProcess
SSDT 855B23E0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey [0xA52B4A90]
SSDT 855B24F0 ZwSuspendProcess
SSDT 855ACBC0 ZwSuspendThread
SSDT 85680368 ZwTerminateProcess
SSDT 855F2748 ZwTerminateThread
SSDT 855C1448 ZwUnmapViewOfSection
SSDT 856A58E0 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DEC 805046D4 4 Bytes [E8, 4A, 68, 85]
? SYMDS.SYS Nie można odnaleźć określonego pliku. !
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\drivers\oreans32.sys section is writeable [0xA85C3280, 0x7B1C, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 005F0048
.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C0050
.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 005F020E
.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 005F012A
.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 005F0682
.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 005F059E
.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 005F03D6
.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 005F02F2
.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [7C, 88, EB, F9] {JL 0xffffff8a; JMP 0xfffffffd}
.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 005F04BA
.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 005F0766
.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] USER32.dll!CreateSystemThreads + 10A 7E3817F2 7 Bytes JMP 005F092C
.text C:\Documents and Settings\dd\Moje dokumenty\Downloads\6urqxryv.exe[3932] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 005F084A

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Ip fssfltr_tdi.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 wdf01000.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 wdf01000.sys
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp fssfltr_tdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp fssfltr_tdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp fssfltr_tdi.sys
Device mrxsmb.sys
Device A32A9D20
AttachedDevice fltMgr.sys

---- EOF - GMER 2.1 ----