GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-14 15:50:50
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2000JB-55GVA0 rev.08.02D08 186,31GB
Running: 7sli2cm3.exe; Driver: C:\DOCUME~1\raddor71\USTAWI~1\Temp\pxtdrpow.sys

---- System - GMER 2.1 ----

SSDT 82230160 ZwAlertResumeThread
SSDT 8223C9A0 ZwAlertThread
SSDT 820B2990 ZwAllocateVirtualMemory
SSDT 820D6CB0 ZwAssignProcessToJobObject
SSDT 82081A08 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey [0xEFAF6ED0]
SSDT 8208FBD0 ZwCreateMutant
SSDT 8208B8B8 ZwCreateSymbolicLinkObject
SSDT 822087A0 ZwCreateThread
SSDT 820D6E20 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey [0xEFAF7150]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey [0xEFAF7810]
SSDT 820BD5B8 ZwDuplicateObject
SSDT 8209D888 ZwFreeVirtualMemory
SSDT 821D5080 ZwImpersonateAnonymousToken
SSDT 82218FD0 ZwImpersonateThread
SSDT 8214C008 ZwLoadDriver
SSDT 821AEB00 ZwMapViewOfSection
SSDT 8219EE28 ZwOpenEvent
SSDT 8207D8B0 ZwOpenProcess
SSDT 8231B510 ZwOpenProcessToken
SSDT 82072140 ZwOpenSection
SSDT 820D38D8 ZwOpenThread
SSDT 8208C380 ZwProtectVirtualMemory
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwRenameKey [0xEFAF7D70]
SSDT 8223DC88 ZwResumeThread
SSDT 8226C770 ZwSetContextThread
SSDT 8209BB00 ZwSetInformationProcess
SSDT 820D6E80 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey [0xEFAF7A90]
SSDT 8219BDA8 ZwSuspendProcess
SSDT 8226E708 ZwSuspendThread
SSDT 82282C88 ZwTerminateProcess
SSDT 8226C848 ZwTerminateThread
SSDT 82268DF0 ZwUnmapViewOfSection
SSDT 820AE1B8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

? SYMDS.SYS Nie można odnaleźć określonego pliku. !
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 2.1 ----

.text C:\Documents and Settings\raddor71\Dane aplikacji\VOPackage\VOsrv.exe[204] ntdll.dll!NtMapViewOfSection 7C90D500 5 Bytes JMP 00570048
.text C:\Documents and Settings\raddor71\Dane aplikacji\VOPackage\VOsrv.exe[204] ntdll.dll!NtTerminateThread 7C90DE60 5 Bytes JMP 003D0050
.text C:\Documents and Settings\raddor71\Dane aplikacji\VOPackage\VOsrv.exe[204] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FD8 7 Bytes JMP 0057020E
.text C:\Documents and Settings\raddor71\Dane aplikacji\VOPackage\VOsrv.exe[204] ADVAPI32.dll!LogonUserExW + 455 77DE49D8 7 Bytes JMP 0057012A
.text C:\Documents and Settings\raddor71\Dane aplikacji\VOPackage\VOsrv.exe[204] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C31 7 Bytes JMP 00570682
.text C:\Documents and Settings\raddor71\Dane aplikacji\VOPackage\VOsrv.exe[204] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E3C 7 Bytes JMP 0057059E
.text C:\Documents and Settings\raddor71\Dane aplikacji\VOPackage\VOsrv.exe[204] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FD4 7 Bytes JMP 005703D6
.text C:\Documents and Settings\raddor71\Dane aplikacji\VOPackage\VOsrv.exe[204] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E271E4 7 Bytes JMP 005702F2
.text C:\Documents and Settings\raddor71\Dane aplikacji\VOPackage\VOsrv.exe[204] ADVAPI32.dll!CreateServiceA + 193 77E2737C 7 Bytes JMP 005704BA
.text C:\Documents and Settings\raddor71\Dane aplikacji\VOPackage\VOsrv.exe[204] ADVAPI32.dll!CreateServiceW + 103 77E27484 7 Bytes JMP 00570766
.text C:\Documents and Settings\raddor71\Dane aplikacji\VOPackage\VOsrv.exe[204] USER32.dll!CreateSystemThreads + 10A 7E3817F2 7 Bytes JMP 0057092C
.text C:\Documents and Settings\raddor71\Dane aplikacji\VOPackage\VOsrv.exe[204] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0057084A
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\fst_pl_128\upfst_pl_128.exe[476] ntdll.dll!NtMapViewOfSection 7C90D500 5 Bytes JMP 00850048
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\fst_pl_128\upfst_pl_128.exe[476] ntdll.dll!NtTerminateThread 7C90DE60 5 Bytes JMP 003E0050
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\fst_pl_128\upfst_pl_128.exe[476] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FD8 7 Bytes JMP 0085020E
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\fst_pl_128\upfst_pl_128.exe[476] ADVAPI32.dll!LogonUserExW + 455 77DE49D8 7 Bytes JMP 0085012A
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\fst_pl_128\upfst_pl_128.exe[476] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C31 7 Bytes JMP 00850682
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\fst_pl_128\upfst_pl_128.exe[476] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E3C 7 Bytes JMP 0085059E
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\fst_pl_128\upfst_pl_128.exe[476] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FD4 7 Bytes JMP 008503D6
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\fst_pl_128\upfst_pl_128.exe[476] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E271E4 7 Bytes JMP 008502F2
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\fst_pl_128\upfst_pl_128.exe[476] ADVAPI32.dll!CreateServiceA + 193 77E2737C 7 Bytes JMP 008504BA
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\fst_pl_128\upfst_pl_128.exe[476] ADVAPI32.dll!CreateServiceW + 103 77E27484 7 Bytes JMP 00850766
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\fst_pl_128\upfst_pl_128.exe[476] USER32.dll!CreateSystemThreads + 10A 7E3817F2 7 Bytes JMP 0085092C
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\fst_pl_128\upfst_pl_128.exe[476] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 0085084A
.text C:\Documents and Settings\All Users\Dane aplikacji\WindowsProtectManger\wprotectmanager.exe[1472] ntdll.dll!NtMapViewOfSection 7C90D500 5 Bytes JMP 005C0048
.text C:\Documents and Settings\All Users\Dane aplikacji\WindowsProtectManger\wprotectmanager.exe[1472] ntdll.dll!NtTerminateThread 7C90DE60 5 Bytes JMP 003E0050
.text C:\Documents and Settings\All Users\Dane aplikacji\WindowsProtectManger\wprotectmanager.exe[1472] USER32.dll!CreateSystemThreads + 10A 7E3817F2 7 Bytes JMP 005C092C
.text C:\Documents and Settings\All Users\Dane aplikacji\WindowsProtectManger\wprotectmanager.exe[1472] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 005C084A
.text C:\Documents and Settings\All Users\Dane aplikacji\WindowsProtectManger\wprotectmanager.exe[1472] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FD8 7 Bytes JMP 005C020E
.text C:\Documents and Settings\All Users\Dane aplikacji\WindowsProtectManger\wprotectmanager.exe[1472] ADVAPI32.dll!LogonUserExW + 455 77DE49D8 7 Bytes JMP 005C012A
.text C:\Documents and Settings\All Users\Dane aplikacji\WindowsProtectManger\wprotectmanager.exe[1472] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C31 7 Bytes JMP 005C0682
.text C:\Documents and Settings\All Users\Dane aplikacji\WindowsProtectManger\wprotectmanager.exe[1472] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E3C 7 Bytes JMP 005C059E
.text C:\Documents and Settings\All Users\Dane aplikacji\WindowsProtectManger\wprotectmanager.exe[1472] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FD4 7 Bytes JMP 005C03D6
.text C:\Documents and Settings\All Users\Dane aplikacji\WindowsProtectManger\wprotectmanager.exe[1472] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E271E4 7 Bytes JMP 005C02F2
.text C:\Documents and Settings\All Users\Dane aplikacji\WindowsProtectManger\wprotectmanager.exe[1472] ADVAPI32.dll!CreateServiceA + 193 77E2737C 7 Bytes JMP 005C04BA
.text C:\Documents and Settings\All Users\Dane aplikacji\WindowsProtectManger\wprotectmanager.exe[1472] ADVAPI32.dll!CreateServiceW + 103 77E27484 7 Bytes JMP 005C0766
.text C:\Documents and Settings\raddor71\Pulpit\logi\7sli2cm3.exe[1584] ntdll.dll!NtMapViewOfSection 7C90D500 5 Bytes JMP 005F0048
.text C:\Documents and Settings\raddor71\Pulpit\logi\7sli2cm3.exe[1584] ntdll.dll!NtTerminateThread 7C90DE60 5 Bytes JMP 003D0050
.text C:\Documents and Settings\raddor71\Pulpit\logi\7sli2cm3.exe[1584] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FD8 7 Bytes JMP 005F020E
.text C:\Documents and Settings\raddor71\Pulpit\logi\7sli2cm3.exe[1584] ADVAPI32.dll!LogonUserExW + 455 77DE49D8 7 Bytes JMP 005F012A
.text C:\Documents and Settings\raddor71\Pulpit\logi\7sli2cm3.exe[1584] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C31 7 Bytes JMP 005F0682
.text C:\Documents and Settings\raddor71\Pulpit\logi\7sli2cm3.exe[1584] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E3C 7 Bytes JMP 005F059E
.text C:\Documents and Settings\raddor71\Pulpit\logi\7sli2cm3.exe[1584] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FD4 7 Bytes JMP 005F03D6
.text C:\Documents and Settings\raddor71\Pulpit\logi\7sli2cm3.exe[1584] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E271E4 7 Bytes JMP 005F02F2
.text C:\Documents and Settings\raddor71\Pulpit\logi\7sli2cm3.exe[1584] ADVAPI32.dll!CreateServiceA + 193 77E2737C 7 Bytes JMP 005F04BA
.text C:\Documents and Settings\raddor71\Pulpit\logi\7sli2cm3.exe[1584] ADVAPI32.dll!CreateServiceW + 103 77E27484 7 Bytes JMP 005F0766
.text C:\Documents and Settings\raddor71\Pulpit\logi\7sli2cm3.exe[1584] USER32.dll!CreateSystemThreads + 10A 7E3817F2 7 Bytes JMP 005F092C
.text C:\Documents and Settings\raddor71\Pulpit\logi\7sli2cm3.exe[1584] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 005F084A
.text C:\Program Files\Microsoft Office\Office12\WINWORD.EXE[2432] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 32605629 C:\Program Files\Common Files\Microsoft Shared\office12\mso.dll
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[3604] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 014755E8 C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[3604] kernel32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 01FAE5F0 C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[3604] kernel32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 01FAE638 C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[3604] kernel32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 0148572C C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll
.text C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\GG\Application\ggapp.exe[3604] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 01FAE65F C:\Documents and Settings\raddor71\Ustawienia lokalne\Dane aplikacji\GG\Application\xulrunner\xul.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys

---- EOF - GMER 2.1 ----