GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-04 14:01:16
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\0000006a ST380817AS rev.3.42
Running: vswrn4dh.exe; Driver: C:\DOCUME~1\Admin\USTAWI~1\Temp\ufrdqpog.sys


---- System - GMER 1.0.15 ----

SSDT 8201E5B8 ZwAlertResumeThread
SSDT 822D7F48 ZwAlertThread
SSDT 822DEC60 ZwAllocateVirtualMemory
SSDT 822DBB68 ZwAssignProcessToJobObject
SSDT 8231C8B0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xEBA33980]
SSDT 820502C0 ZwCreateMutant
SSDT 822DAC40 ZwCreateSymbolicLinkObject
SSDT 822D9BD8 ZwCreateThread
SSDT 822DB550 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xEBA33C00]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xEBA33F10]
SSDT 822CAF80 ZwDuplicateObject
SSDT 822DF188 ZwFreeVirtualMemory
SSDT 82050390 ZwImpersonateAnonymousToken
SSDT 8201E4F8 ZwImpersonateThread
SSDT 8222D080 ZwLoadDriver
SSDT 822DE6F0 ZwMapViewOfSection
SSDT 8204F3E0 ZwOpenEvent
SSDT 822E8B48 ZwOpenProcess
SSDT 822CAEC0 ZwOpenProcessToken
SSDT 822BDF28 ZwOpenSection
SSDT 822C3F18 ZwOpenThread
SSDT 822DAD30 ZwProtectVirtualMemory
SSDT 822DC608 ZwResumeThread
SSDT 822DD7A0 ZwSetContextThread
SSDT 822DDC38 ZwSetInformationProcess
SSDT 822DB630 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xEBA34160]
SSDT 8204F300 ZwSuspendProcess
SSDT 822DC6E8 ZwSuspendThread
SSDT 822E9458 ZwTerminateProcess
SSDT 822DD6C0 ZwTerminateThread
SSDT 822DE630 ZwUnmapViewOfSection
SSDT 822DF258 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

? SYMDS.SYS Nie można odnaleźć określonego pliku. !
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xEC099360, 0x372FAD, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtCreateFile + 6 7C90D0B4 4 Bytes [28, 00, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtCreateFile + B 7C90D0B9 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtMapViewOfSection + 6 7C90D524 1 Byte [28]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtMapViewOfSection + 6 7C90D524 4 Bytes [28, 03, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtMapViewOfSection + B 7C90D529 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenFile + 6 7C90D5A4 4 Bytes [68, 00, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenFile + B 7C90D5A9 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenProcess + 6 7C90D604 4 Bytes [A8, 01, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenProcess + B 7C90D609 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenProcessToken + 6 7C90D614 4 Bytes CALL 7B90EC1A
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenProcessToken + B 7C90D619 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D624 4 Bytes [A8, 02, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenProcessTokenEx + B 7C90D629 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenThread + 6 7C90D664 4 Bytes [68, 01, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenThread + B 7C90D669 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenThreadToken + 6 7C90D674 4 Bytes [68, 02, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenThreadToken + B 7C90D679 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D684 4 Bytes CALL 7B90EC8B
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtOpenThreadTokenEx + B 7C90D689 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtQueryAttributesFile + 6 7C90D714 4 Bytes [A8, 00, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtQueryAttributesFile + B 7C90D719 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D7B4 4 Bytes CALL 7B90EDB9
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtQueryFullAttributesFile + B 7C90D7B9 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtSetInformationFile + 6 7C90DC64 4 Bytes [28, 01, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtSetInformationFile + B 7C90DC69 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtSetInformationThread + 6 7C90DCB4 4 Bytes [28, 02, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtSetInformationThread + B 7C90DCB9 1 Byte [E2]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 1 Byte [68]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtUnmapViewOfSection + 6 7C90DF14 4 Bytes [68, 03, 16, 00]
.text C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] ntdll.dll!NtUnmapViewOfSection + B 7C90DF19 1 Byte [E2]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[1368] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002D0010
IAT C:\Documents and Settings\Admin\Ustawienia lokalne\Dane aplikacji\Google\Chrome\Application\chrome.exe[4068] @ C:\WINDOWS\system32\RPCRT4.dll [KERNEL32.dll!CreateNamedPipeW] 002D0010

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD2 0x5E 0x5B 0x50 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xD2 0x5E 0x5B 0x50 ...

---- EOF - GMER 1.0.15 ----