GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-04-20 10:43:15
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 Hitachi_ rev.SB2O
Running: 8lzg4r6w.exe; Driver: C:\DOCUME~1\user\USTAWI~1\Temp\kwkdapob.sys

---- System - GMER 1.0.15 ----

SSDT 85A928C0 ZwAlertResumeThread
SSDT 85A929A0 ZwAlertThread
SSDT 861724E8 ZwAllocateVirtualMemory
SSDT 85AA3BD8 ZwAssignProcessToJobObject
SSDT 85E075E8 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xA6FFE710]
SSDT 861547E0 ZwCreateMutant
SSDT 85A10938 ZwCreateSymbolicLinkObject
SSDT 85AA4718 ZwCreateThread
SSDT 859E0938 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xA6FFE990]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xA6FFEEF0]
SSDT 85A6C4E8 ZwDuplicateObject
SSDT 85A194E8 ZwFreeVirtualMemory
SSDT 85A278F8 ZwImpersonateAnonymousToken
SSDT 85A279D8 ZwImpersonateThread
SSDT 85E121E0 ZwLoadDriver
SSDT 85ACE598 ZwMapViewOfSection
SSDT 86154720 ZwOpenEvent
SSDT 859EA6F0 ZwOpenProcess
SSDT 8603A4F8 ZwOpenProcessToken
SSDT 85A3AAF8 ZwOpenSection
SSDT 859DD4E8 ZwOpenThread
SSDT 85AA3AE8 ZwProtectVirtualMemory
SSDT 85A92A80 ZwResumeThread
SSDT 85F97E80 ZwSetContextThread
SSDT 85F97F60 ZwSetInformationProcess
SSDT 859E09F8 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xA6FFF140]
SSDT 85A3ABD8 ZwSuspendProcess
SSDT 85A1A868 ZwSuspendThread
SSDT 85A5F5D8 ZwTerminateProcess
SSDT 85A1A948 ZwTerminateThread
SSDT 85DAA998 ZwUnmapViewOfSection
SSDT 85A364E8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 23C8 80501C00 4 Bytes CALL C4D63329
.text ntkrnlpa.exe!ZwCallbackReturn + 2400 80501C38 4 Bytes [E8, 75, E0, 85]
.text ntkrnlpa.exe!ZwCallbackReturn + 2480 80501CB8 4 Bytes [90, E9, FF, A6]
.text ntkrnlpa.exe!ZwCallbackReturn + 2494 80501CCC 4 Bytes [E8, C4, A6, 85]
.text ntkrnlpa.exe!ZwCallbackReturn + 24D0 80501D08 4 Bytes [E8, 94, A1, 85]
.text ...
? SYMDS.SYS Nie można odnaleźć określonego pliku. !
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Printers\KONICA MINOLTA PagePro 1350W@ChangeID 2265125

---- EOF - GMER 1.0.15 ----