GMER 1.0.15.15477 - http://www.gmer.net
Rootkit scan 2010-11-01 11:00:44
Windows 5.1.2600 Dodatek Service Pack 3
Running: 4oz5d66r.exe; Driver: C:\DOCUME~1\Xebritas\USTAWI~1\Temp\ugnyraog.sys

---- System - GMER 1.0.15 ----

SSDT 8ACC4D40 ZwAlertResumeThread
SSDT 8ACC5228 ZwAlertThread
SSDT 8AFD32D8 ZwAllocateVirtualMemory
SSDT 8AD05890 ZwAssignProcessToJobObject
SSDT 8AC48280 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0x9F0E7130]
SSDT 8A8AB3F0 ZwCreateMutant
SSDT 8AE1C350 ZwCreateSymbolicLinkObject
SSDT 8ACC1C90 ZwCreateThread
SSDT 8ADC0448 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0x9F0E73B0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0x9F0E7910]
SSDT 8AFBF6E0 ZwDuplicateObject
SSDT 8A4B7DB0 ZwFreeVirtualMemory
SSDT 8ACFFE98 ZwImpersonateAnonymousToken
SSDT 8ACDA4A8 ZwImpersonateThread
SSDT 8A9E89B0 ZwLoadDriver
SSDT 8ACC2E78 ZwMapViewOfSection
SSDT 8ACFEAC8 ZwOpenEvent
SSDT 8A951C68 ZwOpenProcess
SSDT 8ABCD698 ZwOpenProcessToken
SSDT 8AA680E8 ZwOpenSection
SSDT 8AE03B08 ZwOpenThread
SSDT 8A8F4068 ZwProtectVirtualMemory
SSDT 8AA0E958 ZwResumeThread
SSDT 8ACAF478 ZwSetContextThread
SSDT 8AFD73E8 ZwSetInformationProcess
SSDT 8AD08FD0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0x9F0E7B60]
SSDT 8ACF1C08 ZwSuspendProcess
SSDT 8AB25988 ZwSuspendThread
SSDT 8AB74A70 ZwTerminateProcess
SSDT 8ACA2C88 ZwTerminateThread
SSDT 8A9BD210 ZwUnmapViewOfSection
SSDT 8ADF54A8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2DAC 80504648 4 Bytes JMP 6A568ACF
.text ntkrnlpa.exe!ZwCallbackReturn + 2DD8 80504674 4 Bytes CALL AEDAECF9
.text ntkrnlpa.exe!ZwCallbackReturn + 2F1C 805047B8 4 Bytes JMP D2F4D25D
.text ntkrnlpa.exe!ZwCallbackReturn + 2F74 80504810 4 Bytes CALL 48DB4588
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB58F23A0, 0x59FFE5, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\Explorer.EXE[252] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00BE000A
.text C:\WINDOWS\Explorer.EXE[252] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00C8000A
.text C:\WINDOWS\Explorer.EXE[252] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00BD000C
.text C:\WINDOWS\System32\svchost.exe[1540] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\System32\svchost.exe[1540] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\System32\svchost.exe[1540] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C
.text C:\WINDOWS\System32\svchost.exe[1540] ole32.dll!CoCreateInstance 774EF1AC 5 Bytes JMP 00FE000A
.text C:\WINDOWS\system32\wuauclt.exe[2312] ntdll.dll!NtProtectVirtualMemory 7C90D6EE 5 Bytes JMP 00A1000A
.text C:\WINDOWS\system32\wuauclt.exe[2312] ntdll.dll!NtWriteVirtualMemory 7C90DFAE 5 Bytes JMP 00A2000A
.text C:\WINDOWS\system32\wuauclt.exe[2312] ntdll.dll!KiUserExceptionDispatcher 7C90E47C 5 Bytes JMP 00A0000C

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\Documents and Settings\Xebritas\Moje dokumenty\Downloads\Programs\4oz5d66r.exe[728] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00802F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Xebritas\Moje dokumenty\Downloads\Programs\4oz5d66r.exe[728] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00802CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Xebritas\Moje dokumenty\Downloads\Programs\4oz5d66r.exe[728] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00802D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Documents and Settings\Xebritas\Moje dokumenty\Downloads\Programs\4oz5d66r.exe[728] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00802CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\AIMP2\AIMP2.exe[2580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00E72F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\AIMP2\AIMP2.exe[2580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00E72CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\AIMP2\AIMP2.exe[2580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00E72D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\AIMP2\AIMP2.exe[2580] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00E72CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Last.fm\LastFM.exe[2668] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00D62F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Last.fm\LastFM.exe[2668] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00D62CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Last.fm\LastFM.exe[2668] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00D62D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\Last.fm\LastFM.exe[2668] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00D62CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\TrueCrypt\TrueCrypt.exe[3736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtCreateFile] [00BD2F30] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\TrueCrypt\TrueCrypt.exe[3736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDeviceIoControlFile] [00BD2CA0] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\TrueCrypt\TrueCrypt.exe[3736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtClose] [00BD2D00] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)
IAT C:\Program Files\TrueCrypt\TrueCrypt.exe[3736] @ C:\WINDOWS\system32\kernel32.dll [ntdll.dll!NtDuplicateObject] [00BD2CD0] C:\WINDOWS\TEMP\logishrd\LVPrcInj02.dll (Camera Helper Library./Logitech Inc.)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort0 8AEFDAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort1 8AEFDAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort2 8AEFDAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort3 8AEFDAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort4 8AEFDAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdePort5 8AEFDAEA
Device \Driver\atapi -> DriverStartIo \Device\Ide\IdeDeviceP3T1L0-12 8AEFDAEA
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
Device \Device\Ide\IdeDeviceP3T0L0-a -> \??\IDE#DiskWDC_WD3200AAKS-00L9A0___________________01.03E01#5&5c6cfd6&0&0.0.0#{53f56307-b6bf-11d0-94f2-00a0c91efb8b} device not found

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5D 0xF8 0xBC 0xDB ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x7E 0xE7 0x47 0xBA ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDD 0xFB 0x79 0x3D ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x0D 0xE8 0x30 0xE9 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x5D 0xF8 0xBC 0xDB ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x7E 0xE7 0x47 0xBA ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xDD 0xFB 0x79 0x3D ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq1@hdf12 0x0D 0xE8 0x30 0xE9 ...

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\Xebritas\Ustawienia lokalne\Dane aplikacji\Last.fm\Client\Xebritas_submissions.xml 699 bytes
File C:\Documents and Settings\Xebritas\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\vsw57i6c.default\urlclassifier3.sqlite-journal 0 bytes

---- EOF - GMER 1.0.15 ----