GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-13 11:04:05
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-3 ST3160815A rev.3.AAD
Running: k2r258po.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\kwpoapow.sys

---- System - GMER 1.0.15 ----

SSDT 8A4CC1C0 ZwAlertResumeThread
SSDT 8A49B4D8 ZwAlertThread
SSDT 8A51A358 ZwAllocateVirtualMemory
SSDT 89DF3648 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xB48F6020]
SSDT 8A63BA98 ZwCreateMutant
SSDT 8A493F18 ZwCreateThread
SSDT 8A54AD18 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xB48F62A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xB48F6800]
SSDT 8A514CE8 ZwFreeVirtualMemory
SSDT 8A501B78 ZwImpersonateAnonymousToken
SSDT 8A50E0D8 ZwImpersonateThread
SSDT 8A494538 ZwMapViewOfSection
SSDT 8A4CEAD8 ZwOpenEvent
SSDT 8A55A590 ZwOpenProcessToken
SSDT 8A4F1CA0 ZwOpenSection
SSDT 8A5B0C50 ZwOpenThreadToken
SSDT 89DB1D38 ZwResumeThread
SSDT 8A5158B8 ZwSetContextThread
SSDT 8A516BE8 ZwSetInformationProcess
SSDT 8A4CAA98 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xB48F6A50]
SSDT 8A4E58D0 ZwSuspendProcess
SSDT 8A491948 ZwSuspendThread
SSDT 8A5DBFD0 ZwTerminateProcess
SSDT 8A49B688 ZwTerminateThread
SSDT 8A5157E0 ZwUnmapViewOfSection
SSDT 8A675930 ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C80 80503880 4 Bytes CALL D8DA89D1
.text ntkrnlpa.exe!ZwCallbackReturn + 2CFC 805038FC 4 Bytes JMP 516C8A4C
.text ntkrnlpa.exe!ZwCallbackReturn + 2EC4 80503AC4 8 Bytes CALL 18DA8C34
.text ntkrnlpa.exe!ZwCallbackReturn + 2F38 80503B38 2 Bytes [D0, BF]
.text ntkrnlpa.exe!ZwCallbackReturn + 2F3B 80503B3B 5 Bytes [8A, 88, B6, 49, 8A]
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB71CC380, 0x566465, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device Ntfs.sys (NT File System Driver/Microsoft Corporation)
Device Udfs.SYS (UDF File System Driver/Microsoft Corporation)
AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x13 0x58 0xF9 0x9E ...
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@h0 0
Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@khjeh 0x13 0x58 0xF9 0x9E ...

---- EOF - GMER 1.0.15 ----