GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-07-31 08:53:22
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HD161HJ rev.GF100-07
Running: gmer.exe; Driver: C:\DOCUME~1\KG\USTAWI~1\Temp\pxldrpow.sys

---- System - GMER 1.0.15 ----

SSDT 862DC490 ZwAlertResumeThread
SSDT 862D8720 ZwAlertThread
SSDT 863D0C58 ZwAllocateVirtualMemory
SSDT 862F2408 ZwAssignProcessToJobObject
SSDT 862FAB58 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xF3565D40]
SSDT 85184138 ZwCreateMutant
SSDT 851812B8 ZwCreateSymbolicLinkObject
SSDT 86284408 ZwCreateThread
SSDT 862ED6C8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xF3565FC0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xF3566680]
SSDT 863BA1A8 ZwDuplicateObject
SSDT 859B6220 ZwFreeVirtualMemory
SSDT 862E5B48 ZwImpersonateAnonymousToken
SSDT 862DD690 ZwImpersonateThread
SSDT 862DC190 ZwLoadDriver
SSDT 8629A620 ZwMapViewOfSection
SSDT 862E70D0 ZwOpenEvent
SSDT 863FA118 ZwOpenProcess
SSDT 8628E3F8 ZwOpenProcessToken
SSDT 862E7B30 ZwOpenSection
SSDT 863FA088 ZwOpenThread
SSDT 85181348 ZwProtectVirtualMemory
SSDT 862D0EF0 ZwResumeThread
SSDT 8628E738 ZwSetContextThread
SSDT 85220110 ZwSetInformationProcess
SSDT 862ECDC0 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xF3566910]
SSDT 862E7918 ZwSuspendProcess
SSDT 862CE638 ZwSuspendThread
SSDT 8628E0E8 ZwTerminateProcess
SSDT 862CDC50 ZwTerminateThread
SSDT 8628E590 ZwUnmapViewOfSection
SSDT 862F7538 ZwWriteVirtualMemory

INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) BA79316D
INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys (HASP Kernel Device Driver for Windows NT/Aladdin Knowledge Systems) BA792FC2

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FE0 80504898 8 Bytes CALL D0D6717D
? SYMDS.SYS Nie można odnaleźć określonego pliku. !
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF639D380, 0x346307, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[1252] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 011BB52A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1252] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 0146B6F5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1252] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 0146B6D2 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1252] kernel32.dll!MoveFileExW 7C83568B 6 Bytes JMP 025512B1 C:\Program Files\Common Files\Spigot\Search Settings\wth.dll (WTH Dynamic Link Library/Spigot, Inc.)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1252] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 01342BD4 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[1252] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 0146B653 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)

---- Devices - GMER 1.0.15 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- Processes - GMER 1.0.15 ----

Library c:\windows\system32\n (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [3260] 0x45670000

---- Files - GMER 1.0.15 ----

File C:\Documents and Settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\Lue\Downloads\Partial\1343352797jtun_ncodatfull25.x03 131818 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\Lue\Downloads\Partial\1343571572jtun_asfullpatch.7z 746 bytes
File C:\Documents and Settings\All Users\Dane aplikacji\Norton\{0C55C096-0F1D-4F28-AAA2-85EF591126E7}\NIS_19.7.1.5\Lue\Downloads\Partial\1343650596jtun_iron2012_120727003.irn 748 bytes

---- EOF - GMER 1.0.15 ----