GMER 1.0.15.15530 - http://www.gmer.net
Rootkit scan 2010-11-15 17:31:52
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e ST9120822AS rev.3.ALC
Running: xj3ngv19.exe; Driver: C:\DOCUME~1\Dom\USTAWI~1\Temp\pwnyifoc.sys

---- System - GMER 1.0.15 ----

SSDT  83A686D0  ZwAlertResumeThread
SSDT  83A696D0  ZwAlertThread
SSDT  837C3700  ZwAllocateVirtualMemory
SSDT  83A606D0  ZwAssignProcessToJobObject
SSDT  84885B80  ZwConnectPort
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwCreateKey [0xF2CBC210]
SSDT  832F8E00  ZwCreateMutant
SSDT  8366BB68  ZwCreateSymbolicLinkObject
SSDT  83698658  ZwCreateThread
SSDT  83A616D0  ZwDebugActiveProcess
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwDeleteKey [0xF2CBC490]
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwDeleteValueKey [0xF2CBC9F0]
SSDT  837CD700  ZwDuplicateObject
SSDT  8498E3E8  ZwFreeVirtualMemory
SSDT  83A666D0  ZwImpersonateAnonymousToken
SSDT  83A676D0  ZwImpersonateThread
SSDT  83F2B6D0  ZwLoadDriver
SSDT  846BC720  ZwMapViewOfSection
SSDT  83A656D0  ZwOpenEvent
SSDT  837D9700  ZwOpenProcess
SSDT  84A3A4F8  ZwOpenProcessToken
SSDT  83A636D0  ZwOpenSection
SSDT  837D3700  ZwOpenThread
SSDT  84882E00  ZwProtectVirtualMemory
SSDT  83A6A6D0  ZwResumeThread
SSDT  84992938  ZwSetContextThread
SSDT  848FA190  ZwSetInformationProcess
SSDT  83A626D0  ZwSetSystemInformation
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation)  ZwSetValueKey [0xF2CBCC40]
SSDT  83A646D0  ZwSuspendProcess
SSDT  83A6B6D0  ZwSuspendThread
SSDT  84884A40  ZwTerminateProcess
SSDT  8488BCB8  ZwTerminateThread
SSDT  84AAE910  ZwUnmapViewOfSection
SSDT  847C2BA0  ZwWriteVirtualMemory

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 3010  805048AC 4 Bytes  JMP 3286CD5B
?      SYMDS.SYS   Nie można odnaleźć określonego pliku. !
?      SYMEFA.SYS  Nie można odnaleźć określonego pliku. !
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xF6897360, 0x305987, 0xE8000020]

---- Devices - GMER 1.0.15 ----

Device          Ntfs.sys (NT File System Driver/Microsoft Corporation)
AttachedDevice  \Driver\Tcpip \Device\Ip  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  SynTP.sys (Synaptics Touchpad Driver/Synaptics, Inc.)
AttachedDevice  \Driver\Tcpip \Device\Tcp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\Udp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice  \Driver\Tcpip \Device\RawIp  SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
Device          mrxsmb.sys (Windows NT SMB Minirdr/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----