GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-07-26 13:27:13
Windows 5.1.2600 Service Pack 3
\Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 FUJITSU_ rev.0000 298,09GB
Running: 1ttb7vru.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\kwldraob.sys

---- System - GMER 2.1 ----

SSDT  8553E008                                          ZwAlertResumeThread
SSDT  8553E758                                          ZwAlertThread
SSDT  89BBF240                                          ZwAllocateVirtualMemory
SSDT  858DB0D8                                          ZwConnectPort
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwCreateFile [0x91DCD666]
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS      ZwCreateKey [0x9B7D4130]
SSDT  89D48790                                          ZwCreateMutant
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwCreateProcess [0x91DE7466]
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwCreateProcessEx [0x91DE786C]
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwCreateSection [0x91DF11D0]
SSDT  89BF7D78                                          ZwCreateThread
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwDeleteFile [0x91DCE258]
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwDeleteKey [0x91DEE7CE]
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwDeleteValueKey [0x91DEE0E4]
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwDuplicateObject [0x91DE6364]
SSDT  89343008                                          ZwFreeVirtualMemory
SSDT  856C3CE0                                          ZwImpersonateAnonymousToken
SSDT  856C1AA0                                          ZwImpersonateThread
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwLoadKey [0x91DEF1DC]
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwLoadKey2 [0x91DEF3E4]
SSDT  89D33E68                                          ZwMapViewOfSection
SSDT  856D2828                                          ZwOpenEvent
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwOpenFile [0x91DCDE74]
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS      ZwOpenKey [0x9B7D46C0]
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwOpenProcess [0x91DE97F6]
SSDT  8559B1C0                                          ZwOpenProcessToken
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwOpenThread [0x91DE93FE]
SSDT  89B7A430                                          ZwOpenThreadToken
SSDT  \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys      ZwProtectVirtualMemory [0x931128B0]
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwRenameKey [0x91DF0174]
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwReplaceKey [0x91DEFAA8]
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwRestoreKey [0x91DF0B5A]
SSDT  85684198                                          ZwResumeThread
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwSecureConnectPort [0x91DD375E]
SSDT  856BE2B8                                          ZwSetContextThread
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwSetInformationFile [0x91DCE61E]
SSDT  89B8AB60                                          ZwSetInformationProcess
SSDT  89B55C28                                          ZwSetInformationThread
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwSetSecurityObject [0x91DF06B6]
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwSetValueKey [0x91DED868]
SSDT  85556640                                          ZwSuspendProcess
SSDT  8553E048                                          ZwSuspendThread
SSDT  \SystemRoot\system32\vsdatant.sys                 ZwSystemDebugControl [0x91DE84F4]
SSDT  858EBA78                                          ZwTerminateProcess
SSDT  856BE7F8                                          ZwTerminateThread
SSDT  8556C9C8                                          ZwUnmapViewOfSection
SSDT  89BE0130                                          ZwWriteVirtualMemory

INT 0x06  \??\C:\WINDOWS\system32\drivers\Haspnt.sys    BA2FB16D
INT 0x0E  \??\C:\WINDOWS\system32\drivers\Haspnt.sys    BA2FAFC2

---- Kernel code sections - GMER 2.1 ----

.text         ntkrnlpa.exe!ZwCallbackReturn + 2FB8          80504844 12 Bytes  [40, 66, 55, 85, 48, E0, 53, ...] {INC EAX; PUSH BP; TEST [EAX-0x20], ECX; PUSH EBX; TEST ESP, ESI; TEST DH, BL; XCHG ECX, EAX}
.text         C:\WINDOWS\system32\drivers\hardlock.sys      section is writeable [0x917F1400, 0x7960C, 0xE8000020]
.protect˙˙˙˙  C:\WINDOWS\system32\drivers\hardlock.sys      entry point in ".protect" section [0x91893420]
.protect˙˙˙˙  C:\WINDOWS\system32\drivers\hardlock.sys      unknown last code section [0x91893200, 0x5049, 0xE0000020]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\Mozilla Firefox\firefox.exe[4840] ntdll.dll!LdrLoadDll                 7C9163A3 5 Bytes  JMP 0171EEB0 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4840] kernel32.dll!lstrlenW + 43           7C809ADC 7 Bytes  JMP 01D2979B C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4840] kernel32.dll!MapViewOfFileEx + 6A    7C80B990 7 Bytes  JMP 01D29778 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4840] kernel32.dll!ValidateLocale + B1E8   7C8449F8 7 Bytes  JMP 01724CE9 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4840] GDI32.dll!SetDIBitsToDevice + 209    77F19E04 7 Bytes  JMP 01D296F9 C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.1 ----

Device          \Driver\Tcpip \Device\Ip                 vsdatant.sys
AttachedDevice  \Driver\Tcpip \Device\Ip                 SYMTDI.SYS
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  SynTP.sys
Device          \Driver\Tcpip \Device\Tcp                vsdatant.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp                SYMTDI.SYS
Device          \Driver\Tcpip \Device\Udp                vsdatant.sys
AttachedDevice  \Driver\Tcpip \Device\Udp                SYMTDI.SYS
Device          \Driver\Tcpip \Device\RawIp              vsdatant.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp              SYMTDI.SYS
Device          \Driver\Tcpip \Device\IPMULTICAST        vsdatant.sys
AttachedDevice  \FileSystem\Fastfat \Fat                 fltMgr.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00225f00652e
Reg  HKLM\SYSTEM\CurrentControlSet\Services\NAVENG@ImagePath    \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130717.022\NAVENG.SYS
Reg  HKLM\SYSTEM\CurrentControlSet\Services\NAVENG
Reg  HKLM\SYSTEM\CurrentControlSet\Services\NAVEX15@ImagePath   \??\C:\PROGRA~1\COMMON~1\SYMANT~1\VIRUSD~1\20130717.022\NAVEX15.SYS
Reg  HKLM\SYSTEM\CurrentControlSet\Services\NAVEX15
Reg  HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00225f00652e (not active ControlSet)

---- EOF - GMER 2.1 ----
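The SSDT table in this log has two kinds of entries: hooks GMER could attribute to a driver image (module path followed by the hook address in brackets, here vsdatant.sys, SYMEVENT.SYS and wpsdrvnt.sys) and hooks printed as a bare 8-digit address, which GMER could not tie to any loaded module. The user code section lists inline JMP patches in firefox.exe[4840] that all land in Firefox's own xul.dll. The script below is an added example, not part of the original log and not GMER's own code: it parses these line shapes into a triage summary. It assumes the GMER 2.1 column layout shown above, takes a constructed subset of the log's lines as its input, and treats the bare-address rule and the same-directory test for user-mode hooks as rules of thumb for prioritising follow-up, not as verdicts.

```python
"""Triage a GMER 2.1 text log: SSDT hooks grouped by owning driver, SSDT hooks
with no owning module image, user-mode inline JMP hooks, attached devices.
Added example; assumes the GMER 2.1 line layout, not GMER's own code."""
import re
import ntpath
from collections import defaultdict

# Constructed sample: a subset of lines copied from the log above.
SAMPLE_LOG = r"""
---- System - GMER 2.1 ----
SSDT  8553E008                                       ZwAlertResumeThread
SSDT  \SystemRoot\system32\vsdatant.sys              ZwCreateFile [0x91DCD666]
SSDT  \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS   ZwCreateKey [0x9B7D4130]
SSDT  89BBF240                                       ZwAllocateVirtualMemory
SSDT  \??\C:\WINDOWS\system32\drivers\wpsdrvnt.sys   ZwProtectVirtualMemory [0x931128B0]
SSDT  89BE0130                                       ZwWriteVirtualMemory
---- User code sections - GMER 2.1 ----
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4840] ntdll.dll!LdrLoadDll  7C9163A3 5 Bytes  JMP 0171EEB0 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[4840] kernel32.dll!lstrlenW + 43  7C809ADC 7 Bytes  JMP 01D2979B C:\Program Files\Mozilla Firefox\xul.dll
---- Devices - GMER 2.1 ----
AttachedDevice  \Driver\Tcpip \Device\Ip                 SYMTDI.SYS
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  SynTP.sys
---- EOF - GMER 2.1 ----
"""

# Bare address: GMER found no module image covering the hook target.
SSDT_BARE = re.compile(r"^SSDT\s+([0-9A-F]{8})\s+(Zw\w+)\s*$")
# Attributed: module path, hooked service, hook address in brackets.
SSDT_MOD = re.compile(r"^SSDT\s+(.+?)\s+(Zw\w+)\s+\[0x([0-9A-F]+)\]\s*$")
INLINE_HOOK = re.compile(
    r"^\.text\s+(.+?\.exe)\[(\d+)\]\s+"        # hooked process image and PID
    r"(\S+!\S+(?:\s+\+\s+[0-9A-F]+)?)\s+"      # hooked export, optional offset
    r"([0-9A-F]{8})\s+(\d+)\s+Bytes\s+"        # patched address, patch length
    r"JMP\s+([0-9A-F]{8})\s+(.+?)\s*$")        # JMP target and owning module
ATTACHED = re.compile(r"^AttachedDevice\s+(\S+)\s+(\S+)\s+(\S+)\s*$")


def parse_gmer(text):
    """Return a dict of parsed hook and device entries from GMER log text."""
    by_module = defaultdict(list)   # module basename -> [hooked Zw services]
    unattributed = []               # (Zw service, hook address) pairs
    inline_hooks = []               # one dict per user-mode inline patch
    attached = []                   # (driver, device, attached-by) tuples
    for raw in text.splitlines():
        line = raw.strip()
        if m := SSDT_BARE.match(line):
            unattributed.append((m.group(2), int(m.group(1), 16)))
        elif m := SSDT_MOD.match(line):
            by_module[ntpath.basename(m.group(1))].append(m.group(2))
        elif m := INLINE_HOOK.match(line):
            process, pid, hooked, addr, nbytes, jmp, owner = m.groups()
            inline_hooks.append({
                "process": process, "pid": int(pid), "hooked": hooked,
                "address": int(addr, 16), "patch_len": int(nbytes),
                "jmp_to": int(jmp, 16), "owner": owner,
                # Heuristic: a JMP into the process's own install directory is
                # usually the application's own hook; anything else gets a look.
                "same_dir": ntpath.dirname(owner).lower()
                            == ntpath.dirname(process).lower(),
            })
        elif m := ATTACHED.match(line):
            attached.append(m.groups())
    return {"ssdt_by_module": dict(by_module), "ssdt_unattributed": unattributed,
            "inline_hooks": inline_hooks, "attached_devices": attached}


def summarize(report):
    """Render the parsed report as triage lines, most interesting first."""
    out = ["SSDT hooks with no owning module image (follow up in a memory dump):"]
    for func, addr in report["ssdt_unattributed"]:
        out.append(f"  {func} -> 0x{addr:08X}")
    out.append("SSDT hooks by module:")
    for mod, funcs in sorted(report["ssdt_by_module"].items()):
        out.append(f"  {mod}: {', '.join(funcs)}")
    out.append("User-mode inline hooks:")
    for h in report["inline_hooks"]:
        where = "own directory" if h["same_dir"] else "FOREIGN module"
        out.append(f"  {ntpath.basename(h['process'])}[{h['pid']}] {h['hooked']}"
                   f" -> {ntpath.basename(h['owner'])} ({where}, {h['patch_len']} bytes)")
    out.append("Attached devices:")
    for drv, dev, by in report["attached_devices"]:
        out.append(f"  {dev} ({drv}) <- {by}")
    return out


if __name__ == "__main__":
    print("\n".join(summarize(parse_gmer(SAMPLE_LOG))))
```

Run against the full log above, the unattributed list comes out to the 23 bare-address services (thread, token, memory and process-control calls), the attributed hooks collapse to three drivers, and every inline hook in firefox.exe[4840] resolves to Firefox's own directory. The unattributed group is where the real work starts: GMER is telling you only that the hook target is not inside any image it knows about, so confirming who owns those pages needs a memory dump or a kernel debugger, not another log.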