GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-10 14:10:53
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST500DM002-1BD142 rev.KC45 465,76GB
Running: uvvk89vh.exe; Driver: C:\DOCUME~1\WACICI~1\USTAWI~1\Temp\kfxdraob.sys

---- System - GMER 2.1 ----

SSDT 894C8AC8 ZwAlertResumeThread
SSDT 894C8B60 ZwAlertThread
SSDT 894E4658 ZwAllocateVirtualMemory
SSDT 894A27E0 ZwAssignProcessToJobObject
SSDT 8A0AC240 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwCreateKey [0xB016AF50]
SSDT 8950AAD8 ZwCreateMutant
SSDT 8951BDB8 ZwCreateSymbolicLinkObject
SSDT 894E5838 ZwCreateThread
SSDT 8950B9F8 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteKey [0xB016B1D0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwDeleteValueKey [0xB016B890]
SSDT 894E4798 ZwDuplicateObject
SSDT 894E9698 ZwFreeVirtualMemory
SSDT 8950AB80 ZwImpersonateAnonymousToken
SSDT 894C8A30 ZwImpersonateThread
SSDT 8A34A8E0 ZwLoadDriver
SSDT 894C6DA8 ZwMapViewOfSection
SSDT 8950AA40 ZwOpenEvent
SSDT 8952ECE0 ZwOpenProcess
SSDT 894E4700 ZwOpenProcessToken
SSDT 8950BB08 ZwOpenSection
SSDT 8952EC58 ZwOpenThread
SSDT 894A2738 ZwProtectVirtualMemory
SSDT 8951BD30 ZwQueueApcThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwRenameKey [0xB016BDF0]
SSDT 894C99F8 ZwResumeThread
SSDT 894C9BC0 ZwSetContextThread
SSDT 894C6C68 ZwSetInformationProcess
SSDT 8950BA50 ZwSetSystemInformation
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS ZwSetValueKey [0xB016BB10]
SSDT 8950BB80 ZwSuspendProcess
SSDT 894C9A90 ZwSuspendThread
SSDT 89506680 ZwTerminateProcess
SSDT 894C9B28 ZwTerminateThread
SSDT 894C6D10 ZwUnmapViewOfSection
SSDT 894E9740 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.1 ----

? SYMDS.SYS Nie można odnaleźć określonego pliku. !
? SYMEFA.SYS Nie można odnaleźć określonego pliku. !
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB2F9B3C0, 0x843A2A, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[2000] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 015C6D70 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2000] kernel32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 0191D736 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2000] kernel32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 0191D713 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2000] kernel32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 015E1C62 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2000] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 0191D694 C:\Program Files\Mozilla Firefox\xul.dll
.text E:\tools\uvvk89vh.exe[4780] ntdll.dll!NtMapViewOfSection 7C90D51E 5 Bytes JMP 003F0048
.text E:\tools\uvvk89vh.exe[4780] ntdll.dll!NtTerminateThread 7C90DE7E 5 Bytes JMP 003C0050
.text E:\tools\uvvk89vh.exe[4780] ADVAPI32.dll!OpenSCManagerW + A3 77DD6FF8 7 Bytes JMP 003F020E
.text E:\tools\uvvk89vh.exe[4780] ADVAPI32.dll!LogonUserExW + 461 77DE4A04 7 Bytes JMP 003F012A
.text E:\tools\uvvk89vh.exe[4780] ADVAPI32.dll!SystemFunction025 + 8D 77DE4C61 7 Bytes JMP 003F0682
.text E:\tools\uvvk89vh.exe[4780] ADVAPI32.dll!SetServiceObjectSecurity + E3 77E26E64 7 Bytes JMP 003F059E
.text E:\tools\uvvk89vh.exe[4780] ADVAPI32.dll!ChangeServiceConfigA + 193 77E26FFC 7 Bytes JMP 003F03D6
.text E:\tools\uvvk89vh.exe[4780] ADVAPI32.dll!ChangeServiceConfig2W + 83 77E2720C 2 Bytes JMP 003F02F2
.text E:\tools\uvvk89vh.exe[4780] ADVAPI32.dll!ChangeServiceConfig2W + 86 77E2720F 4 Bytes [5C, 88, EB, F9] {POP ESP; MOV BL, CH; STC }
.text E:\tools\uvvk89vh.exe[4780] ADVAPI32.dll!CreateServiceA + 193 77E273A4 7 Bytes JMP 003F04BA
.text E:\tools\uvvk89vh.exe[4780] ADVAPI32.dll!CreateServiceW + 103 77E274AC 7 Bytes JMP 003F0766
.text E:\tools\uvvk89vh.exe[4780] USER32.dll!CreateSystemThreads + 10A 7E3817F2 7 Bytes JMP 003F092C
.text E:\tools\uvvk89vh.exe[4780] USER32.dll!DeviceEventWorker + 178 7E3AA270 7 Bytes JMP 003F084A

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS

---- EOF - GMER 2.1 ----