GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-07-28 17:58:21
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD3200AAKS-00L9A0 rev.01.03E01
Running: gmer.exe; Driver: C:\DOCUME~1\Pawel\USTAWI~1\Temp\kweiifow.sys


---- System - GMER 1.0.15 ----

SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwAdjustPrivilegesToken [0xADD65690]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwClose [0xADD65F94]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwConnectPort [0xADD66DC8]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwCreateEvent [0xADD67312]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwCreateFile [0xADD66270]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwCreateKey [0xADD64500]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwCreateMutant [0xADD671F8]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwCreateNamedPipeFile [0xADD6527E]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwCreatePort [0xADD670CC]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwCreateSection [0xADD65426]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwCreateSemaphore [0xADD67432]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwCreateThread [0xADD65C1C]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwCreateWaitablePort [0xADD67162]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwDebugActiveProcess [0xADD68B1A]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwDeleteKey [0xADD64B0A]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwDeleteValueKey [0xADD64EBE]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwDeviceIoControlFile [0xADD666F2]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwDuplicateObject [0xADD69D26]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwEnumerateKey [0xADD6500A]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwEnumerateValueKey [0xADD650A2]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwFsControlFile [0xADD66500]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwLoadDriver [0xADD68C0C]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwLoadKey [0xADD644DC]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwLoadKey2 [0xADD644EE]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwMapViewOfSection [0xADD69374]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwNotifyChangeKey [0xADD651CE]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwOpenEvent [0xADD673A8]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwOpenFile [0xADD66016]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwOpenKey [0xADD646C0]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwOpenMutant [0xADD67288]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwOpenProcess [0xADD658CC]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwOpenSection [0xADD6910E]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwOpenSemaphore [0xADD674C8]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwOpenThread [0xADD657BE]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwQueryKey [0xADD6513A]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwQueryMultipleValueKey [0xADD64D72]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwQuerySection [0xADD696AE]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwQueryValueKey [0xADD6499C]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwQueueApcThread [0xADD68FA0]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwRenameKey [0xADD64C2C]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwReplaceKey [0xADD63F16]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwReplyPort [0xADD6782C]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwReplyWaitReceivePort [0xADD676F2]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwRequestWaitReplyPort [0xADD688B4]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwRestoreKey [0xADD6428E]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwResumeThread [0xADD69BC8]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwSaveKey [0xADD63EAE]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwSecureConnectPort [0xADD66B0E]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwSetContextThread [0xADD65E38]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwSetInformationToken [0xADD68154]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwSetSecurityObject [0xADD68DAA]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwSetSystemInformation [0xADD697FE]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwSetValueKey [0xADD64816]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwSuspendProcess [0xADD698F0]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwSuspendThread [0xADD69A2A]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwSystemDebugControl [0xADD68A3E]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwTerminateProcess [0xADD65A68]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwTerminateThread [0xADD659C8]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwUnmapViewOfSection [0xADD69552]
SSDT  \SystemRoot\system32\DRIVERS\2809484drv.sys  ZwWriteVirtualMemory [0xADD65B52]

Code  \SystemRoot\system32\DRIVERS\2809484drv.sys  FsRtlCheckLockForReadAccess
Code  \SystemRoot\system32\DRIVERS\2809484drv.sys  IoIsOperationSynchronous

---- Kernel code sections - GMER 1.0.15 ----

.text  ntkrnlpa.exe!FsRtlCheckLockForReadAccess  804E9F90 5 Bytes  JMP ADD57FD0 \SystemRoot\system32\DRIVERS\2809484drv.sys
.text  ntkrnlpa.exe!IoIsOperationSynchronous  804EE86E 5 Bytes  JMP ADD583AC \SystemRoot\system32\DRIVERS\2809484drv.sys
.text  ntkrnlpa.exe!ZwCallbackReturn + 24E8  80501D10 12 Bytes  [0C, 8C, D6, AD, DC, 44, D6, ...] {OR AL, 0x8c; SALC ; LODSD ; FADD QWORD [ESI+EDX*8-0x53]; OUT DX, AL ; INC ESP; SALC ; LODSD }
.text  ntkrnlpa.exe!ZwCallbackReturn + 2664  80501E8C 16 Bytes  [2C, 4C, D6, AD, 16, 3F, D6, ...]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2758  80501F80 12 Bytes  [F0, 98, D6, AD, 2A, 9A, D6, ...]
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB51B33A0, 0x88C445, 0xE8000020]
?  system32\DRIVERS\2809484drv.sys  System nie może odnaleźć określonej ścieżki. !
?  system32\DRIVERS\30140786.sys  System nie może odnaleźć określonej ścieżki. !
?  C:\Documents and Settings\Pawel\Ustawienia lokalne\temp\11C.tmp\block_reader.sys  Nie można odnaleźć określonego pliku. !

---- User code sections - GMER 1.0.15 ----

.text  D:\programy\Mozilla 5.0\plugin-container.exe[1136] USER32.dll!SetWindowLongA  7E37C29D 5 Bytes  JMP 1068EDA6 D:\programy\Mozilla 5.0\xul.dll (Mozilla Foundation)
.text  D:\programy\Mozilla 5.0\plugin-container.exe[1136] USER32.dll!SetWindowLongW  7E37C2BB 5 Bytes  JMP 1068ED38 D:\programy\Mozilla 5.0\xul.dll (Mozilla Foundation)
.text  D:\programy\Mozilla 5.0\plugin-container.exe[1136] USER32.dll!GetWindowInfo  7E37C49C 5 Bytes  JMP 104A5451 D:\programy\Mozilla 5.0\xul.dll (Mozilla Foundation)
.text  D:\programy\Mozilla 5.0\plugin-container.exe[1136] USER32.dll!TrackPopupMenu  7E3B531E 5 Bytes  JMP 104A5A99 D:\programy\Mozilla 5.0\xul.dll (Mozilla Foundation)
.text  D:\programy\Mozilla 5.0\firefox.exe[2328] ntdll.dll!LdrLoadDll  7C9163A3 5 Bytes  JMP 00401410 D:\programy\Mozilla 5.0\firefox.exe (Firefox/Mozilla Corporation)

---- Devices - GMER 1.0.15 ----

AttachedDevice  \FileSystem\Fastfat \Fat  fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----