GMER 1.0.14.14536 - http://www.gmer.net
Rootkit scan 2009-01-25 15:03:09
Windows 5.1.2600 Service Pack 3

---- System - GMER 1.0.14 ----

SSDT 863BF9E8 ZwAlertResumeThread
SSDT 864673E0 ZwAlertThread
SSDT 86BEAD30 ZwAllocateVirtualMemory
SSDT 864E97D0 ZwConnectPort
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwCreateKey [0xAA257020]
SSDT 86C014B8 ZwCreateMutant
SSDT 86BE5CD8 ZwCreateThread
SSDT 86C0A5A0 ZwDebugActiveProcess
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteKey [0xAA2572A0]
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwDeleteValueKey [0xAA257800]
SSDT 86C3CDE0 ZwFreeVirtualMemory
SSDT 86BDD778 ZwImpersonateAnonymousToken
SSDT 86BE3828 ZwImpersonateThread
SSDT 86C3CD40 ZwMapViewOfSection
SSDT 86BFFE38 ZwOpenEvent
SSDT 864A5C38 ZwOpenProcessToken
SSDT 86BC8CA0 ZwOpenSection
SSDT 86D09008 ZwOpenThreadToken
SSDT 864A5340 ZwResumeThread
SSDT 864A0148 ZwSetContextThread
SSDT 864A4C40 ZwSetInformationProcess
SSDT 86D09070 ZwSetInformationThread
SSDT \??\C:\WINDOWS\system32\Drivers\SYMEVENT.SYS (Symantec Event Library/Symantec Corporation) ZwSetValueKey [0xAA257A50]
SSDT 86C1C830 ZwSuspendProcess
SSDT 86446BC0 ZwSuspendThread
SSDT 86443C38 ZwTerminateProcess
SSDT 86C32E30 ZwTerminateThread
SSDT 86D0E130 ZwUnmapViewOfSection
SSDT 86BEACA0 ZwWriteVirtualMemory

Code 2201ced6d30a29e038061eb6d9f15452.sys ZwCreateKey [0xF76AFC8E]
Code 2201ced6d30a29e038061eb6d9f15452.sys ZwEnumerateKey [0xF76AFD13]
Code 2201ced6d30a29e038061eb6d9f15452.sys ZwOpenKey [0xF76AFC10]
Code 2201ced6d30a29e038061eb6d9f15452.sys ZwQueryDirectoryFile [0xF76AF999]
Code 2201ced6d30a29e038061eb6d9f15452.sys IoCreateFile
Code 2201ced6d30a29e038061eb6d9f15452.sys NtQueryDirectoryFile

---- Kernel code sections - GMER 1.0.14 ----

PAGE ntkrnlpa.exe!IoCreateFile 8056BB8C 5 Bytes JMP F76AF872 2201ced6d30a29e038061eb6d9f15452.sys
PAGE ntkrnlpa.exe!NtQueryDirectoryFile 8056F0F4 5 Bytes JMP F76AF99D 2201ced6d30a29e038061eb6d9f15452.sys
PAGE ntkrnlpa.exe!ZwCreateKey 8061A312 5 Bytes JMP F76AFC92 2201ced6d30a29e038061eb6d9f15452.sys
PAGE ntkrnlpa.exe!ZwEnumerateKey 8061AB52 7 Bytes JMP F76AFD17 2201ced6d30a29e038061eb6d9f15452.sys
PAGE ntkrnlpa.exe!ZwOpenKey 8061B6E4 5 Bytes JMP F76AFC14 2201ced6d30a29e038061eb6d9f15452.sys
? 2201ced6d30a29e038061eb6d9f15452.sys The system cannot find the file specified. !

---- User code sections - GMER 1.0.14 ----

.text C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe[1296] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes JMP 0056DBBD C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe (Windows Live Messenger/Microsoft Corporation)
.text C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\WindowsSearchIndexer.exe[3108] kernel32.dll!WriteFile 7C810E17 7 Bytes JMP 646A05B2 C:\Program Files\MSN Toolbar Suite\DS\02.05.0001.1119\en-us\bin\mssrch.dll (Windows Desktop Search executable/Microsoft Corporation)
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3984] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10002E30
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3984] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10002D90
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3984] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100029A0
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3984] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3984] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100024F0
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[3984] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10002D44
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtCreateFile + 6 7C90D096 4 Bytes [ 25, 00, 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtCreateFile + B 7C90D09B 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtMapViewOfSection + 6 7C90D506 1 Byte [ 25 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtMapViewOfSection + 8 7C90D508 2 Bytes [ 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtMapViewOfSection + B 7C90D50B 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenFile + 6 7C90D586 4 Bytes [ 65, 00, 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenFile + B 7C90D58B 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenProcess + 6 7C90D5E6 4 Bytes [ A5, 01, 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenProcess + B 7C90D5EB 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenProcessToken + 6 7C90D5F6 4 Bytes [ E5, 01, 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenProcessToken + B 7C90D5FB 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenProcessTokenEx + 6 7C90D606 4 Bytes [ A5, 02, 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenProcessTokenEx + B 7C90D60B 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenThread + 6 7C90D646 4 Bytes [ 65, 01, 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenThread + B 7C90D64B 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenThreadToken + 6 7C90D656 4 Bytes [ 65, 02, 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenThreadToken + B 7C90D65B 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenThreadTokenEx + 6 7C90D666 4 Bytes [ E5, 02, 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtOpenThreadTokenEx + B 7C90D66B 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtQueryAttributesFile + 6 7C90D6F6 4 Bytes [ A5, 00, 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtQueryAttributesFile + B 7C90D6FB 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtQueryFullAttributesFile + 6 7C90D796 4 Bytes [ E5, 00, 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtQueryFullAttributesFile + B 7C90D79B 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtSetInformationFile + 6 7C90DC46 4 Bytes [ 25, 01, 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtSetInformationFile + B 7C90DC4B 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtSetInformationThread + 6 7C90DC96 4 Bytes [ 25, 02, 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtSetInformationThread + B 7C90DC9B 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtUnmapViewOfSection + 6 7C90DEF6 1 Byte [ 65 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtUnmapViewOfSection + 8 7C90DEF8 2 Bytes [ 16, 00 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] ntdll.dll!NtUnmapViewOfSection + B 7C90DEFB 1 Byte [ E2 ]
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] kernel32.dll!ExitProcess 7C81CAFA 5 Bytes JMP 10002E30
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] WS2_32.dll!connect 71AB4A07 5 Bytes JMP 10002D90
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] WS2_32.dll!send 71AB4C27 5 Bytes JMP 100029A0
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] WS2_32.dll!WSARecv 71AB4CB5 5 Bytes JMP 100027F8
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] WS2_32.dll!recv 71AB676F 5 Bytes JMP 100024F0
.text C:\Documents and Settings\Greg Masie\Local Settings\Application Data\Google\Chrome\Application\chrome.exe[4024] WS2_32.dll!WSASend 71AB68FA 5 Bytes JMP 10002D44

---- Devices - GMER 1.0.14 ----

AttachedDevice \Driver\Tcpip \Device\Ip SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 EABFiltr.sys (QLB PS/2 Keyboard filter driver/Hewlett-Packard Company)
AttachedDevice \Driver\Tcpip \Device\Tcp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\Udp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)
AttachedDevice \Driver\Tcpip \Device\RawIp SYMTDI.SYS (Network Dispatch Driver/Symantec Corporation)

---- Services - GMER 1.0.14 ----

Service system32\2201ced6d30a29e038061eb6d9f15452.sys (*** hidden *** ) [BOOT] 2201ced6d30a29e038061eb6d9f15452 <-- ROOTKIT !!!

---- Registry - GMER 1.0.14 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???!?!??system32\DRIVERS\tosporte.sys??????? ???????????LocalSystem?????%SystemRoot%\system32\spoolsv.exe?????N??"???!??D??????????????????e????? ??????????????p?????8??!????????h?????????? ? ?!?!?!?!?!?????????????????n????\SystemRoot\System32\Drivers\SYMDNS.SYS?t.???????????0?????????e????Universal Plug and Play Device Host???????v??!?????????e???????????1???1????10.203.61.242????????????!???????????????E?.?e??? ???"???e??????????LocalSystem??????????????o??en????p??!?????????n??????.??!??????????????????????system32\drivers\swmidi.sys?sv????T??!?????????elS???????????=????????e??6??system32\DRIVERS\w29n51.sys??????? ??????E??pn???????"?????????n?????????!?????????e????Windows Time????????????oem35.inf????0?0?1??????????????t????????????