GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-06 22:58:34 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.892C 74,53GB Running: gmer.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pxtdrpoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xA64B9A9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xA64BA57A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xA64FE85D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xA64C65C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xA64C6610] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xA64C67AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xA64FE211] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xA64C6532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xA64C6654] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xA64C657A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xA64BAAB0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xA64C6764] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xA64BB368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xA64B9B02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xA64FEF23] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xA64FF1D9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xA64BEB3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xA64FED8E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xA64FEBF9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xA64B96EE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xA68477A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xA64B9B68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey 
[0xA64BEF32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xA64BBE50] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xA64C65EE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xA64C6632] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xA64C67CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xA64FE56D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xA64C6558] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xA64BE436] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xA64C66E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xA64C65A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xA64BE81E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xA64C6788] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xA6847546] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xA64FEA74] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xA64BBCC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xA64FE8C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xA64BB81A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xA68554F6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xA64FD857] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xA64B9BCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xA64B9C34] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xA64BB1E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xA64B9788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xA64B995A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xA64FF02A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xA64B98E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xA64BB532] SSDT \SystemRoot\system32\drivers\aswSnx.sys 
ZwSuspendThread [0xA64BB694] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xA64B99E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xA64BB020] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xA64BB1C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xA64B9C9A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xA64BA5D6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2CEC 805045D4 4 Bytes CALL D1AAEC28 .text ntkrnlpa.exe!ZwCallbackReturn + 2E88 80504770 4 Bytes [1E, E8, 4B, A6] .text ntkrnlpa.exe!ZwCallbackReturn + 2F08 805047F0 4 Bytes [74, EA, 4F, A6] {JZ 0xffffffec; DEC EDI; CMPSB } .text ntkrnlpa.exe!ZwCallbackReturn + 2F4C 80504834 4 Bytes [C6, E8, 4F, A6] .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [CE, 9B, 4B, A6, 34, 9C, 4B, ...] {INTO ; WAIT ; DEC EBX; CMPSB ; XOR AL, 0x9c; DEC EBX; CMPSB ; LOOP 0xffffffbb; DEC EBX; CMPSB } .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL A64BC4FD \SystemRoot\system32\drivers\aswSnx.sys ? imofugc.sys Nie można odnaleźć określonego pliku. ! 
.text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0x9C5EF300, 0x3ACC8, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xA4C3D300, 0x1B7E, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\spoolsv.exe[276] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[276] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[320] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[320] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\SCardSvr.exe[336] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\SCardSvr.exe[336] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\HPQ\IAM\bin\asghost.exe[412] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\HPQ\IAM\bin\asghost.exe[412] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Documents and Settings\Administrator\Pulpit\gmer.exe[480] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Administrator\Pulpit\gmer.exe[480] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[640] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[640] kernel32.dll!SetUnhandledExceptionFilter 7C8449CD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] 
{XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[640] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\FTRTSVC.exe[680] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\FTRTSVC.exe[680] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[732] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[732] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[776] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[776] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[848] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[900] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[900] KERNEL32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[924] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[924] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\services.exe[968] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[968] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[980] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[980] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1180] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1180] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1256] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text 
C:\WINDOWS\system32\svchost.exe[1256] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1372] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1372] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1400] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1400] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\msdtc.exe[1432] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\msdtc.exe[1432] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1444] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1444] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\DllHost.exe[1568] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\DllHost.exe[1568] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\ABBYY PDF Transformer+\NetworkLicenseServer.exe[1652] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\ABBYY PDF Transformer+\NetworkLicenseServer.exe[1652] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1676] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1676] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1692] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1692] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1772] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1772] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Common Files\Microsoft 
Shared\VS7DEBUG\MDM.EXE[1884] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[1884] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[2008] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[2008] kernel32.dll!SetUnhandledExceptionFilter 7C8449CD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[2008] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2072] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2072] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\mqsvc.exe[2212] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\mqsvc.exe[2212] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\mqtgsvc.exe[2756] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\mqtgsvc.exe[2756] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3144] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3144] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[3756] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wuauclt.exe[3756] kernel32.dll!GetBinaryTypeW + 80 7C868E04 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[968] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[968] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice 
\Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 eabfiltr.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys
Device \FileSystem\Cdfs \Cdfs DLAIFS_M.SYS

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----