GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-24 21:40:28 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\0000005b WDC_WD3200AAJS-60M0A0 rev.02.03E02 298,09GB Running: 8pmli68x.exe; Driver: C:\DOCUME~1\Tomek\USTAWI~1\Temp\kwecraoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB3B12A9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB3B1357A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xB3B5785D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB3B1F5C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB3B1F610] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB3B1F7AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xB3B57211] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB3B1F532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xB3B1F654] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB3B1F57A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xB3B13AB0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB3B1F764] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB3B14368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB3B12B02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xB3B57F23] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB3B581D9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB3B17B3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB3B57D8E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB3B57BF9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xB3B126EE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB3D887A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB3B12B68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB3B17F32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB3B14E50] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB3B1F5EE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB3B1F632] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB3B1F7CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xB3B5756D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB3B1F558] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB3B17436] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB3B1F6E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB3B1F5A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB3B1781E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB3B1F788] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB3D88546] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xB3B57A74] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB3B14CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB3B578C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB3B1481A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB3D964F6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xB3B56857] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB3B12BCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB3B12C34] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xB3B141E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB3B12788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB3B1295A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xB3B5802A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB3B128E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB3B14532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB3B14694] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB3B129E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB3B14020] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB3B141C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB3B12C9A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB3B135D6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [CE, 2B, B1, B3, 34, 2C, B1, ...] {INTO ; SUB ESI, [ECX-0x4ed3cb4d]; MOV BL, 0xe2; INC ECX; MOV CL, 0xb3} .text ntkrnlpa.exe!ZwCallbackReturn + 306C 80504954 4 Bytes CALL F103FA81 .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [32, 45, B1, B3, 94, 46, B1, ...] {XOR AL, [EBP-0x4f]; MOV BL, 0x94; INC ESI; MOV CL, 0xb3; LOOP 0x33; MOV CL, 0xb3} .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6FE83C0, 0x829A2A, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Java\jre7\bin\jqs.exe[272] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Java\jre7\bin\jqs.exe[272] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[456] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[512] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\NetService\NvNetworkService.exe[512] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\nvsvc32.exe[532] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\nvsvc32.exe[532] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\PnkBstrA.exe[564] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\PnkBstrA.exe[564] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe[700] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\TP-LINK\TP-LINK Wireless Client Utility\TWCU.exe[700] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[716] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[716] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[736] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\Update Core\NvBackend.exe[736] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Razer\Diamondback 3G\razerhid.exe[768] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Razer\Diamondback 3G\razerhid.exe[768] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[792] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[792] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[792] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\RUNDLL32.EXE[836] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\RUNDLL32.EXE[836] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[868] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[868] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[892] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[892] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\services.exe[936] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[936] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[948] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[948] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1108] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1108] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1168] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1168] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1208] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1208] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[1268] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[1268] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1312] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1312] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1324] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1324] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1340] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1340] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Documents and Settings\Tomek\Pulpit\LoL\GMER\8pmli68x.exe[1364] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Tomek\Pulpit\LoL\GMER\8pmli68x.exe[1364] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[1436] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[1436] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1500] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1500] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1500] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1796] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1796] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1804] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1804] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\acs.exe[1900] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\acs.exe[1900] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1968] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1968] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[2096] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[2096] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\RunDll32.exe[2116] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\RunDll32.exe[2116] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2368] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2368] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2516] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2516] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2828] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2828] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Razer\Diamondback 3G\razertra.exe[3240] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Razer\Diamondback 3G\razertra.exe[3240] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Razer\Diamondback 3G\razerofa.exe[3952] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Razer\Diamondback 3G\razerofa.exe[3952] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[936] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[936] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet002\Control\Video\{7FFB1CC8-4AB8-45CC-928D-3AC4A3F8CC9F}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{348E64BF-D310-4C2F-B1D7-C1A35A418135}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{7FFB1CC8-4AB8-45CC-928D-3AC4A3F8CC9F}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{348E64BF-D310-4C2F-B1D7-C1A35A418135}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{7FFB1CC8-4AB8-45CC-928D-3AC4A3F8CC9F}\0000@D3D_\x3332\x3331 2089309684 ---- EOF - GMER 2.1 ----