GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-04 19:47:34 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HTS541640J9SA00 rev.SB1OC74P 37,26GB Running: 0s64hq44.exe; Driver: C:\DOCUME~1\Halina\USTAWI~1\Temp\pftdypow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB4B9DA9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB4B9E57A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xB4BE285D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB4BAA5C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB4BAA610] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB4BAA7AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xB4BE2211] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB4BAA532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xB4BAA654] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB4BAA57A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xB4B9EAB0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB4BAA764] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB4B9F368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB4B9DB02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xB4BE2F23] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB4BE31D9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB4BA2B3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB4BE2D8E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB4BE2BF9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xB4B9D6EE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB4E3B67A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB4B9DB68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB4BA2F32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB4B9FE50] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB4BAA5EE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB4BAA632] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB4BAA7CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xB4BE256D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB4BAA558] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB4BA2436] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB4BAA6E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB4BAA5A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB4BA281E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB4BAA788] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB4E3B41E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xB4BE2A74] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB4B9FCC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB4BE28C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB4B9F81A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB4E493D8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xB4BE1857] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB4B9DBCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB4B9DC34] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xB4B9F1E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB4B9D788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB4B9D95A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xB4BE302A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB4B9D8E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB4B9F532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB4B9F694] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB4B9D9E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB4B9F020] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB4B9F1C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB4B9DC9A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB4B9E5D6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2C98 80504524 8 Bytes JMP A764B4B9 .text ntkrnlpa.exe!ZwCallbackReturn + 2F10 8050479C 12 Bytes [CE, DB, B9, B4, 34, DC, B9, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2FA8 80504834 4 Bytes CALL D9050211 .text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 12 Bytes [32, F5, B9, B4, 94, F6, B9, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A648C 4 Bytes CALL B4BA04FD \SystemRoot\system32\drivers\aswSnx.sys .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB9820000, 0x19DA46, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[216] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[216] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[216] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\4G Hostless Modem\PLAY ONLINE\CheckNDISPort_df.exe[268] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\4G Hostless Modem\PLAY ONLINE\CheckNDISPort_df.exe[268] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\4G Hostless Modem\PLAY ONLINE\CancelAutoPlay_df.exe[336] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\4G Hostless Modem\PLAY ONLINE\CancelAutoPlay_df.exe[336] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[472] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[472] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[472] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[492] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[492] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\IFXTCS.exe[584] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\IFXTCS.exe[584] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[608] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[608] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Java\jre6\bin\jqs.exe[676] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Java\jre6\bin\jqs.exe[676] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Documents and Settings\Halina\Dane aplikacji\PLAY ONLINE\ouc.exe[712] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Documents and Settings\Halina\Dane aplikacji\PLAY ONLINE\ouc.exe[712] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[740] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\MDM.EXE[740] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[760] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[760] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[816] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[916] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[916] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\PasswordBox\pbbtnService.exe[968] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\PasswordBox\pbbtnService.exe[968] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\SCardSvr.exe[1008] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\SCardSvr.exe[1008] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1092] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1092] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1124] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1124] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1168] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1168] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1180] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1180] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\ifxspmgt.exe[1304] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\ifxspmgt.exe[1304] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1360] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1360] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1408] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1408] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1464] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE[1464] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1472] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Analog Devices\Core\smax4pnp.exe[1472] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[1480] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe[1480] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1504] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe[1504] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\IfxPsdSv.exe[1544] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\IfxPsdSv.exe[1544] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1568] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1568] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1700] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1700] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1860] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1860] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Documents and Settings\All Users\Dane aplikacji\DatacardService\HWDeviceService.exe[1872] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Documents and Settings\All Users\Dane aplikacji\DatacardService\HWDeviceService.exe[1872] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\AVG SafeGuard toolbar\vprot.exe[2024] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\AVG SafeGuard toolbar\vprot.exe[2024] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[2224] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[2224] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2376] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2376] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe[2472] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\ToolbarUpdater.exe[2472] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\loggingserver.exe[2612] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\18.1.0\loggingserver.exe[2612] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2668] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Shared\hpqwmiex.exe[2668] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3200] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[3200] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3292] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3292] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3608] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3608] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe[3620] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Hewlett-Packard\Embedded Security Software\PSDrt.exe[3620] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[3672] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[3672] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Documents and Settings\Halina\Pulpit\Nowy folder\0s64hq44.exe[3980] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Documents and Settings\Halina\Pulpit\Nowy folder\0s64hq44.exe[3980] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[1168] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[1168] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell@MinPos1280x800(1).x -1 Reg HKCU\Software\Microsoft\Windows\ShellNoRoam\Bags\72\Shell@MinPos1280x800(1).y -1 ---- EOF - GMER 2.1 ----