GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-15 10:34:31 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-5 SAMSUNG_HD322HJ rev.1AC01118 298,09GB Running: u03sc19p.exe; Driver: C:\DOCUME~1\Irmina\USTAWI~1\Temp\pgliqpoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB3B74A9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB3B7557A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xB3BB985D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB3B815C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB3B81610] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB3B817AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xB3BB9211] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB3B81532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xB3B81654] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB3B8157A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xB3B75AB0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB3B81764] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB3B76368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB3B74B02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xB3BB9F23] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB3BBA1D9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB3B79B3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB3BB9D8E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB3BB9BF9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xB3B746EE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB3EE967A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB3B74B68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB3B79F32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB3B76E50] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB3B815EE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB3B81632] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB3B817CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xB3BB956D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB3B81558] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB3B79436] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB3B816E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB3B815A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB3B7981E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB3B81788] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB3EE941E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xB3BB9A74] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB3B76CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB3BB98C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB3B7681A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB3EF73D8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xB3BB8857] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB3B74BCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB3B74C34] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xB3B761E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB3B74788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB3B7495A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xB3BBA02A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB3B748E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB3B76532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB3B76694] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB3B749E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB3B76020] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB3B761C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB3B74C9A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB3B755D6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2F10 8050479C 12 Bytes [CE, 4B, B7, B3, 34, 4C, B7, ...] {INTO ; DEC EBX; MOV BH, 0xb3; XOR AL, 0x4c; MOV BH, 0xb3; LOOP 0x6b; MOV BH, 0xb3} .text ntkrnlpa.exe!ZwCallbackReturn + 2FA8 80504834 4 Bytes CALL D903FF81 .text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 12 Bytes [32, 65, B7, B3, 94, 66, B7, ...] {XOR AH, [EBP-0x49]; MOV BL, 0x94; MOV BH, 0xb3; LOOP 0x53; MOV BH, 0xb3} PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A648C 4 Bytes CALL B3B774FD \SystemRoot\system32\drivers\aswSnx.sys .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB6878380, 0x8D6CD5, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[176] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\VIA\VIAudioi\HDADeck\HDeck.exe[176] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[204] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\ScanSoft\PaperPort\pptd40nt.exe[204] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\SweetIM\Messenger\SweetIM.exe[240] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\SweetIM\Messenger\SweetIM.exe[240] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\rundll32.exe[252] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\rundll32.exe[252] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Real\RealPlayer\update\realsched.exe[260] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Real\RealPlayer\update\realsched.exe[260] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Program Files\Real\RealPlayer\update\realsched.exe[260] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\RUNDLL32.EXE[288] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\RUNDLL32.EXE[288] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[316] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[316] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[424] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[424] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\afwServ.exe[424] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[464] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[464] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[464] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Messenger\msmsgs.exe[488] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Messenger\msmsgs.exe[488] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[540] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[540] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[592] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text G:\Program Files\IVT Corporation\BlueSoleil\BTNtService.exe[592] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[716] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[772] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[772] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[796] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[796] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\services.exe[840] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\services.exe[840] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[852] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[852] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1040] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1040] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1088] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1088] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1232] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1232] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1272] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1272] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text G:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[1388] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text G:\Program Files\IVT Corporation\BlueSoleil\BlueSoleil.exe[1388] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[1404] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[1404] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1420] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1420] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1452] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1452] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1572] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1572] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1572] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[1596] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\McAfee Security Scan\3.8.141\SSScheduler.exe[1596] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1804] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1804] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\nvsvc32.exe[1852] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\nvsvc32.exe[1852] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1876] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1876] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2384] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2384] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[2896] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[2896] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Documents and Settings\Irmina\Pulpit\prog\u03sc19p.exe[3120] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Documents and Settings\Irmina\Pulpit\prog\u03sc19p.exe[3120] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[840] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[840] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- Device Ntfs.sys Device Fastfat.SYS AttachedDevice \Driver\Tcpip \Device\Ip aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001167ac6fce Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001167ac6fce (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001167ac6fce (not active ControlSet) ---- EOF - GMER 2.1 ----