GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-02 15:48:49
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD800JB-00JJC0 rev.05.01C05 74,53GB
Running: o3kyx6vb.exe; Driver: C:\DOCUME~1\Artur\USTAWI~1\Temp\afrdqfob.sys

---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwAddBootEntry [0xF583EBA6]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwAssignProcessToJobObject [0xF583F684]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwClose [0xF5883D80]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateEvent [0xF584B6F8]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateEventPair [0xF584B744]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateIoCompletion [0xF584B8DE]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateKey [0xF5883734]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateMutant [0xF584B666]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateSection [0xF584B788]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateSemaphore [0xF584B6AE]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateThread [0xF583FBBA]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateTimer [0xF584B898]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDebugActiveProcess [0xF5840472]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteBootEntry [0xF583EC0C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteKey [0xF5884446]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteValueKey [0xF58846FC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDuplicateObject [0xF5843C68]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwEnumerateKey [0xF58842B1]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwEnumerateValueKey [0xF588411C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwLoadDriver [0xF583E7F8]
SSDT  \SystemRoot\system32\drivers\aswSP.sys  ZwMapViewOfSection [0xF5B72ED0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwModifyBootEntry [0xF583EC72]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwNotifyChangeKey [0xF584405E]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwNotifyChangeMultipleKeys [0xF5840F5A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenEvent [0xF584B722]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenEventPair [0xF584B766]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenIoCompletion [0xF584B902]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenKey [0xF5883A90]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenMutant [0xF584B68C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenProcess [0xF5843560]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenSection [0xF584B816]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenSemaphore [0xF584B6D6]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenThread [0xF584394C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenTimer [0xF584B8BC]
SSDT  \SystemRoot\system32\drivers\aswSP.sys  ZwProtectVirtualMemory [0xF5B72C6E]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryKey [0xF5883F97]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryObject [0xF5840DCE]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryValueKey [0xF5883DE9]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueueApcThread [0xF5840924]
SSDT  \SystemRoot\system32\drivers\aswSP.sys  ZwRenameKey [0xF5B80E1A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwRestoreKey [0xF5882D77]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetBootEntryOrder [0xF583ECD8]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetBootOptions [0xF583ED3E]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetContextThread [0xF58402EC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetSystemInformation [0xF583E892]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetSystemPowerState [0xF583EA64]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetValueKey [0xF588454D]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwShutdownSystem [0xF583E9F2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSuspendProcess [0xF584063C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSuspendThread [0xF584079E]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSystemDebugControl [0xF583EAEC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwTerminateProcess [0xF584012A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwTerminateThread [0xF58402CC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwVdmControl [0xF583EDA4]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwWriteVirtualMemory [0xF583F6E0]

---- Kernel code sections - GMER 2.1 ----

.text  ntoskrnl.exe!ZwYieldExecution + 33A  804E4B64 4 Bytes  JMP CB43D3A6
.text  ntoskrnl.exe!ZwYieldExecution + 3C2  804E4BEC 12 Bytes  [D8, EC, 83, F5, 3E, ED, 83, ...]
.text  ntoskrnl.exe!ZwYieldExecution + 436  804E4C60 8 Bytes  [92, E8, 83, F5, 64, EA, 83, ...]
.text  ntoskrnl.exe!ZwYieldExecution + 45A  804E4C84 4 Bytes  [F2, E9, 83, F5]
.text  ntoskrnl.exe!ZwYieldExecution + 46A  804E4C94 12 Bytes  [3C, 06, 84, F5, 9E, 07, 84, ...]
PAGE  ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC  80575B10 4 Bytes  CALL F584162B \SystemRoot\system32\drivers\aswSnx.sys
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xF6FBB360, 0x372FAD, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\System32\alg.exe[260] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\System32\alg.exe[260] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\wscntfy.exe[364] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\wscntfy.exe[364] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[436] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[436] kernel32.dll!SetUnhandledExceptionFilter  7C8449FD 8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[436] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[456] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\RUNDLL32.EXE[456] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[516] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\Program Files\Hp\HP Software Update\HPWuSchd2.exe[516] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\RunDll32.exe[528] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\RunDll32.exe[528] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[624] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe[624] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[700] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\Program Files\Common Files\Java\Java Update\jusched.exe[700] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\System32\smss.exe[712] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\csrss.exe[760] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\csrss.exe[760] KERNEL32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\winlogon.exe[784] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\winlogon.exe[784] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\services.exe[828] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\lsass.exe[840] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1004] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1004] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1052] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1052] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\System32\svchost.exe[1092] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\System32\svchost.exe[1092] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1184] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1184] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1208] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1208] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1240] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1240] kernel32.dll!SetUnhandledExceptionFilter  7C8449FD 8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1240] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\ctfmon.exe[1248] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\ctfmon.exe[1248] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1396] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\Program Files\SAGEM\SAGEM F@st 800-840\dslmon.exe[1396] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1424] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1424] kernel32.dll!SetUnhandledExceptionFilter  7C8449FD 8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text  C:\Program Files\AVAST Software\Avast\afwServ.exe[1424] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\Explorer.EXE[1492] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\Explorer.EXE[1492] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\spoolsv.exe[1592] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\spoolsv.exe[1592] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\Program Files\Java\jre7\bin\jqs.exe[1720] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\Program Files\Java\jre7\bin\jqs.exe[1720] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\nvsvc32.exe[1772] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\nvsvc32.exe[1772] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1852] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\svchost.exe[1852] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[2472] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\wbem\unsecapp.exe[2472] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[2504] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\wbem\wmiprvse.exe[2504] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] ntdll.dll!NtCreateFile  7C90D090 5 Bytes  JMP 019D3D20 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] ntdll.dll!NtFlushBuffersFile  7C90D310 5 Bytes  JMP 019BC661 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] ntdll.dll!NtQueryFullAttributesFile  7C90D790 5 Bytes  JMP 019D3820 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] ntdll.dll!NtReadFile  7C90D9B0 5 Bytes  JMP 019BC750 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] ntdll.dll!NtReadFileScatter  7C90D9C0 5 Bytes  JMP 0225E1FF C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] ntdll.dll!NtWriteFile  7C90DF60 5 Bytes  JMP 019D43D0 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] ntdll.dll!NtWriteFileGather  7C90DF70 5 Bytes  JMP 0225E1AE C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] ntdll.dll!LdrLoadDll  7C9163A3 5 Bytes  JMP 00461F4C C:\Program Files\Mozilla Firefox\mozglue.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] ntdll.dll!LdrUnloadDll  7C91736B 5 Bytes  JMP 004503FC
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] KERNEL32.dll!lstrlenW + 43  7C809ADC 7 Bytes  JMP 021FF582 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] KERNEL32.dll!MapViewOfFileEx + 6A  7C80B990 7 Bytes  JMP 021FF55F C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] KERNEL32.dll!ValidateLocale + B1E8  7C8449F8 7 Bytes  JMP 019D06F3 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] KERNEL32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] user32.dll!GetWindowInfo  7E37C49C 5 Bytes  JMP 0210E5A9 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2684] GDI32.dll!SetDIBitsToDevice + 209  77F19E04 7 Bytes  JMP 021FF4E0 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\WINDOWS\system32\wuauclt.exe[3080] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\WINDOWS\system32\wuauclt.exe[3080] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]
.text  C:\Documents and Settings\Artur\Moje dokumenty\Pobrane\Nowy folder\o3kyx6vb.exe[3144] ntdll.dll!RtlDosSearchPath_U + 1D1  7C9171AA 1 Byte  [62]
.text  C:\Documents and Settings\Artur\Moje dokumenty\Pobrane\Nowy folder\o3kyx6vb.exe[3144] kernel32.dll!GetBinaryTypeW + 80  7C868C2C 1 Byte  [62]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\WINDOWS\system32\services.exe[828] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  003D0002
IAT  C:\WINDOWS\system32\services.exe[828] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  003D0000

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip  aswNdis2.sys
AttachedDevice  \Driver\Tcpip \Device\Ip  aswTdi.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp  aswNdis2.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp  aswTdi.sys
AttachedDevice  \Driver\Tcpip \Device\Udp  aswNdis2.sys
AttachedDevice  \Driver\Tcpip \Device\Udp  aswTdi.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  aswNdis2.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  aswTdi.sys

---- EOF - GMER 2.1 ----