GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-20 02:58:15 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdePort1 ST9320423AS rev.0002SDM1 298,09GB Running: g___m__e__rt9flnp2e.exe; Driver: C:\DOCUME~1\R\USTAWI~1\Temp\pgtdrpow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xA892DBA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xA892E684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xA8972D80] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xA893A6F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xA893A744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xA893A8DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xA8972734] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xA893A666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xA893A788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xA893A6AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xA892EBBA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xA893A898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xA892F472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xA892DC0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xA8973446] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xA89736FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xA8932C68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xA89732B1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xA897311C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xA892D7F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xA8C43E28] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xA892DC72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xA893305E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xA892FF5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xA893A722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xA893A766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xA893A902] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xA8972A90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xA893A68C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xA8932560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xA893A816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xA893A6D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xA893294C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xA893A8BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xA8C43BCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xA8972F97] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xA892FDCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xA8972DE9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xA892F924] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xA8C51D88] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xA8971D77] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xA892DCD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xA892DD3E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xA892F2EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xA892D892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xA892DA64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xA897354D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xA892D9F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xA892F63C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xA892F79E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xA892DAEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xA892F12A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xA892F2CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xA892DDA4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xA892E6E0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2F4C 80504834 4 Bytes [E9, 2D, 97, A8] .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [D8, DC, 92, A8, 3E, DD, 92, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [3C, F6, 92, A8, 9E, F7, 92, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL A893062B \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\spoolsv.exe[264] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[264] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\SCardSvr.exe[324] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\SCardSvr.exe[324] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[388] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[388] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[492] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\OpenOffice.ux.pl 3\program\soffice.exe[512] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\OpenOffice.ux.pl 3\program\soffice.exe[512] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\OpenOffice.ux.pl 3\program\soffice.bin[556] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\OpenOffice.ux.pl 3\program\soffice.bin[556] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[592] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[592] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[596] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[596] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[684] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[684] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[732] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[732] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Malwarebytes Anti-Malware\mbam.exe[744] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Malwarebytes Anti-Malware\mbam.exe[744] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\StacSV.exe[808] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\StacSV.exe[808] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe[852] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe[852] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[872] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[872] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[900] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[900] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\services.exe[944] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[944] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[964] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[964] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1136] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1136] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1164] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1164] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1220] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1220] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1284] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1284] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\notepad.exe[1360] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\notepad.exe[1360] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1428] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Intel\WiFi\bin\S24EvMon.exe[1428] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\rundll32.exe[1480] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\rundll32.exe[1480] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1512] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1512] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe[1532] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\SigmaTel\C-Major Audio\WDM\stsystra.exe[1532] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1576] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1576] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\V0420Mon.exe[1608] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\V0420Mon.exe[1608] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Intel\WiFi\bin\WLKeeper.exe[1624] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Intel\WiFi\bin\WLKeeper.exe[1624] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[1636] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[1636] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1676] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1676] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1708] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1708] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1708] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1816] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe[1816] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1900] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1900] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[1944] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[1944] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Skype\Phone\Skype.exe[1968] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Skype\Phone\Skype.exe[1968] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2500] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2500] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3296] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[3296] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Documents and Settings\R\Pulpit\czyszczenie\g___m__e__rt9flnp2e.exe[4000] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\R\Pulpit\czyszczenie\g___m__e__rt9flnp2e.exe[4000] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\notepad.exe[4084] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\notepad.exe[4084] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[944] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[944] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D57F71E0-7369-396B-10DC-7241E7261618} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D57F71E0-7369-396B-10DC-7241E7261618}@jaakbmomgpadafnfjiai 0x62 0x61 0x63 0x61 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D57F71E0-7369-396B-10DC-7241E7261618}@jaakbmomgpadafnfjimh 0x62 0x61 0x63 0x61 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D57F71E0-7369-396B-10DC-7241E7261618}@iaalngofbhhkdfaoie 0x6B 0x61 0x68 0x61 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{D57F71E0-7369-396B-10DC-7241E7261618}@hakkpibblgkmlban 0x6B 0x61 0x68 0x61 ... ---- EOF - GMER 2.1 ----