GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-17 18:34:32 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-8 ST1000DM003-1CH162 rev.CC47 931,51GB Running: dn8odr5z.exe; Driver: C:\DOCUME~1\bb\USTAWI~1\Temp\kgwyyfoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB14F9ACC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xB174F464] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB14FA5AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xB1540620] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB15066A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB15066EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB1506886] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xB153FFD4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB150660E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xB1506730] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB1506656] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xB14FAAE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB1506840] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB14FB398] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB14F9B32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xB1540CE6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB1540F9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB14FEBEA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB1540B51] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB15409BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xB174F53C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xB14F971E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB174F91E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB14F9B98] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB14FEFE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB14FBEDC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB15066CA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB150670E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB15068AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xB1540330] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB1506634] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB14FE4E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB15067BE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB150667E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB14FE8CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB1506864] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB174F6BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xB1540837] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB14FBCF4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB1540689] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB14FB84A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB175CE74] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xB175D7E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xB153F617] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB14F9BFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB14F9C64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xB14FB212] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB14F97B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB14F998A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xB1540DED] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB14F9918] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB14FB562] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB14FB6C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB14F9A12] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB14FB050] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB14FB1F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xB174C906] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB14F9CCA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB14FA606] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D98 80504680 4 Bytes JMP 96B14FEB .text ntkrnlpa.exe!ZwCallbackReturn + 2E88 80504770 4 Bytes [CE, E8, 4F, B1] .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [FE, 9B, 4F, B1, 64, 9C, 4F, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [62, B5, 4F, B1, C4, B6, 4F, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL B14FC5AD \SystemRoot\system32\drivers\aswSnx.sys ? aswVmm.sys Nie można odnaleźć określonego pliku. ! ? aswRvrt.sys Nie można odnaleźć określonego pliku. ! .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB477A3C0, 0x843B7A, 0xE8000020] ? system32\drivers\aswSP.sys System nie może odnaleźć określonej ścieżki. ! ? system32\drivers\aswTdi.sys System nie może odnaleźć określonej ścieżki. ! ? system32\drivers\aswRdr.sys System nie może odnaleźć określonej ścieżki. ! ? system32\drivers\aswSnx.sys System nie może odnaleźć określonej ścieżki. ! ? system32\drivers\aswMonFlt.sys System nie może odnaleźć określonej ścieżki. ! ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Internet Explorer\iexplore.exe[452] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003C01F8 .text C:\Program Files\Internet Explorer\iexplore.exe[452] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003C03FC .text C:\Program Files\Internet Explorer\iexplore.exe[452] KERNEL32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 02E43C10 .text C:\Program Files\Internet Explorer\iexplore.exe[452] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[452] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADC24 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[452] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A7997 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[452] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A78C9 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[452] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A7934 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[452] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A779A C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[452] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A77FC C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[452] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A79FA C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[452] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A785E C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[452] WININET.dll!InternetReadFile 3FD0F5EB 5 Bytes JMP 02E44F50 .text C:\Program Files\Internet Explorer\iexplore.exe[452] WININET.dll!HttpQueryInfoA 3FD1182D 5 Bytes JMP 02E448C0 .text C:\Program Files\Internet Explorer\iexplore.exe[452] WININET.dll!InternetCloseHandle 3FD12128 5 Bytes JMP 02E44FB0 .text C:\Program Files\Internet Explorer\iexplore.exe[452] WININET.dll!InternetQueryDataAvailable 3FD15023 5 Bytes JMP 02E44980 .text C:\Program Files\Internet Explorer\iexplore.exe[452] WININET.dll!InternetReadFileExA 3FD22C09 5 Bytes JMP 02E44E10 .text C:\Program Files\Internet Explorer\iexplore.exe[924] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003C01F8 .text C:\Program Files\Internet Explorer\iexplore.exe[924] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003C03FC .text C:\Program Files\Internet Explorer\iexplore.exe[924] KERNEL32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 02083C10 .text C:\Program Files\Internet Explorer\iexplore.exe[924] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9B99 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D1CD C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADC24 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 406146FC C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A7997 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A78C9 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A7934 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A779A C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A77FC C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A79FA C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A785E C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] ole32.dll!CoCreateInstance 774EF1D4 5 Bytes JMP 406ADC80 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] ole32.dll!OleLoadFromStream 7751988B 5 Bytes JMP 407A7CFF C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[924] WININET.dll!InternetReadFile 3FD0F5EB 5 Bytes JMP 02084F50 .text C:\Program Files\Internet Explorer\iexplore.exe[924] WININET.dll!HttpQueryInfoA 3FD1182D 5 Bytes JMP 020848C0 .text C:\Program Files\Internet Explorer\iexplore.exe[924] WININET.dll!InternetCloseHandle 3FD12128 5 Bytes JMP 02084FB0 .text C:\Program Files\Internet Explorer\iexplore.exe[924] WININET.dll!InternetQueryDataAvailable 3FD15023 5 Bytes JMP 02084980 .text C:\Program Files\Internet Explorer\iexplore.exe[924] WININET.dll!InternetReadFileExA 3FD22C09 5 Bytes JMP 02084E10 .text C:\Program Files\Internet Explorer\iexplore.exe[1700] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 005101F8 .text C:\Program Files\Internet Explorer\iexplore.exe[1700] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 005103FC .text C:\Program Files\Internet Explorer\iexplore.exe[3152] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003C01F8 .text C:\Program Files\Internet Explorer\iexplore.exe[3152] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003C03FC .text C:\Program Files\Internet Explorer\iexplore.exe[3152] KERNEL32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 02B63C10 .text C:\Program Files\Internet Explorer\iexplore.exe[3152] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 405D5545 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] USER32.dll!SetWindowsHookExW 7E37820F 5 Bytes JMP 406A9B99 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] USER32.dll!CallNextHookEx 7E37B3C6 5 Bytes JMP 4069D1CD C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 406ADC24 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] USER32.dll!UnhookWindowsHookEx 7E37D5F3 5 Bytes JMP 406146FC C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 407A7997 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407A78C9 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407A7934 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 407A779A C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 407A77FC C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 407A79FA C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 407A785E C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] ole32.dll!CoCreateInstance 774EF1D4 5 Bytes JMP 406ADC80 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] ole32.dll!OleLoadFromStream 7751988B 5 Bytes JMP 407A7CFF C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\iexplore.exe[3152] WININET.dll!InternetReadFile 3FD0F5EB 5 Bytes JMP 02B64F50 .text C:\Program Files\Internet Explorer\iexplore.exe[3152] WININET.dll!HttpQueryInfoA 3FD1182D 5 Bytes JMP 02B648C0 .text C:\Program Files\Internet Explorer\iexplore.exe[3152] WININET.dll!InternetCloseHandle 3FD12128 5 Bytes JMP 02B64FB0 .text C:\Program Files\Internet Explorer\iexplore.exe[3152] WININET.dll!InternetQueryDataAvailable 3FD15023 5 Bytes JMP 02B64980 .text C:\Program Files\Internet Explorer\iexplore.exe[3152] WININET.dll!InternetReadFileExA 3FD22C09 5 Bytes JMP 02B64E10 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[840] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[840] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???4????????20000???r????????????c????dpci??Tcpip??art??????????????????????????????????????? ??????????????????????????????