GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-05 12:20:32 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 WDC_WD2500BEVS-60UST0 rev.01.01A01 232,89GB Running: r76s6um9.exe; Driver: C:\Users\Klaudia\AppData\Local\Temp\uxliipoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8B6CDACC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x8B78A31C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8B6CE5AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8B6DA67A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8B6DA6C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8B6DA860] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8B6DA5E8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8B78A6F6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8B6DA630] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8B78A986] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8B78AA70] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8B6DA81A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8B6CF398] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8B6CDB32] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwDuplicateObject [0x8B78AB74] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0x8B78A3F4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwLoadDriver [0x8B78778E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8B78A7D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8B6CDB98] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8B6D2FE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8B6CFEDC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8B6DA6A4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8B6DA6E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8B6DA884] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8B6DA60E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8B6D24E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8B6DA798] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8B6DA658] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8B6D28CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8B6DA83E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8B78A574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8B6CFCF4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8B6CFA02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8B6CDBFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8B6CDC64] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8B78A8D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8B6CD7B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8B6CD98A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8B6CD918] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8B6CF562] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8B6CF6C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8B6CDA12] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8B78A642] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8B6CF1F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0x8B7877BE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8B6CDCCA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8B78A4A6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestPort + 14AD 83087BB5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830C1B92 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 830C8F90 4 Bytes [CC, DA, 6C, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 830C8FB8 4 Bytes [1C, A3, 78, 8B] {SBB AL, 0xa3; JS 0xffffff8f} .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 830C9018 4 Bytes [AA, E5, 6C, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 830C906C 8 Bytes [7A, A6, 6D, 8B, C6, A6, 6D, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 830C9078 4 Bytes [60, A8, 6D, 8B] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 83286B07 4 Bytes CALL 8B6D05C3 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 832A09A9 4 Bytes CALL 8B6D05D9 \SystemRoot\system32\drivers\aswSnx.sys ? System32\Drivers\spbm.sys System nie może odnaleźć określonej ścieżki. ! .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9281E000, 0x2D5378, 0xE8000020] ? C:\Users\Klaudia\AppData\Local\Temp\ALSysIO.sys Nie można odnaleźć określonego pliku. ! ? \Program Files\DAEMON Tools Lite\Engine.dll System nie może odnaleźć określonej ścieżki. ! ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\avastui.exe[3460] kernel32.dll!SetUnhandledExceptionFilter 75BCF5FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Pando Networks\Media Booster\PMB.exe[3468] kernel32.dll!SetUnhandledExceptionFilter 75BCF5FB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Windows\system32\msiexec.exe[3728] ntdll.dll!NtMapViewOfSection 76F75C80 5 Bytes JMP 7FF938B1 .text C:\Windows\system32\msiexec.exe[3728] ws2_32.dll!GetAddrInfoW 75E14889 5 Bytes JMP 7FF943BD ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 866C31F8 Device \Driver\volmgr \Device\VolMgrControl 859DE1F8 Device \Driver\usbohci \Device\USBPDO-0 86E1A1F8 Device \Driver\usbohci \Device\USBPDO-1 86E1A1F8 Device \Driver\sptd \Device\2782422181 spbm.sys Device \Driver\usbehci \Device\USBPDO-2 86E161F8 Device \Driver\usbohci \Device\USBPDO-3 86E1A1F8 Device \Driver\usbohci \Device\USBPDO-4 86E1A1F8 Device \Driver\PCI_PNP6175 \Device\00000061 spbm.sys Device \Driver\usbehci \Device\USBPDO-5 86E161F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{F1285FE9-1AA3-410B-A64D-EF3543A70BDC} 86DCB1F8 Device \Driver\volmgr \Device\HarddiskVolume1 859DE1F8 Device \Driver\volmgr \Device\HarddiskVolume2 859DE1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{CAB7FF11-B3DC-439D-94F8-5C755902E517} 86DCB1F8 Device \Driver\cdrom \Device\CdRom0 86CBA1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP2T0L0-4 859E01F8 Device \Driver\atapi \Device\Ide\IdePort0 859E01F8 Device \Driver\atapi \Device\Ide\IdePort1 859E01F8 Device \Driver\atapi \Device\Ide\IdePort2 859E01F8 Device \Driver\atapi \Device\Ide\IdePort3 859E01F8 Device \Driver\atapi \Device\Ide\IdePort4 859E01F8 Device \Driver\atapi \Device\Ide\IdePort5 859E01F8 Device \Driver\atapi \Device\Ide\IdePort6 859E01F8 Device \Driver\atapi \Device\Ide\IdePort7 859E01F8 Device \Driver\msahci \Device\Ide\PciIde1Channel0 859E11F8 Device \Driver\msahci \Device\Ide\PciIde1Channel1 859E11F8 Device \Driver\msahci \Device\Ide\PciIde1Channel2 859E11F8 Device \Driver\msahci \Device\Ide\PciIde1Channel3 859E11F8 Device \Driver\msahci \Device\Ide\PciIde1Channel4 859E11F8 Device \Driver\msahci \Device\Ide\PciIde1Channel5 859E11F8 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-5 859E01F8 Device \Driver\volmgr \Device\HarddiskVolume3 859DE1F8 Device \Driver\cdrom \Device\CdRom1 86CBA1F8 Device \Driver\volmgr \Device\HarddiskVolume4 859DE1F8 Device \Driver\USBSTOR \Device\00000080 86CC91F8 Device \Driver\USBSTOR \Device\00000081 86CC91F8 Device \Driver\NetBT \Device\NetBt_Wins_Export 86DCB1F8 Device \Driver\usbohci \Device\USBFDO-0 86E1A1F8 Device \Driver\usbohci \Device\USBFDO-1 86E1A1F8 Device \Driver\usbehci \Device\USBFDO-2 86E161F8 Device \Driver\usbohci \Device\USBFDO-3 86E1A1F8 Device \Driver\usbohci \Device\USBFDO-4 86E1A1F8 Device \Driver\usbehci \Device\USBFDO-5 86E161F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{900D6670-7AA1-4B3C-9428-3FD71CC99E68} 86DCB1F8 Device \Driver\ativng4a \Device\Scsi\ativng4a1 86F04500 Device \Driver\ativng4a \Device\Scsi\ativng4a1Port8Path0Target0Lun0 86F04500 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys hpdskflt.sys halmacpi.dll >>UNKNOWN [0x859e01f8]<< 859e01f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x868fc268] 868fc268 Trace 3 CLASSPNP.SYS[8b00459e] -> nt!IofCallDriver -> [0x868fc988] 868fc988 Trace 5 hpdskflt.sys[8b3b4f92] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP2T0L0-4[0x86758908] 86758908 Trace \Driver\atapi[0x86771298] -> IRP_MJ_CREATE -> 0x859e01f8 859e01f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{A6B1ED3E-6F12-425F-BF6E-A855791F1D9D}\Connection@Name isatap.{900D6670-7AA1-4B3C-9428-3FD71CC99E68} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{19AF0079-AF11-4989-9C0B-7AB46B589237}?\Device\{24635960-31DA-40F6-84FA-6643C1F3063C}?\Device\{A6B1ED3E-6F12-425F-BF6E-A855791F1D9D}?\Device\{22B94109-9B88-49DC-8A0C-AFE1727FFD12}?\Device\{287E331A-A593-4C93-9627-D8AE836CE7FF}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{19AF0079-AF11-4989-9C0B-7AB46B589237}"?"{24635960-31DA-40F6-84FA-6643C1F3063C}"?"{A6B1ED3E-6F12-425F-BF6E-A855791F1D9D}"?"{22B94109-9B88-49DC-8A0C-AFE1727FFD12}"?"{287E331A-A593-4C93-9627-D8AE836CE7FF}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{19AF0079-AF11-4989-9C0B-7AB46B589237}?\Device\TCPIP6TUNNEL_{24635960-31DA-40F6-84FA-6643C1F3063C}?\Device\TCPIP6TUNNEL_{A6B1ED3E-6F12-425F-BF6E-A855791F1D9D}?\Device\TCPIP6TUNNEL_{22B94109-9B88-49DC-8A0C-AFE1727FFD12}?\Device\TCPIP6TUNNEL_{287E331A-A593-4C93-9627-D8AE836CE7FF}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{A6B1ED3E-6F12-425F-BF6E-A855791F1D9D}@InterfaceName isatap.{900D6670-7AA1-4B3C-9428-3FD71CC99E68} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{A6B1ED3E-6F12-425F-BF6E-A855791F1D9D}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xFD 0x2E 0xDA 0xDA ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF8 0x58 0x62 0x35 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD5 0x56 0xAD 0x10 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 D:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDD 0x5F 0xC1 0xA8 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0xF8 0x58 0x62 0x35 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD5 0x56 0xAD 0x10 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@85E830D4 830 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{EF16B156-F3B6-434D-8EE9-0FBC171536E2} Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EF16B156-F3B6-434D-8EE9-0FBC171536E2} Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EF16B156-F3B6-434D-8EE9-0FBC171536E2}@Path \Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EF16B156-F3B6-434D-8EE9-0FBC171536E2}@Hash 0xF3 0x3E 0x8B 0x5A ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EF16B156-F3B6-434D-8EE9-0FBC171536E2}@Triggers 0x15 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{EF16B156-F3B6-434D-8EE9-0FBC171536E2}@DynamicInfo 0x03 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows\Setup\GWXTriggers\refreshgwxconfig-B@Id {EF16B156-F3B6-434D-8EE9-0FBC171536E2} ---- EOF - GMER 2.1 ----