GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-02 17:43:55 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST9250410AS rev.0003HPM1 232,89GB Running: n0nv5kgh.exe; Driver: C:\DOCUME~1\user\USTAWI~1\Temp\uxtdapow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xAC1A2ACC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xAC51331C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xAC1A35AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xAC1E9600] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xAC1AF67A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xAC1AF6C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xAC1AF860] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xAC1E8FB4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xAC1AF5E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xAC1AF70A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xAC1AF630] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xAC1A3AE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xAC1AF81A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xAC1A4398] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xAC1A2B32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xAC1E9CC6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xAC1E9F7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xAC1A7BEA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xAC1E9B31] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xAC1E999C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xAC5133F4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xAC1A271E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xAC5137D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xAC1A2B98] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xAC1A7FE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xAC1A4EDC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xAC1AF6A4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xAC1AF6E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xAC1AF884] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xAC1E9310] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xAC1AF60E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xAC1A74E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xAC1AF798] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xAC1AF658] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xAC1A78CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xAC1AF83E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xAC513574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xAC1E9817] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xAC1A4CF4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xAC1E9669] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xAC1A484A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xAC520D24] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xAC521690] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xAC1E85F7] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xAC1A2BFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xAC1A2C64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xAC1A4212] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xAC1A27B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xAC1A298A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xAC1E9DCD] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xAC1A2918] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xAC1A4562] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xAC1A46C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xAC1A2A12] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xAC1A4050] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xAC1A41F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xAC5107BE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xAC1A2CCA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xAC1A3606] INT 0x62 ? 8AB51CC8 INT 0x63 ? 8AB51CC8 INT 0x63 ? 8AB51CC8 INT 0x63 ? 8A912F00 INT 0x63 ? 8A912F00 INT 0x63 ? 8AB51CC8 INT 0x73 ? 8A912F00 INT 0x82 ? 8AB51CC8 INT 0x84 ? 8A912F00 INT 0x94 ? 8A912F00 INT 0xA4 ? 8A912F00 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2C70 805044FC 4 Bytes [E8, F5, 1A, AC] .text ntkrnlpa.exe!ZwCallbackReturn + 2CD4 80504560 4 Bytes JMP 88AC1A7B .text ntkrnlpa.exe!ZwCallbackReturn + 2F10 8050479C 12 Bytes [FE, 2B, 1A, AC, 64, 2C, 1A, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 12 Bytes [62, 45, 1A, AC, C4, 46, 1A, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A648C 4 Bytes CALL AC1A55AD \SystemRoot\system32\drivers\aswSnx.sys .sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xB9F6E346] .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8D0B000, 0x1BDE76, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[408] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[992] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[1288] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[1288] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8AB821F8 AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Wdf01000.sys Device \Driver\usbuhci \Device\USBPDO-0 8A908360 Device \Driver\usbuhci \Device\USBPDO-1 8A908360 Device \Driver\usbehci \Device\USBPDO-2 8A8F71F8 Device \Driver\usbuhci \Device\USBPDO-3 8A908360 Device \Driver\usbuhci \Device\USBPDO-4 8A908360 AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys Device \Driver\usbehci \Device\USBPDO-5 8A8F71F8 Device \Driver\usbuhci \Device\USBPDO-6 8A908360 Device \Driver\usbuhci \Device\USBPDO-7 8A908360 Device \Driver\Cdrom \Device\CdRom0 8A76B1F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [B9DDDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [B9DDDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [B9DDDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort2 [B9DDDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort3 [B9DDDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-12 [B9DDDB40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 8A7171F8 Device \Driver\NetBT \Device\NetbiosSmb 8A7171F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{9546C111-48B7-4CFA-994C-E713B79B81CA} 8A7171F8 AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys Device \Driver\usbuhci \Device\USBFDO-0 8A908360 Device \Driver\usbuhci \Device\USBFDO-1 8A908360 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 89B1E1F8 Device \Driver\usbuhci \Device\USBFDO-2 8A908360 Device \FileSystem\MRxSmb \Device\LanmanRedirector 89B1E1F8 Device \Driver\usbehci \Device\USBFDO-3 8A8F71F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{E3F66025-C9A4-4387-BC62-6674403FED0A} 8A7171F8 Device \Driver\usbuhci \Device\USBFDO-4 8A908360 Device \Driver\usbuhci \Device\USBFDO-5 8A908360 Device \Driver\NetBT \Device\NetBT_Tcpip_{D943668F-A2C8-4361-BB91-81E8F556EAE8} 8A7171F8 Device \Driver\usbuhci \Device\USBFDO-6 8A908360 Device \Driver\usbehci \Device\USBFDO-7 8A8F71F8 Device \Driver\imagedrv \Device\Scsi\imagedrv1 8AB831F8 Device \FileSystem\Cdfs \Cdfs 89A89430 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x37 0x7C 0x6F 0xD2 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x13 0x8E 0xB6 0x76 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x37 0x7C 0x6F 0xD2 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x37 0x7C 0x6F 0xD2 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x13 0x8E 0xB6 0x76 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x47 0xC6 0xB2 0x99 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2E 0xF9 0x29 0xBE ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD9 0x34 0x8A 0x73 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x13 0x8E 0xB6 0x76 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x47 0xC6 0xB2 0x99 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2E 0xF9 0x29 0xBE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD9 0x34 0x8A 0x73 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 1 Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x13 0x8E 0xB6 0x76 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x47 0xC6 0xB2 0x99 ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x2E 0xF9 0x29 0xBE ... Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet006\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xD9 0x34 0x8A 0x73 ... ---- EOF - GMER 2.1 ----