GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-24 22:12:13
Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1200JB-00GVA0 rev.08.02D08 111,79GB
Running: 1g9tibch.exe; Driver: C:\DOCUME~1\Jan\USTAWI~1\Temp\fgtdypow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xAFA99AD6]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xB00D283C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xAFA9A5B4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xAFAE06A0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xAFAA66B8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xAFAA6704]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xAFAA689E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xAFAE0054]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xAFAA6626]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xAFAA6748]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xAFAA666E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xAFA9AAEA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xAFAA6858]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xAFA9B3A2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xAFA99B3C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xAFAE0D66]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xAFAE101C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xAFA9EBF2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xAFAE0BD1]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xAFAE0A3C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xB00D2914]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xAFA99728]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB00D2CF6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xAFA99BA2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xAFA9EFE8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xAFA9BEE6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xAFAA66E2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xAFAA6726]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xAFAA68C2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xAFAE03B0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xAFAA664C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xAFA9E4EA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xAFAA67D6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xAFAA6696]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xAFA9E8D6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xAFAA687C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB00D2A94]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xAFAE08B7]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xAFA9BCFE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xAFAE0709]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xAFA9B854]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB00E0B28]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xB00E14EC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xAFADF697]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xAFA99C08]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xAFA99C6E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xAFA9B21C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xAFA997C2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xAFA99994]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xAFAE0E6D]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xAFA99922]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xAFA9B56C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xAFA9B6CE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xAFA99A1C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xAFA9B05A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xAFA9B1FC]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xB00CFAD4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xAFA99CD4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xAFA9A610]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2C6C 80503A40 8 Bytes [EA, AA, A9, AF, 58, 68, AA, ...] {JMP FAR 0xaa68:0x58afa9aa; SCASD }
.text ntkrnlpa.exe!ZwCallbackReturn + 2D54 80503B28 8 Bytes [E8, EF, A9, AF, E6, BE, A9, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2D80 80503B54 4 Bytes JMP D6AFA9E4
.text ntkrnlpa.exe!ZwCallbackReturn + 2D98 80503B6C 4 Bytes [D6, E8, A9, AF]
.text ntkrnlpa.exe!ZwCallbackReturn + 2EE4 80503CB8 12 Bytes [08, 9C, A9, AF, 6E, 9C, A9, ...]
.text ...
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A4F7E 4 Bytes CALL AFA9C5B7 \SystemRoot\system32\drivers\aswSnx.sys
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB86FC000, 0x1C5DC8, 0xE8000020]
? System32\Drivers\hiber_WMILIB.SYS System nie może odnaleźć określonej ścieżki. !

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Avast\AvastSvc.exe[1732] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\Avast\AvastUI.exe[3460] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\Real\RealPlayer\update\realsched.exe[3468] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4}

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002
IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000

---- Devices - GMER 2.1 ----

Device \Driver\Tcpip \Device\Ip aswStmXP.sys
Device \Driver\Tcpip \Device\Tcp aswStmXP.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.sys
Device \Driver\Tcpip \Device\Udp aswStmXP.sys
Device \Driver\Tcpip \Device\RawIp aswStmXP.sys
Device \Driver\Tcpip \Device\IPMULTICAST aswStmXP.sys

---- EOF - GMER 2.1 ----