GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-02 09:41:17 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 HITACHI_ rev.SBDI 111,79GB Running: kwbs6gk4.exe; Driver: C:\DOCUME~1\barbara\USTAWI~1\Temp\fwtdapog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x9E676AD6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x9E8EA806] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x9E6775B4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0x9E6BD770] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x9E6836B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x9E683704] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x9E68389E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0x9E6BD124] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x9E683626] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0x9E683748] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x9E68366E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0x9E677AEA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x9E683858] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x9E6783A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x9E676B3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0x9E6BDE36] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0x9E6BE0EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x9E67BBF2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0x9E6BDCA1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0x9E6BDB0C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0x9E8EA8DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x9E676728] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x9E8EACC0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x9E676BA2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x9E67BFE8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x9E678EE6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x9E6836E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x9E683726] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x9E6838C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0x9E6BD480] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x9E68364C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x9E67B4EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x9E6837D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x9E683696] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x9E67B8D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x9E68387C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x9E8EAA5E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0x9E6BD987] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x9E678CFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0x9E6BD7D9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0x9E678854] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0x9E8F8D08] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0x9E8F96CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0x9E6BC767] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x9E676C08] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x9E676C6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0x9E67821C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x9E6767C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x9E676994] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0x9E6BDF3D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x9E676922] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x9E67856C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x9E6786CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x9E676A1C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0x9E67805A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x9E6781FC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0x9E8E7A9E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x9E676CD4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x9E677610] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D5C 80504644 8 Bytes [EA, 7A, 67, 9E, 58, 38, 68, ...] {JMP FAR 0x6838:0x589e677a; SAHF } .text ntkrnlpa.exe!ZwCallbackReturn + 2E44 8050472C 8 Bytes [E8, BF, 67, 9E, E6, 8E, 67, ...] {CALL 0xe69e67c4; MOV FS, [EDI-0x62]} .text ntkrnlpa.exe!ZwCallbackReturn + 2E70 80504758 4 Bytes [EA, B4, 67, 9E] .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [08, 6C, 67, 9E, 6E, 6C, 67, ...] {OR [EDI-0x62], CH; OUTS DX, BYTE [ESI]; INS BYTE [ES:EDI], DX; SAHF ; SBB AL, 0x82; SAHF } .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [6C, 85, 67, 9E, CE, 86, 67, ...] {INS BYTE [ES:EDI], DX; TEST [EDI-0x62], ESP; INTO ; XCHG [EDI-0x62], AH; SBB AL, 0x6a; SAHF } PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL 9E6795B7 \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[276] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\afwServ.exe[352] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3348] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[1208] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[1208] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- Device \Driver\Tcpip \Device\Ip aswStmXP.sys AttachedDevice \Driver\Tcpip \Device\Ip aswNdis2.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 mouclass.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys Device \Driver\Tcpip \Device\Tcp aswStmXP.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswNdis2.sys Device \Driver\Tcpip \Device\Udp aswStmXP.sys AttachedDevice \Driver\Tcpip \Device\Udp aswNdis2.sys Device \Driver\Tcpip \Device\RawIp aswStmXP.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswNdis2.sys Device \Driver\Tcpip \Device\IPMULTICAST aswStmXP.sys Device mrxsmb.sys Device Fastfat.SYS AttachedDevice fltmgr.sys Device Cdfs.SYS Device DLAIFS_M.SYS ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 349966 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{81F7F71E-893D-4CA2-A623-2FD99D118360}@DhcpRetryStatus 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8E2A03C0-A30B-4CF5-93EB-B97E2C0FED98}@DhcpRetryTime 314 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{8E2A03C0-A30B-4CF5-93EB-B97E2C0FED98}@DhcpRetryStatus 1 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----