GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-07-20 17:59:46 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c ST3320620AS rev.3.AAD 298,09GB Running: gmer.exe; Driver: G:\DOCUME~1\Piotr\USTAWI~1\Temp\pxtdapow.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB173567A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xB1A4CAE2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB1736158] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xB177CD3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB17428F6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB1742942] SSDT \??\G:\WINDOWS\system32\windrvNT.sys ZwCreateFile [0xB16A836A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB1742ADC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xB177C6F0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB1742864] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xB1742986] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB17428AC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xB173668E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB1742A96] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB1736DC0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB17356E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xB177D402] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB177D6B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB173A252] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB177D26D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB177D0D8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xB1A4CBBA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwGetContextThread [0xB1737652] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xB17352CC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB1A4CF9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB1735746] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB173A648] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB1737BE4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB1742920] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB1742964] SSDT \??\G:\WINDOWS\system32\windrvNT.sys ZwOpenFile [0xB16A8CD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB1742B00] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xB177CA4C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB174288A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB1739B2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB1742A14] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB17428D4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB1739F20] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB1742ABA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB1A4CD3A] SSDT \??\G:\WINDOWS\system32\windrvNT.sys ZwQueryDirectoryFile [0xB16A8842] SSDT \??\G:\WINDOWS\system32\windrvNT.sys ZwQueryInformationProcess [0xB16A51E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xB177CF53] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB17379FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB177CDA5] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB17373EA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB1A5AF10] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xB1A5B8DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xB177BD33] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwResumeProcess [0xB1736F8A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwResumeThread [0xB1737196] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB17357AC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB1735812] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xB173777C] SSDT \??\G:\WINDOWS\system32\windrvNT.sys ZwSetInformationFile [0xB16A9142] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB1735366] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB1735538] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xB177D509] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB17354C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB1737090] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB17372C0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB17355C0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB1736BFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB1736DA0] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xB1A49D7A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB1735878] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB17361B4] ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D14 805045FC 16 Bytes [F6, 28, 74, B1, 42, 29, 74, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2E50 80504738 16 Bytes [20, 29, 74, B1, 64, 29, 74, ...] {AND [ECX], CH; JZ 0xffffffb5; SUB [FS:ECX+ESI*4-0x28], ESI; MOV [EDX-0x4f], GS; ADD [EBX], CH; JZ 0xffffffc1} .text ntkrnlpa.exe!ZwCallbackReturn + 2F58 80504840 4 Bytes JMP E0B17373 .text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 805048A0 12 Bytes [33, BD, 77, B1, 8A, 6F, 73, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [AC, 57, 73, B1, 12, 58, 73, ...] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL B173825D \SystemRoot\system32\drivers\aswSnx.sys .text G:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB45FA3C0, 0x9B091A, 0xE8000020] ---- User code sections - GMER 2.2 ---- .text G:\Program Files\AVAST Software\Avast\AvastSvc.exe[1696] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text G:\Program Files\AVAST Software\Avast\AvastUI.exe[2216] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } ---- Devices - GMER 2.2 ---- Device \Driver\Tcpip \Device\Ip aswStmXP.sys Device \Driver\Tcpip \Device\Tcp aswStmXP.sys AttachedDevice \Driver\Tcpip \Device\Tcp GtTdiFltr.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume1 hotcore3.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume2 hotcore3.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume3 hotcore3.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume4 hotcore3.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume5 hotcore3.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume6 hotcore3.sys AttachedDevice \Driver\Ftdisk \Device\HarddiskVolume7 hotcore3.sys Device \Driver\Tcpip \Device\Udp aswStmXP.sys Device \Driver\Tcpip \Device\RawIp aswStmXP.sys Device \Driver\Tcpip \Device\IPMULTICAST aswStmXP.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@D:\Program Files (x86)\LucasArts\LEGO\xae Indiana Jones\x2122 2\Audio\Audio.CFG 2 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@D:\Program Files (x86)\LucasArts\LEGO\xae Indiana Jones\x2122 2\Audio\_CutScenes\AkatorHub_Intro.ogg 2 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@D:\Program Files (x86)\LucasArts\LEGO\xae Indiana Jones\x2122 2\Audio\_Music\1_0_HUB_1Nepal_Qui.ogg 2 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\SharedDlls@D:\Program Files (x86)\LucasArts\LEGO\xae Indiana Jones\x2122 2\Movies\PC\attract.bik 2 Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\WU@FlushCacheFiles ????????? ??????????????????????????????N?????????????r???????N?????????{098f2470-bae0-11cd-b579-08002b30bfeb}??????????????????????????? ????????????????????????"?????????????????? ??????????????e???????????????????????video/mpeg????????????????????^?????????? ??????????????????????????????????????????????????????? ??????????????????????????????????????????????????????? ???????????????????????????????????????????s????????????????????N?????????? ??????????????????????????????N?????????????r???????N?????????{098f2470-bae0-11cd-b579-08002b30bfeb}??????????????????????????? ????????????????????????L??????????????x??? ??????????????????????????????N???&???????????????????????{c5a40261-cd64-4ccf-84cb-c394da41d590}??????????????? ????????????????????????"?????????????g???? ??????????????e???video???????????????????????????video/mpeg????????????????????????????d?????????? ??????????????????????????????????????????????????????? ???????????????????????????????????????????????0???W??? ???????????????????????????? ???? Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00DD39A5-A21B-430F-3B2F-459FA24CF7F2} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00DD39A5-A21B-430F-3B2F-459FA24CF7F2}@hahbdbpbogdapdgc 0x70 0x61 0x66 0x62 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{00DD39A5-A21B-430F-3B2F-459FA24CF7F2}@jaabacpdlgdjfdmlnijh 0x6F 0x61 0x63 0x63 ... ---- EOF - GMER 2.2 ----