GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2012-10-28 19:39:25
Windows 5.1.2600 Dodatek Service Pack 3 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 SAMSUNG_HD502HJ rev.1AJ10001
Running: i4xb4jrk.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\pwndraow.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xA85BBCAE]
SSDT BA7C53D4 ZwClose
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xA85BDB34]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xA85BDB8C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xA85BDCA2]
SSDT BA7C538E ZwCreateKey
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xA85BDA8A]
SSDT BA7C53DE ZwCreateSection
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xA85BDADE]
SSDT BA7C5384 ZwCreateThread
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xA85BDC50]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xA85BBCD2]
SSDT BA7C5393 ZwDeleteKey
SSDT BA7C539D ZwDeleteValueKey
SSDT BA7C53CF ZwDuplicateObject
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xA85D8ED6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xA85D8D41]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xA85BBADA]
SSDT BA7C53A2 ZwLoadKey
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xA85BBCF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xA85BE548]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xA85BC7F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xA85BDB64]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xA85BDBB4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xA85BDCCC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xA85D86B5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xA85BDAB6]
SSDT BA7C5370 ZwOpenProcess
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xA85BDC1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xA85BDB0C]
SSDT BA7C5375 ZwOpenThread
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xA85BDC7A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xA85D8BBC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xA85BC6BE]
SSDT BA7C53F7 ZwQueryValueKey
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xA860C22E]
SSDT BA7C53AC ZwReplaceKey
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwReplyWaitReceivePort [0xA85BE57E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwReplyWaitReceivePortEx [0xA85BE142]
SSDT BA7C53E8 ZwRequestWaitReplyPort
SSDT BA7C53A7 ZwRestoreKey
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xA85BBD1A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xA85BBD3E]
SSDT BA7C53E3 ZwSetContextThread
SSDT BA7C53ED ZwSetSecurityObject
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xA85BBB34]
SSDT BA7C5398 ZwSetValueKey
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xA85BBC44]
SSDT BA7C53F2 ZwSystemDebugControl
SSDT BA7C537F ZwTerminateProcess

---- Kernel code sections - GMER 1.0.15 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2EFC 805047F4 4 Bytes CALL 990AC44C
.text ntkrnlpa.exe!ZwCallbackReturn + 2F28 80504820 12 Bytes [1A, BD, 5B, A8, 3E, BD, 5B, ...] {SBB BH, [EBP-0x42c157a5]; POP EBX; TEST AL, 0xe3; PUSH EBX; JL 0xffffffffffffffc6}
.text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB5127000, 0x2326C7, 0xE8000020]

---- User code sections - GMER 1.0.15 ----

.text d:\Program Files\Alwil Software\Avast5\AvastSvc.exe[3588] kernel32.dll!SetUnhandledExceptionFilter 7C84495D 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[1108] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[1108] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswFW.SYS (avast! Filtering TDI driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

---- Files - GMER 1.0.15 ----

File C:\WINDOWS\$NtUninstallKB58953$\1764482637 0 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960 0 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\cfg.ini 204 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\Desktop.ini 4608 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\L 0 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\L\eybqtseu 65280 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\twl.dll 223744 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\U 0 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\U\00000001.@ 2048 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\U\00000002.@ 224768 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\U\00000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\U\80000000.@ 66560 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\U\80000004.@ 1024 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\U\80000032.@ 115712 bytes
File C:\WINDOWS\$NtUninstallKB58953$\2338417960\version 866 bytes

---- EOF - GMER 1.0.15 ----