GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-09-13 11:13:29
Windows 5.1.2600 Dodatek Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 Maxtor_6Y080P0 rev.YAR41BW0
Running: doem0jo1.exe; Driver: C:\DOCUME~1\ja\USTAWI~1\Temp\pglcipoc.sys

---- System - GMER 1.0.15 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xF6134374]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xF619B2B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwClose [0xF6158829]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xF6136996]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xF61369EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xF6136B04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xF61581DD]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xF61368EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xF6136A3E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xF6136940]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xF6136AB2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xF6134398]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xF6158EEF]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xF61591A5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xF6136D88]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xF6158D5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xF6158BC5]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0xF619B368]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xF6134162]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xF61343BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xF6136EFC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xF6134E54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xF61369C6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xF6136A16]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xF6136B2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xF6158539]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xF6136918]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xF6136BC0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xF6136A7E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xF613696E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xF6136CA4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xF6136ADC]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xF619B400]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xF6158A40]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xF6134D1A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xF6158892]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwRenameKey [0xF61A36E2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xF6157850]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xF61343E0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xF6134404]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xF61341BC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xF61342F8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xF6158FF6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xF61342D4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xF613431C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xF6134428]

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0xF61B09A6]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntoskrnl.exe!ObInsertObject 805645A3 5 Bytes JMP F61ADE84 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE ntoskrnl.exe!ObMakeTemporaryObject 805A079B 5 Bytes JMP F61AC3DE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 415E BF885ECA 1 Byte [36]

---- User code sections - GMER 1.0.15 ----

.text C:\WINDOWS\system32\spoolsv.exe[384] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\spoolsv.exe[384] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\System32\smss.exe[460] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\csrss.exe[520] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[544] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\winlogon.exe[544] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[596] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\services.exe[596] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[608] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\lsass.exe[608] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[748] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[748] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[756] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[756] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[804] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[804] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[872] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[872] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Program Files\Java\jre7\bin\jqs.exe[920] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Java\jre7\bin\jqs.exe[920] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[956] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\nvsvc32.exe[956] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[980] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[980] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Program Files\3COM\3Com Wireless 108 Mbps 11g USB Utility \lcs.exe[1024] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\3COM\3Com Wireless 108 Mbps 11g USB Utility \lcs.exe[1024] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1080] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\svchost.exe[1080] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1324] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1324] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1324] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1392] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\Explorer.EXE[1392] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1540] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\RUNDLL32.EXE[1540] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1548] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\AVAST Software\Avast\avastUI.exe[1548] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe[1556] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\VIA\VIAudioi\SBADeck\ADeck.exe[1556] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Program Files\Browny02\Brother\BrStMonW.exe[1584] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Browny02\Brother\BrStMonW.exe[1584] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe[1592] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Vimicro Corporation\VMUVC\VMonitor.exe[1592] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1600] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1600] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\SOUNDMAN.EXE[1608] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\SOUNDMAN.EXE[1608] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[1620] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\rundll32.exe[1620] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Program Files\Free Download Manager\fdm.exe[1628] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Free Download Manager\fdm.exe[1628] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[1644] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Brother\ControlCenter3\brccMCtl.exe[1644] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Program Files\Browny02\BrYNSvc.exe[1652] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\Browny02\BrYNSvc.exe[1652] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2492] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\alg.exe[2492] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2656] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2656] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Downloads\doem0jo1.exe[3084] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Downloads\doem0jo1.exe[3084] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[3112] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\system32\wuauclt.exe[3112] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\Program Files\NAPI-PROJEKT\napisy.exe[3416] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\Program Files\NAPI-PROJEKT\napisy.exe[3416] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\notepad.exe[3708] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\notepad.exe[3708] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[4088] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916FCA 1 Byte [62]
.text C:\WINDOWS\System32\svchost.exe[4088] kernel32.dll!GetBinaryTypeW + 80 7C867DFC 1 Byte [62]

---- User IAT/EAT - GMER 1.0.15 ----

IAT C:\WINDOWS\system32\services.exe[596] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[596] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Fastfat \FatCdrom aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
Device \FileSystem\Fastfat \Fat aswSP.SYS (avast! self protection module/AVAST Software)
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS (avast! File System Filter Driver for Windows XP/AVAST Software)

---- Registry - GMER 1.0.15 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00198600247d
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00198600247d@001ca4a47396 0x69 0xCB 0x2F 0x22 ...
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00198600247d (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00198600247d@001ca4a47396 0x69 0xCB 0x2F 0x22 ...

---- EOF - GMER 1.0.15 ----