GMER 1.0.15.15281 - http://www.gmer.net Rootkit scan 2010-08-30 11:09:34 Windows 6.1.7600 Running: cvieknhf.exe; Driver: E:\Users\Damian\AppData\Local\Temp\awworpog.sys ---- System - GMER 1.0.15 ---- INT 0x1F \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83030AF8 INT 0x37 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83030104 INT 0xC1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830303F4 INT 0xD1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83018634 INT 0xD2 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83018898 INT 0xDF \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830301DC INT 0xE1 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83030958 INT 0xE3 \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830306F8 INT 0xFD \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 83030F2C INT 0xFE \SystemRoot\system32\halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) 830311A8 Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8B9DDB9C] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8B9DD9C0] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8B9DDAFA] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 82C49599 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C6DF52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} PAGE ntkrnlpa.exe!ZwLoadDriver 82DA7291 2 Bytes JMP 8B9DDAFE \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!ZwLoadDriver + 3 82DA7294 4 Bytes [C3, 08, CC, CC] {RET ; OR AH, CL; INT 3 } PAGE ntkrnlpa.exe!ObMakeTemporaryObject 82E0EFBF 5 Bytes JMP 8B9D95B4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!ObInsertObject + 27 82E28CF3 5 Bytes JMP 8B9DAFD2 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!NtCreateSection 82E36D63 7 Bytes JMP 8B9DD9C4 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 82EE0EAC 7 Bytes JMP 8B9DDBA0 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) .text E:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91404000, 0x31BA76, 0xE8000020] .text peauth.sys B3239C9D 28 Bytes [DE, 39, B0, 69, D9, A7, EB, ...] .text peauth.sys B3239CC1 28 Bytes [DE, 39, B0, 69, D9, A7, EB, ...] PAGE peauth.sys B324002C 102 Bytes [81, F4, EF, 80, 01, 5F, D5, ...] ? E:\Users\Damian\AppData\Local\Temp\mbr.sys Nie można odnaleźć określonego pliku. ! ? E:\Windows\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. ! PAGE spsys.sys!?SPRevision@@3PADA + 4F90 BC022000 86 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...] PAGE spsys.sys!?SPRevision@@3PADA + 4FE7 BC022057 203 Bytes [5E, C3, 8B, FF, 55, 8B, EC, ...] PAGE spsys.sys!?SPRevision@@3PADA + 50B3 BC022123 486 Bytes [D5, 01, BC, FE, 05, 34, D5, ...] PAGE spsys.sys!?SPRevision@@3PADA + 529A BC02230A 80 Bytes [01, BC, 3B, 08, 77, 04, 3B, ...] PAGE spsys.sys!?SPRevision@@3PADA + 52EB BC02235B 61 Bytes [33, C5, 89, 45, FC, 8B, 45, ...] PAGE ... .text autochk.exe 004111D1 46 Bytes [44, 8F, 18, 8B, 44, 8E, 14, ...] .text autochk.exe 00411203 10 Bytes [03, F0, 03, F8, FF, 24, 95, ...] .text autochk.exe 0041120E 5 Bytes [8B, FF, 20, 12, 41] {MOV EDI, EDI; AND [EDX], DL; INC ECX} .text autochk.exe 00411214 3 Bytes [28, 12, 41] {SUB [EDX], DL; INC ECX} .text autochk.exe 00411218 3 Bytes [38, 12, 41] {CMP [EDX], DL; INC ECX} .text ... ---- User code sections - GMER 1.0.15 ---- .text E:\Program Files\Winamp\winamp.exe[5176] USER32.dll!SetScrollRange 7652AE3C 5 Bytes JMP 0508C759 E:\Program Files\Winamp\Plugins\gen_jumpex.dll .text E:\Program Files\Winamp\winamp.exe[5176] USER32.dll!GetScrollInfo 76535151 7 Bytes JMP 0508C68B E:\Program Files\Winamp\Plugins\gen_jumpex.dll .text E:\Program Files\Winamp\winamp.exe[5176] USER32.dll!SetScrollInfo 76536632 7 Bytes JMP 0508C703 E:\Program Files\Winamp\Plugins\gen_jumpex.dll .text E:\Program Files\Winamp\winamp.exe[5176] USER32.dll!GetScrollRange 76551B6C 5 Bytes JMP 0508C6D8 E:\Program Files\Winamp\Plugins\gen_jumpex.dll .text E:\Program Files\Winamp\winamp.exe[5176] USER32.dll!SetScrollPos 76551BD0 5 Bytes JMP 0508C72E E:\Program Files\Winamp\Plugins\gen_jumpex.dll .text E:\Program Files\Winamp\winamp.exe[5176] USER32.dll!GetScrollPos 7655252B 5 Bytes JMP 0508C6B3 E:\Program Files\Winamp\Plugins\gen_jumpex.dll .text E:\Program Files\Winamp\winamp.exe[5176] USER32.dll!EnableScrollBar 7655386D 7 Bytes JMP 0508C663 E:\Program Files\Winamp\Plugins\gen_jumpex.dll .text E:\Program Files\Winamp\winamp.exe[5176] USER32.dll!ShowScrollBar 76555785 5 Bytes JMP 0508C787 E:\Program Files\Winamp\Plugins\gen_jumpex.dll .text E:\Program Files\Mozilla Firefox\firefox.exe[5204] ntdll.dll!LdrLoadDll 77A7F625 5 Bytes JMP 011A13F0 E:\Program Files\Mozilla Firefox\firefox.exe (Firefox/Mozilla Corporation) ---- Devices - GMER 1.0.15 ---- AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) AttachedDevice \Driver\volmgr \Device\HarddiskVolume1 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume2 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\volmgr \Device\HarddiskVolume3 fvevol.sys (BitLocker Drive Encryption Driver/Microsoft Corporation) AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software) Device \Driver\ACPI_HAL \Device\0000005e halmacpi.dll (Hardware Abstraction Layer DLL/Microsoft Corporation) ---- Registry - GMER 1.0.15 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{E7A2F428-F16F-42D7-8842-D97F2A3BA091}\Connection@Name isatap.{08A0DBF0-BC2D-47D0-9549-46E316278F9F} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{E7A2F428-F16F-42D7-8842-D97F2A3BA091}?\Device\{DA1967EC-4CCB-4D27-A709-6526BB249629}?\Device\{32F76CC0-46D4-4008-A9CC-81DF0749A558}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{E7A2F428-F16F-42D7-8842-D97F2A3BA091}"?"{DA1967EC-4CCB-4D27-A709-6526BB249629}"?"{32F76CC0-46D4-4008-A9CC-81DF0749A558}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{E7A2F428-F16F-42D7-8842-D97F2A3BA091}?\Device\TCPIP6TUNNEL_{DA1967EC-4CCB-4D27-A709-6526BB249629}?\Device\TCPIP6TUNNEL_{32F76CC0-46D4-4008-A9CC-81DF0749A558}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{E7A2F428-F16F-42D7-8842-D97F2A3BA091}@InterfaceName isatap.{08A0DBF0-BC2D-47D0-9549-46E316278F9F} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{E7A2F428-F16F-42D7-8842-D97F2A3BA091}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6E 0x84 0x98 0xEB ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x6E 0x84 0x98 0xEB ... ---- EOF - GMER 1.0.15 ----