GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-08-08 13:12:16
Windows 5.1.2600 Dodatek Service Pack 2
\Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK1637GSX rev.DL040D 149,05GB
Running: zpnfivk1.exe; Driver: C:\DOCUME~1\dtc\USTAWI~1\Temp\fwwdifoc.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwAddBootEntry [0xA94AF9CA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwAllocateVirtualMemory [0xA9504A68]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwClose [0xA94CFAF5]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateEvent [0xA94B1EAC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateEventPair [0xA94B1F04]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateIoCompletion [0xA94B201A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateKey [0xA94CF4A9]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateMutant [0xA94B1E02]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateSection [0xA94B1F54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateSemaphore [0xA94B1E56]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateTimer [0xA94B1FC8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwDeleteBootEntry [0xA94AF9EE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwDeleteKey [0xA94D01BB]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwDeleteValueKey [0xA94D0471]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwDuplicateObject [0xA94B229E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwEnumerateKey [0xA94D0026]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwEnumerateValueKey [0xA94CFE91]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwFreeVirtualMemory [0xA9504B18]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwLoadDriver [0xA94AF7B8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwModifyBootEntry [0xA94AFA12]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwNotifyChangeKey [0xA94B2412]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwNotifyChangeMultipleKeys [0xA94B04AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenEvent [0xA94B1EDC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenEventPair [0xA94B1F2C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenIoCompletion [0xA94B2044]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenKey [0xA94CF805]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenMutant [0xA94B1E2E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenProcess [0xA94B20D6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenSection [0xA94B1F94]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenSemaphore [0xA94B1E84]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenThread [0xA94B21BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenTimer [0xA94B1FF2]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwProtectVirtualMemory [0xA9504BB0]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwQueryKey [0xA94CFD0C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwQueryObject [0xA94B0370]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwQueryValueKey [0xA94CFB5E]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwRenameKey [0xA950CE26]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwRestoreKey [0xA94CEB1C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetBootEntryOrder [0xA94AFA36]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetBootOptions [0xA94AFA5A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetSystemInformation [0xA94AF812]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetSystemPowerState [0xA94AF94E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetValueKey [0xA94D02C2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwShutdownSystem [0xA94AF92A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSystemDebugControl [0xA94AF972]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwVdmControl [0xA94AFA7E]

---- Kernel code sections - GMER 2.1 ----

PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A4ECC 4 Bytes CALL A94B0E25 \SystemRoot\System32\Drivers\aswSnx.SYS

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\plugin-container.exe[708] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[708] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[708] USER32.dll!SetPropW + 11B 77D3DECE 7 Bytes JMP 1099D8D4 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[708] USER32.dll!SetWindowLongA + 19 77D3DEEC 7 Bytes JMP 1099D863 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[708] USER32.dll!GetWindowInfo 77D3F122 5 Bytes JMP 107F2A67 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[708] USER32.dll!GetMenuContextHelpId + 1A 77D84F11 7 Bytes JMP 107F306A C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Documents and Settings\dtc\Moje dokumenty\Pobieranie\zpnfivk1.exe[808] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\Documents and Settings\dtc\Moje dokumenty\Pobieranie\zpnfivk1.exe[808] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\firefox.exe[856] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0171EEB0 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[856] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\firefox.exe[856] kernel32.dll!lstrlenW + 43 7C809A7C 7 Bytes JMP 01D2979B C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[856] kernel32.dll!MapViewOfFileEx + 6A 7C80B788 7 Bytes JMP 01D29778 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[856] kernel32.dll!lstrcpyn + 70 7C810381 7 Bytes JMP 01724CE9 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[856] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\Program Files\Mozilla Firefox\firefox.exe[856] GDI32.dll!SetWindowOrgEx + 15E 77F1960B 7 Bytes JMP 01D296F9 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Documents and Settings\dtc\Moje dokumenty\Pobieranie\OTL.exe[976] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\Documents and Settings\dtc\Moje dokumenty\Pobieranie\OTL.exe[976] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\WINDOWS\system32\NOTEPAD.EXE[1192] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\WINDOWS\system32\NOTEPAD.EXE[1192] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\WINDOWS\system32\wscntfy.exe[2180] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\WINDOWS\system32\wscntfy.exe[2180] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\WINDOWS\system32\WLTRAY.exe[2564] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\WINDOWS\system32\WLTRAY.exe[2564] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[2652] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\Program Files\Intel\Wireless\bin\ZCfgSvc.exe[2652] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2792] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\Program Files\Intel\Wireless\Bin\ifrmewrk.exe[2792] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\WINDOWS\notepad.exe[2852] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\WINDOWS\notepad.exe[2852] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\WINDOWS\system32\igfxsrvc.exe[3072] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\WINDOWS\system32\igfxsrvc.exe[3072] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\WINDOWS\system32\hkcmd.exe[3144] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\WINDOWS\system32\hkcmd.exe[3144] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\WINDOWS\system32\igfxpers.exe[3152] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\WINDOWS\system32\igfxpers.exe[3152] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\Documents and Settings\dtc\riuom.exe[3196] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\Documents and Settings\dtc\riuom.exe[3196] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\WINDOWS\system32\ctfmon.exe[3248] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\WINDOWS\system32\ctfmon.exe[3248] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\Documents and Settings\dtc\gaigaen.exe[3280] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\Documents and Settings\dtc\gaigaen.exe[3280] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3480] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3480] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text J:\riUoM.exE[3544] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text J:\riUoM.exE[3544] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]
.text C:\WINDOWS\notepad.exe[3712] kernel32.dll!TerminateProcess 7C801E16 1 Byte [C3]
.text C:\WINDOWS\notepad.exe[3712] kernel32.dll!TerminateThread 7C81CACB 1 Byte [C3]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\services.exe[880] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002
IAT C:\WINDOWS\system32\services.exe[880] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\Ntfs \Ntfs aswMon2.SYS
AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS
AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys
AttachedDevice \FileSystem\Fastfat \Fat aswMon2.SYS

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???`?s???h???????S??????????????sr??Parport??J??? ???????h???????????h???????????????????????????h??????????????????0????????????????`???????????????????? ????????????????????? ???????????????????? ???????g?????h?????a??????????j?0?????????Windows Driver Foundation - User-mode Driver Framework Platform Driver?ams?????h?????h??Konserwuje ??cza mi?dzy plikami systemu NTFS w komputerze lub komputerach w domenie sieciowej.??????RpcSs?Ndisuio??ebc??? ???????5????????????`??w???2??????Ht??? ???????h???????????h???????????????????????????h???s??????????????0????????????????`???????????????????? ????????????????????? ???????????????M???? ???????g?????h?????????? ???????1?????????"{DD80F2B2-BB88-465F-8E8E-2DA33D7C4AE4}"?"{BDC33A65-A53E-4AC9-A555-8138C0F6C515}"??{BDC33A65-A53E-4AC9-A555-8138C0F6C515}"??{BDC33A65-A53E-4AC9-A555-8138C0F6C515}"??C???????g???????????????????????J?J?J???????????J?J?J???{?{?{??? ???h??????????????192.168.0.1?255?????? ??????????????pm??C:\WINDOWS\system32\w32time.dll??????h?????????????????

---- EOF - GMER 2.1 ----