GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-29 00:48:58 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Maxtor_6V080E0 rev.VA111630 76,33GB Running: 4zh90hd4.exe; Driver: C:\DOCUME~1\Myron\USTAWI~1\Temp\kgrcyfow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwAddBootEntry [0xAB7BF59C] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwAllocateVirtualMemory [0xAB873388] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwAssignProcessToJobObject [0xAB7C002E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwClose [0xAB803316] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateEvent [0xAB7CB7F2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateEventPair [0xAB7CB83E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateIoCompletion [0xAB7CB9D8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateKey [0xAB802CCA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateMutant [0xAB7CB760] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateSection [0xAB7CB882] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateSemaphore [0xAB7CB7A8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateThread [0xAB7C052C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateTimer [0xAB7CB992] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwDebugActiveProcess [0xAB7C0DE4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwDeleteBootEntry [0xAB7BF602] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwDeleteKey [0xAB8039DC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwDeleteValueKey [0xAB803C92] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwDuplicateObject [0xAB7C45C2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwEnumerateKey [0xAB803847] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwEnumerateValueKey [0xAB8036B2] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwFreeVirtualMemory [0xAB873450] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwLoadDriver [0xAB7BF1EA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwModifyBootEntry [0xAB7BF668] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwNotifyChangeKey [0xAB7C498C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwNotifyChangeMultipleKeys [0xAB7C1874] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenEvent [0xAB7CB81C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenEventPair [0xAB7CB860] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenIoCompletion [0xAB7CB9FC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenKey [0xAB803026] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenMutant [0xAB7CB786] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenProcess [0xAB7C3EA8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenSection [0xAB7CB910] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenSemaphore [0xAB7CB7D0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenThread [0xAB7C429A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenTimer [0xAB7CB9B6] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwProtectVirtualMemory [0xAB8735B0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwQueryKey [0xAB80352D] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwQueryObject [0xAB7C1740] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwQueryValueKey [0xAB80337F] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwQueueApcThread [0xAB7C1296] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwRenameKey [0xAB8804DA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwRestoreKey [0xAB802310] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetBootEntryOrder [0xAB7BF6CE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetBootOptions [0xAB7BF734] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetContextThread [0xAB7C0C5E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetSystemInformation [0xAB7BF284] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetSystemPowerState [0xAB7BF45A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetValueKey [0xAB803AE3] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwShutdownSystem [0xAB7BF3E8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSuspendProcess [0xAB7C0FAE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSuspendThread [0xAB7C1110] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSystemDebugControl [0xAB7BF4E2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwTerminateProcess [0xAB7C0A9C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwTerminateThread [0xAB7C0C3E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwUnloadDriver [0xAB8719E4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwVdmControl [0xAB7BF79A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwWriteVirtualMemory [0xAB7C008A] Code \SystemRoot\System32\Drivers\aswSP.SYS ZwCreateProcessEx [0xAB88CBA0] Code \SystemRoot\System32\Drivers\aswSP.SYS ObInsertObject Code \SystemRoot\System32\Drivers\aswSP.SYS ObMakeTemporaryObject ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D48 805045D4 4 Bytes JMP 82AB7BF1 .text ntkrnlpa.exe!ZwCallbackReturn + 2F10 8050479C 12 Bytes [CE, F6, 7B, AB, 34, F7, 7B, ...] {INTO ; IDIV BYTE [EBX-0x55]; XOR AL, 0xf7; JNP 0xffffffb3; POP ESI; OR AL, 0x7c; STOSD } .text ntkrnlpa.exe!ZwCallbackReturn + 2FA8 80504834 4 Bytes CALL D8FBC42C .text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 12 Bytes [AE, 0F, 7C, AB, 10, 11, 7C, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A648C 4 Bytes CALL AB7C1F21 \SystemRoot\System32\Drivers\aswSnx.SYS PAGE ntkrnlpa.exe!ObMakeTemporaryObject 805BC512 5 Bytes JMP AB889A3A \SystemRoot\System32\Drivers\aswSP.SYS PAGE ntkrnlpa.exe!ObInsertObject 805C2F96 5 Bytes JMP AB88B554 \SystemRoot\System32\Drivers\aswSP.SYS PAGE ntkrnlpa.exe!ZwCreateProcessEx 805D1136 7 Bytes JMP AB88CBA4 \SystemRoot\System32\Drivers\aswSP.SYS .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB4C7D3A0, 0x83C195, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\svchost.exe[216] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[216] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Java\jre7\bin\jqs.exe[260] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Java\jre7\bin\jqs.exe[260] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[316] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[316] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[520] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[520] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[708] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[760] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[760] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[784] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[784] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\services.exe[828] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\services.exe[828] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[840] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[840] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\nvsvc32.exe[1012] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\nvsvc32.exe[1012] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1036] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1036] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1144] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1144] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1184] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1184] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1204] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Ahead\InCD\InCDsrv.exe[1204] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1332] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1332] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1400] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1400] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1460] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1460] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1556] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1556] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1612] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1612] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1616] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1616] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1744] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1744] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe[1900] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Linksys\Compact Wireless-G USB Adapter Wireless Network Monitor\WLService.exe[1900] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\RUNDLL32.EXE[1912] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\RUNDLL32.EXE[1912] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe[1928] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\ASUS\EPU-4 Engine\FourEngine.exe[1928] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[1936] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[1936] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\PROGRA~1\NEOSTR~1\CnxMon.exe[1956] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\PROGRA~1\NEOSTR~1\CnxMon.exe[1956] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[1964] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Thomson\SpeedTouch USB\Dragdiag.exe[1964] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe[1972] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\PROGRA~1\NEOSTR~1\TaskbarIcon.exe[1972] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\avastUI.exe[1980] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\avastUI.exe[1980] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1996] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[1996] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[2012] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[2012] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2204] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiapsrv.exe[2204] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2264] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2264] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[2368] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[2368] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Documents and Settings\Myron\Pulpit\4zh90hd4.exe[2476] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Documents and Settings\Myron\Pulpit\4zh90hd4.exe[2476] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[828] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[828] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS AttachedDevice \Driver\Tcpip \Device\Ip {9edd0ea8-2819-47c2-8320-b007d5996f8a}Gt.sys AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.SYS AttachedDevice \Driver\Tcpip \Device\Tcp tcpipBM.sys AttachedDevice \Driver\Tcpip \Device\Tcp {9edd0ea8-2819-47c2-8320-b007d5996f8a}Gt.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.SYS AttachedDevice \Driver\Tcpip \Device\Udp {9edd0ea8-2819-47c2-8320-b007d5996f8a}Gt.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.SYS AttachedDevice \Driver\Tcpip \Device\RawIp {9edd0ea8-2819-47c2-8320-b007d5996f8a}Gt.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.SYS Device InCDfs.SYS ---- EOF - GMER 2.1 ----