GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-08-23 18:52:55 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 PLEXTOR_ rev.1.07 119,24GB Running: 4k9lzqxt.exe; Driver: F:\XP\TEMP\kwroapob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB4130BA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB4131684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xB4175D80] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB413D6F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB413D744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB413D8DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xB4175734] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB413D666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xB413D788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB413D6AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xB4131BBA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB413D898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB4132472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB4130C0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xB4176446] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB41766FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB4135C68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB41762B1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB417611C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xB41307F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB4437ED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB4130C72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB413605E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB4132F5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB413D722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB413D766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB413D902] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xB4175A90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB413D68C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB4135560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB413D816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB413D6D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB413594C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB413D8BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB4437C6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xB4175F97] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB4132DCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB4175DE9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB4132924] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB4445E1A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xB4174D77] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB4130CD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB4130D3E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xB41322EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB4130892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB4130A64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xB417654D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB41309F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB413263C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB413279E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB4130AEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB413212A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB41322CC] SSDT \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys ZwUnloadKey [0xB338675C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB4130DA4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB41316E0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2F4C 80504834 4 Bytes [E9, 5D, 17, B4] .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [D8, 0C, 13, B4, 3E, 0D, 13, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [3C, 26, 13, B4, 9E, 27, 13, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL B413362B \SystemRoot\system32\drivers\aswSnx.sys .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB71333C0, 0x75D00A, 0xE8000020] ? C:\WINDOWS\system32\Drivers\uphcleanhlp.sys Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\spoolsv.exe[172] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[172] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text F:\XP\Pobieranie\4k9lzqxt.exe[676] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text F:\XP\Pobieranie\4k9lzqxt.exe[676] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[764] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[764] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[912] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[964] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[964] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[1012] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\RTHDCPL.EXE[1012] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1028] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1028] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1028] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1072] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1072] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1220] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1220] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1232] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1232] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1436] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1436] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1504] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[1504] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1564] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1564] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1660] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1660] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1752] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1752] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1788] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1788] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1788] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1860] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1860] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1860] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[1936] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesApp32.exe[1936] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2328] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wbem\unsecapp.exe[2328] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Ashampoo\Ashampoo HDD Control 2\DfsdkS.exe[3864] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Ashampoo\Ashampoo HDD Control 2\DfsdkS.exe[3864] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[3900] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\TuneUp Utilities 2013\TuneUpUtilitiesService32.exe[3900] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\UPHClean\uphclean.exe[3936] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\UPHClean\uphclean.exe[3936] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[4016] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[4016] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[1220] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[1220] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet002\Control\Video\{68296897-8BFF-4CE8-8787-9B22D9F60053}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet002\Control\Video\{D0703F32-CE78-4AC1-94A1-68A0422E6FEE}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet002\Control\Video\{E31EA076-5F10-4533-AAF7-F40EF1A53348}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{30E989B7-7F6F-4899-9383-DD303677681F}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{68296897-8BFF-4CE8-8787-9B22D9F60053}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{D0703F32-CE78-4AC1-94A1-68A0422E6FEE}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{E31EA076-5F10-4533-AAF7-F40EF1A53348}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{EA5A2A83-EAA1-4D7C-A832-43150B995EA7}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{30E989B7-7F6F-4899-9383-DD303677681F}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{68296897-8BFF-4CE8-8787-9B22D9F60053}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{D0703F32-CE78-4AC1-94A1-68A0422E6FEE}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{E31EA076-5F10-4533-AAF7-F40EF1A53348}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{EA5A2A83-EAA1-4D7C-A832-43150B995EA7}\0000@D3D_\x3332\x3331 2089309684 ---- EOF - GMER 2.1 ----