GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-24 23:52:45 Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-12 WDC_WD1200BB-55GUC0 rev.08.02D08 111,79GB Running: 7i728ktp.exe; Driver: C:\DOCUME~1\Marysia\LOCALS~1\Temp\kwlyrfob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xF57ADBA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xF57AE684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xF57F2D80] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xF57BA6F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xF57BA744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xF57BA8DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xF57F2734] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xF57BA666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xF57BA788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xF57BA6AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xF57AEBBA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xF57BA898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xF57AF472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xF57ADC0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xF57F3446] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xF57F36FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xF57B2C68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xF57F32B1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xF57F311C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xF57AD7F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xF5A23ED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xF57ADC72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xF57B305E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xF57AFF5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xF57BA722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xF57BA766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xF57BA902] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xF57F2A90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xF57BA68C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xF57B2560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xF57BA816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xF57BA6D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xF57B294C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xF57BA8BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xF5A23C6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xF57F2F97] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xF57AFDCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xF57F2DE9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xF57AF924] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xF5A31E1A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xF57F1D77] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xF57ADCD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xF57ADD3E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xF57AF2EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xF57AD892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xF57ADA64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xF57F354D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xF57AD9F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xF57AF63C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xF57AF79E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xF57ADAEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xF57AF12A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xF57AF2CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xF57ADDA4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xF57AE6E0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2F4C 80504834 4 Bytes [E9, 2D, 7F, F5] .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [D8, DC, 7A, F5, 3E, DD, 7A, ...] {FCOMP ST4; JP 0xfffffff9; FNSTSW [EDX-0xb]; IN AL, DX; JP 0x1} .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [3C, F6, 7A, F5, 9E, F7, 7A, ...] {CMP AL, 0xf6; JP 0xfffffff9; SAHF ; IDIV DWORD [EDX-0xb]; IN AL, DX; FIDIVR DWORD [EDX-0xb]} PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL F57B062B \SystemRoot\system32\drivers\aswSnx.sys .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF75CB360, 0x1DEE5D, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\SOUNDMAN.EXE[124] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\SOUNDMAN.EXE[124] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe[168] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Lexmark X1100 Series\lxbkbmgr.exe[168] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe[224] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Lexmark X1100 Series\lxbkbmon.exe[224] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[456] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[456] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[500] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[548] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[548] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[572] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[572] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\services.exe[616] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[616] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[628] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[628] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[812] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[812] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\eHome\ehRecvr.exe[820] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\eHome\ehRecvr.exe[820] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[860] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[860] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\eHome\ehSched.exe[904] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\eHome\ehSched.exe[904] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[928] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[928] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[992] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[992] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1056] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1056] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1096] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1096] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1096] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\nvsvc32.exe[1160] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\nvsvc32.exe[1160] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1224] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1224] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1252] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1252] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wdfmgr.exe[1340] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wdfmgr.exe[1340] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1388] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[1388] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\LEXBCES.EXE[1472] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\LEXBCES.EXE[1472] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\LEXPPS.EXE[1512] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\LEXPPS.EXE[1512] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1516] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1516] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\ehome\mcrdsvc.exe[1700] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\ehome\mcrdsvc.exe[1700] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\dllhost.exe[2448] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\dllhost.exe[2448] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2544] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[2544] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[3216] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[3216] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0192C6E0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] ntdll.dll!NtFlushBuffersFile 7C90D32E 2 Bytes JMP 0162D3A3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] ntdll.dll!NtFlushBuffersFile + 3 7C90D331 2 Bytes [D2, 84] .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 0162D620 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 0162D400 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 02256F6A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0192D5B0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 02256F19 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00461F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 004503FC .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] KERNEL32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 021BEAF5 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 021BEAD2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] KERNEL32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 0192913E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] user32.dll!GetWindowInfo 7E42C49C 5 Bytes JMP 020C5F20 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3360] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 021BEA53 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Documents and Settings\Marysia\My Documents\Pobrane\7i728ktp.exe[3956] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Marysia\My Documents\Pobrane\7i728ktp.exe[3956] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[616] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003E0002 IAT C:\WINDOWS\system32\services.exe[616] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003E0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys ---- Processes - GMER 2.1 ---- Library C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1388] 0x10000000 Library C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.POL (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1388] 0x02910000 ---- EOF - GMER 2.1 ----