GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-20 22:10:31 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD400EB-75CPF0 rev.06.04G06 37,27GB Running: 42j0jtks.exe; Driver: C:\DOCUME~1\STANIS~1\USTAWI~1\Temp\kxriykow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xF46F3AC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xF496E0BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xF46F45A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xF473A5A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xF470063C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xF4700688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xF4700822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xF4739F54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xF47005AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xF47006CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xF47005F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xF46F4AD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xF47007DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xF46F5390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xF46F3B2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xF473AC66] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xF473AF1C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xF46F8B86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xF473AAD1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xF473A93C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xF46F3716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xF496E574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xF46F3B90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xF46F8F7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xF46F5E78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xF4700666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xF47006AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xF4700846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xF473A2B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xF47005D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xF46F847E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xF470075A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xF470061A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xF46F886A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xF4700800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xF496E312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xF473A7B7] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xF46F5CEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xF473A609] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xF46F5842] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xF497C358] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xF497CCC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xF4739597] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xF46F3BF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xF46F3C5C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xF46F520A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xF46F37B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xF46F3982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xF473AD6D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xF46F3910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xF46F555A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xF46F56BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xF46F3A0A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xF46F5048] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xF46F51EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xF46F3CC2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xF46F45FE] INT 0x62 ? 82B70BF8 INT 0x82 ? 82B70BF8 INT 0x83 ? 82921BF8 INT 0x83 ? 82921BF8 INT 0x83 ? 82921BF8 INT 0x83 ? 82921BF8 INT 0x83 ? 82921BF8 ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!_abnormal_termination + 398 804E296C 12 Bytes [F6, 3B, 6F, F4, 5C, 3C, 6F, ...] {IDIV BYTE [EBX]; OUTS DX, DWORD [ESI]; HLT ; POP ESP; CMP AL, 0x6f; HLT ; OR DL, [EDX+0x6f]; HLT } .text ntoskrnl.exe!_abnormal_termination + 440 804E2A14 12 Bytes [5A, 55, 6F, F4, BC, 56, 6F, ...] {POP EDX; PUSH EBP; OUTS DX, DWORD [ESI]; HLT ; MOV ESP, 0xaf46f56; CMP CH, [EDI-0xc]} PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BC20 4 Bytes CALL F46F6549 \SystemRoot\system32\drivers\aswSnx.sys ? spwt.sys Nie można odnaleźć określonego pliku. ! ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1328] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2744] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS.1\system32\services.exe[692] @ C:\WINDOWS.1\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS.1\system32\services.exe[692] @ C:\WINDOWS.1\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 IAT C:\WINDOWS.1\Explorer.EXE[1172] @ C:\WINDOWS.1\Explorer.EXE [KERNEL32.dll!GetProcAddress] [5CFE7774] C:\WINDOWS.1\system32\ShimEng.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 82B6F1F8 Device \FileSystem\Fastfat \FatCdrom 82727500 AttachedDevice \Driver\Tcpip \Device\Ip {993baf86-643c-42e9-95e5-094f337533f0}Gt.sys Device \Driver\usbuhci \Device\USBPDO-0 82A191F8 Device \Driver\usbuhci \Device\USBPDO-1 82A191F8 Device \Driver\usbuhci \Device\USBPDO-2 82A191F8 Device \Driver\usbehci \Device\USBPDO-3 829121F8 AttachedDevice \Driver\Tcpip \Device\Tcp {993baf86-643c-42e9-95e5-094f337533f0}Gt.sys Device \Driver\Ftdisk \Device\HarddiskVolume1 82BDF1F8 Device \Driver\Cdrom \Device\CdRom0 82A021F8 Device \Driver\Ftdisk \Device\HarddiskVolume2 82BDF1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{EF23C3FA-14AF-4EB0-9F31-8C712B078867} 82978500 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-3 [F7634B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort0 [F7634B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F7634B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-e [F7634B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\USBSTOR \Device\00000069 82756500 Device \Driver\NetBT \Device\NetBt_Wins_Export 82978500 Device \Driver\NetBT \Device\NetbiosSmb 82978500 AttachedDevice \Driver\Tcpip \Device\Udp {993baf86-643c-42e9-95e5-094f337533f0}Gt.sys AttachedDevice \Driver\Tcpip \Device\RawIp {993baf86-643c-42e9-95e5-094f337533f0}Gt.sys Device \Driver\usbuhci \Device\USBFDO-0 82A191F8 Device \Driver\USBSTOR \Device\0000006d 82756500 Device \Driver\usbuhci \Device\USBFDO-1 82A191F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 827891F8 Device \Driver\usbuhci \Device\USBFDO-2 82A191F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 827891F8 Device \Driver\usbehci \Device\USBFDO-3 829121F8 Device \Driver\Ftdisk \Device\FtControl 82BDF1F8 Device \FileSystem\Fastfat \Fat 82727500 AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys Device \FileSystem\Cdfs \Cdfs 8273E500 Device \FileSystem\Cdfs \Cdfs ECF77BCE ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys hal.dll atapi.sys spwt.sys >>UNKNOWN [0x82b90938]<< 82b90938 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x82b30ab8] 82b30ab8 Trace 3 CLASSPNP.SYS[f780efd7] -> nt!IofCallDriver -> \Device\00000060[0x82b25c88] 82b25c88 Trace 5 ACPI.sys[f7679620] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-3[0x82b24230] 82b24230 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s1 771343423 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@s2 285507792 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg@h0 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDB 0x91 0x7E 0x3E ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x9C 0x3F 0x79 0xDF ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xEB 0x25 0x8A 0x38 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xDB 0x91 0x7E 0x3E ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001@hdf12 0x9C 0x3F 0x79 0xDF ... Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet004\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC\00000001\gdq0@hdf12 0xEB 0x25 0x8A 0x38 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesProcessed 320 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher@TracesSuccessful 235 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 Whistler@MBR code has been found <-- ROOTKIT !!! ---- EOF - GMER 2.1 ----