GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-04 23:58:24 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 KINGSTON_SH103S3240G rev.506ABBF0 223,57GB Running: 7x7i26b3.exe; Driver: C:\Users\AGNIES~1\AppData\Local\Temp\kwldypow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8FE44BA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8FE45684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8FE516F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8FE51744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8FE518DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8FE51666] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8FEFBDF0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8FE516AE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8FEFC080] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8FEFC16A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8FE51898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8FE46472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8FE44C0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8FE49C68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8FE447F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8FEFBED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8FE44C72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8FE4A05E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8FE46F5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8FE51722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8FE51766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8FE51902] SSDT 
\SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8FE5168C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8FE49560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8FE51816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8FE516D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8FE4994C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8FE518BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8FEFBC6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8FE46DCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8FE46ADC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8FE44CD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8FE44D3E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8FEFBFCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8FE44892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8FE44A64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8FE449F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8FE4663C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8FE4679E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8FE44AEC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8FEFBD3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8FE462CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8FE44DA4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8FEFBBA0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82E79A35 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EB3392 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] 
{LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82EBA5B0 4 Bytes [A6, 4B, E4, 8F] {CMPSB ; DEC EBX; IN AL, 0x8f} .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82EBA638 4 Bytes [84, 56, E4, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82EBA68C 8 Bytes [F8, 16, E5, 8F, 44, 17, E5, ...] {CLC ; PUSH SS; IN EAX, 0x8f; INC ESP; POP SS; IN EAX, 0x8f} .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82EBA698 4 Bytes [DE, 18, E5, 8F] {FICOMP WORD [EAX]; IN EAX, 0x8f} .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82EBA6B4 4 Bytes [66, 16, E5, 8F] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 8307550F 4 Bytes CALL 8FE47641 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 8308F377 4 Bytes CALL 8FE47657 \SystemRoot\system32\drivers\aswSnx.sys ? C:\Windows\System32\Drivers\SafeBoot.sys Proces nie może uzyskać dostępu do pliku, ponieważ jest on używany przez inny proces. [Polish OS message: The process cannot access the file because it is being used by another process.] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91E37000, 0x2F7634, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Broadcom\Broadcom 802.11\bcmwltry.exe[516] KERNEL32.dll!GetBinaryTypeW + 70 75CF6AAC 1 Byte [62] .text C:\Program Files\Common Files\ActivIdentity\ac.sharedstore.exe[548] kernel32.dll!GetBinaryTypeW + 70 75CF6AAC 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[564] kernel32.dll!SetUnhandledExceptionFilter 75CDF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] 
{XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[564] kernel32.dll!GetBinaryTypeW + 70 75CF6AAC 1 Byte [62] .text C:\Windows\system32\csrss.exe[716] kernel32.dll!GetBinaryTypeW + 70 75CF6AAC 1 Byte [62] .text C:\Windows\system32\wininit.exe[804] kernel32.dll!GetBinaryTypeW + 70 75CF6AAC 1 Byte [62] .text C:\Windows\system32\csrss.exe[812] kernel32.dll!GetBinaryTypeW + 70 75CF6AAC 1 Byte [62] .text C:\Windows\system32\services.exe[856] kernel32.dll!GetBinaryTypeW + 70 75CF6AAC 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\avastui.exe[5320] kernel32.dll!SetUnhandledExceptionFilter 75CDF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[5320] kernel32.dll!GetBinaryTypeW + 70 75CF6AAC 1 Byte [62] .text C:\Program Files\Common Files\Portrait Displays\Drivers\SDKCOMServer.exe[5332] kernel32.dll!GetBinaryTypeW + 70 75CF6AAC 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5344] kernel32.dll!GetBinaryTypeW + 70 75CF6AAC 1 Byte [62] .text C:\Program Files\Browny02\Brother\BrStMonW.exe[5432] kernel32.dll!GetBinaryTypeW + 70 75CF6AAC 1 Byte [62] .text C:\Program Files\Broadcom\Broadcom 802.11\WLTRAY.EXE[5448] KERNEL32.dll!GetBinaryTypeW + 70 75CF6AAC 1 Byte [62] .text ... 
---- Devices - GMER 2.1 ---- Device Ntfs.sys AttachedDevice tdrpman.sys Device fastfat.SYS AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys Device \Driver\volmgr \Device\VolMgrControl fltsrv.sys AttachedDevice \Driver\tdx \Device\Tcp ccnfd_1_10_0_5.sys Device \Driver\volmgr \Device\HarddiskVolume1 fltsrv.sys Device \Driver\volmgr \Device\HarddiskVolume2 fltsrv.sys Device \Driver\volmgr \Device\HarddiskVolume3 fltsrv.sys Device \Driver\volmgr \Device\HarddiskVolume4 fltsrv.sys Device \Driver\volmgr \Device\HarddiskVolume5 fltsrv.sys Device \Driver\partmgr \Device\PartmgrControl fltsrv.sys AttachedDevice \Driver\tdx \Device\Udp ccnfd_1_10_0_5.sys Device \Driver\Disk \Device\Harddisk0\DR0 fltsrv.sys Device \Driver\Disk \Device\Harddisk1\DR1 fltsrv.sys Device \Driver\BTHUSB \Device\00000098 bthport.sys Device \Driver\BTHUSB \Device\0000009a bthport.sys AttachedDevice fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82cbe83d Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82cbe83d@0007614db68e 0x67 0x34 0x06 0x30 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a82cbe83d@6cf373c56e76 0x12 0x2B 0x79 0xED ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x12 0xFB 0xF8 0x81 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82cbe83d (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82cbe83d@0007614db68e 0x67 0x34 0x06 0x30 ... 
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a82cbe83d@6cf373c56e76 0x12 0x2B 0x79 0xED ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0x12 0xFB 0xF8 0x81 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{6B45264A-08C7-4036-A60D-6079897F96FB} Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B45264A-08C7-4036-A60D-6079897F96FB} Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B45264A-08C7-4036-A60D-6079897F96FB}@Path \Microsoft\Windows Defender\MP Scheduled Scan Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B45264A-08C7-4036-A60D-6079897F96FB}@Hash 0x04 0x57 0x27 0x74 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B45264A-08C7-4036-A60D-6079897F96FB}@Triggers 0x15 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{6B45264A-08C7-4036-A60D-6079897F96FB}@DynamicInfo 0x03 0x00 0x00 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Windows Defender\MP Scheduled Scan@Id {6B45264A-08C7-4036-A60D-6079897F96FB} ---- EOF - GMER 2.1 ----