GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-18 19:05:41
Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 Hitachi_HDS721616PLA380 rev.P22OA70A 153,39GB
Running: f1o1leco.exe; Driver: C:\DOCUME~1\Testing\USTAWI~1\Temp\ufpiraog.sys


---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwAddBootEntry [0xF38FDAC4]
SSDT  \SystemRoot\system32\drivers\aswSP.sys  ZwAllocateVirtualMemory [0xF3C180BA]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwAssignProcessToJobObject [0xF38FE5A2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwClose [0xF39445A0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateEvent [0xF390A63C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateEventPair [0xF390A688]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateIoCompletion [0xF390A822]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateKey [0xF3943F54]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateMutant [0xF390A5AA]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateSection [0xF390A6CC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateSemaphore [0xF390A5F2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateThread [0xF38FEAD8]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateTimer [0xF390A7DC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDebugActiveProcess [0xF38FF390]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteBootEntry [0xF38FDB2A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteKey [0xF3944C66]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteValueKey [0xF3944F1C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDuplicateObject [0xF3902B86]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwEnumerateKey [0xF3944AD1]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwEnumerateValueKey [0xF394493C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwLoadDriver [0xF38FD716]
SSDT  \SystemRoot\system32\drivers\aswSP.sys  ZwMapViewOfSection [0xF3C18574]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwModifyBootEntry [0xF38FDB90]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwNotifyChangeKey [0xF3902F7C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwNotifyChangeMultipleKeys [0xF38FFE78]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenEvent [0xF390A666]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenEventPair [0xF390A6AA]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenIoCompletion [0xF390A846]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenKey [0xF39442B0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenMutant [0xF390A5D0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenProcess [0xF390247E]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenSection [0xF390A75A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenSemaphore [0xF390A61A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenThread [0xF390286A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenTimer [0xF390A800]
SSDT  \SystemRoot\system32\drivers\aswSP.sys  ZwProtectVirtualMemory [0xF3C18312]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryKey [0xF39447B7]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryObject [0xF38FFCEC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryValueKey [0xF3944609]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueueApcThread [0xF38FF842]
SSDT  \SystemRoot\system32\drivers\aswSP.sys  ZwRenameKey [0xF3C26358]
SSDT  \SystemRoot\system32\drivers\aswSP.sys  ZwReplaceKey [0xF3C26CC4]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwRestoreKey [0xF3943597]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetBootEntryOrder [0xF38FDBF6]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetBootOptions [0xF38FDC5C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetContextThread [0xF38FF20A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetSystemInformation [0xF38FD7B0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetSystemPowerState [0xF38FD982]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetValueKey [0xF3944D6D]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwShutdownSystem [0xF38FD910]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSuspendProcess [0xF38FF55A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSuspendThread [0xF38FF6BC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSystemDebugControl [0xF38FDA0A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwTerminateProcess [0xF38FF048]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwTerminateThread [0xF38FF1EA]
SSDT  \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys  ZwUnloadKey [0xB774C75C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwVdmControl [0xF38FDCC2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwWriteVirtualMemory [0xF38FE5FE]

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 24F8  80501D54 8 Bytes  JMP A7DCF38F
.text  ntkrnlpa.exe!ZwCallbackReturn + 2770  80501FCC 12 Bytes  [F6, DB, 8F, F3, 5C, DC, 8F, ...]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2818  80502074 12 Bytes  [5A, F5, 8F, F3, BC, F6, 8F, ...]
PAGE   ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC  8059BA02 4 Bytes  CALL F3900549 \SystemRoot\system32\drivers\aswSnx.sys
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xF66253C0, 0x84E2FA, 0xE8000020]
.text  C:\WINDOWS\system32\DRIVERS\atksgt.sys  section is writeable [0xB78B4300, 0x3ACC8, 0xE8000020]
.text  C:\WINDOWS\system32\DRIVERS\lirsgt.sys  section is writeable [0xF78C1300, 0x1B7E, 0xE8000020]
?      C:\WINDOWS\system32\Drivers\uphcleanhlp.sys  The system cannot find the file specified. !

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1500] kernel32.dll!SetUnhandledExceptionFilter  7C844EE5 8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[3828] kernel32.dll!SetUnhandledExceptionFilter  7C844EE5 8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }

---- User IAT/EAT - GMER 2.1 ----

IAT    C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  003D0002
IAT    C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  003D0000

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip  aswTdi.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp  aswTdi.sys
AttachedDevice  \Driver\Tcpip \Device\Udp  aswTdi.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  aswTdi.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Video\{48639A77-A80B-4A92-9D3B-8E41B155186A}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Video\{7285A4C0-02B0-4ECB-A08C-6C3DF6824250}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x47 0xBB 0x7C 0x69 ...
Reg  HKLM\SYSTEM\ControlSet003\Control\Video\{48639A77-A80B-4A92-9D3B-8E41B155186A}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\ControlSet003\Control\Video\{7285A4C0-02B0-4ECB-A08C-6C3DF6824250}\0000@D3D_\x3332\x3331  2089309684
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x47 0xBB 0x7C 0x69 ...

---- EOF - GMER 2.1 ----
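Reading a log like this by hand means answering the same questions every time: which modules own the SSDT hooks, do any hooks come from a module GMER could not find on disk, which inline patches and IAT redirections are not attributed to any module, and which drivers have writeable code sections. The script below is an added example (not part of GMER and not from the original post) that parses those line kinds and cross-references them. Its sample input is constructed from a subset of the lines above; the allowlist treating aswSnx.sys and aswSP.sys as the Avast install visible in the user-mode section, and the HIGH_VALUE set of services, are assumptions for this example, not GMER data.

```python
"""Triage a GMER 2.1 log: parse SSDT / code-section / IAT lines and cross-reference them.
Added example; not part of GMER or of the original post."""
import re
from collections import Counter

# Constructed sample in the line shapes GMER prints (a subset of the log above).
SAMPLE_LOG = r"""---- System - GMER 2.1 ----
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateThread [0xF38FEAD8]
SSDT  \SystemRoot\system32\drivers\aswSP.sys  ZwMapViewOfSection [0xF3C18574]
SSDT  \??\C:\WINDOWS\system32\Drivers\uphcleanhlp.sys  ZwUnloadKey [0xB774C75C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwWriteVirtualMemory [0xF38FE5FE]
---- Kernel code sections - GMER 2.1 ----
.text  ntkrnlpa.exe!ZwCallbackReturn + 24F8  80501D54 8 Bytes  JMP A7DCF38F
PAGE   ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC  8059BA02 4 Bytes  CALL F3900549 \SystemRoot\system32\drivers\aswSnx.sys
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xF66253C0, 0x84E2FA, 0xE8000020]
?      C:\WINDOWS\system32\Drivers\uphcleanhlp.sys  The system cannot find the file specified. !
---- User IAT/EAT - GMER 2.1 ----
IAT    C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  003D0000
---- EOF - GMER 2.1 ----
"""

# Assumed allowlist for this example: the asw* drivers are taken to belong to the
# Avast install that the log's user-mode section shows (AvastSvc.exe, AvastUI.exe).
EXPECTED_HOOKERS = {"aswsnx.sys": "Avast", "aswsp.sys": "Avast"}

# Assumed set of services whose interception deserves a closer look whoever hooks them.
HIGH_VALUE = {"ZwWriteVirtualMemory", "ZwCreateThread", "ZwLoadDriver",
              "ZwSetContextThread", "ZwQueueApcThread", "ZwMapViewOfSection",
              "ZwProtectVirtualMemory", "ZwSystemDebugControl", "ZwUnloadKey"}

SSDT_RE = re.compile(r"^SSDT\s+(.+?)\s+(Zw\w+)\s+\[0x([0-9A-F]+)\]")
WRITEABLE_RE = re.compile(r"^\.(\w+)\s+(.+?)\s+section is writeable\s+\[([^\]]*)\]")
PATCH_RE = re.compile(r"^(\S+)\s+(.+?)\s+([0-9A-F]{8})\s+(\d+) Bytes\s*(.*)$")
MISSING_RE = re.compile(r"^\?\s+(\S+)\s+")
IAT_RE = re.compile(r"^IAT\s+(.+?)\[(\d+)\]\s+@\s+(\S+)\s+\[([^\]]+)\]\s+([0-9A-F]+)(?:\s+(\S+))?\s*$")
MODULE_TOKEN = re.compile(r"\S+\.(?:sys|dll|exe)\b", re.I)


def _basename(path):
    return path.rstrip("\\").rsplit("\\", 1)[-1].lower()


def parse_gmer(text):
    """Turn the recognised GMER line kinds into dicts; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if m := SSDT_RE.match(line):
            entries.append({"kind": "ssdt", "module": m[1], "function": m[2],
                            "handler": int(m[3], 16)})
        elif m := WRITEABLE_RE.match(line):
            entries.append({"kind": "writeable", "section": m[1], "module": m[2]})
        elif m := PATCH_RE.match(line):
            # GMER appends the owning module path when it can attribute the patch target.
            entries.append({"kind": "patch", "section": m[1], "symbol": m[2],
                            "address": int(m[3], 16), "size": int(m[4]),
                            "attributed": bool(MODULE_TOKEN.search(m[5]))})
        elif m := MISSING_RE.match(line):
            entries.append({"kind": "missing", "module": m[1]})
        elif m := IAT_RE.match(line):
            entries.append({"kind": "iat", "process": m[1], "pid": int(m[2]),
                            "import": m[4], "target": int(m[5], 16),
                            "target_module": m[6]})
    return entries


def triage(entries):
    """Cross-reference the entries and rank what a reviewer should look at first."""
    missing = {_basename(e["module"]) for e in entries if e["kind"] == "missing"}
    hooks_by_module = Counter(_basename(e["module"]) for e in entries if e["kind"] == "ssdt")
    findings = []
    for e in entries:
        if e["kind"] == "ssdt":
            mod = _basename(e["module"])
            if mod in EXPECTED_HOOKERS:
                continue
            if mod in missing:  # hook installed by a module whose file GMER could not open
                findings.append(("high", f"SSDT {e['function']} hooked by {mod}, whose file GMER could not find on disk"))
            else:
                sev = "high" if e["function"] in HIGH_VALUE else "medium"
                findings.append((sev, f"SSDT {e['function']} hooked by unexpected module {mod}"))
        elif e["kind"] == "patch" and not e["attributed"]:
            findings.append(("medium", f"{e['size']}-byte patch at {e['symbol']} ({e['address']:08X}) not attributed to any module"))
        elif e["kind"] == "missing":
            findings.append(("medium", f"{_basename(e['module'])} is referenced by the scan but not found on disk"))
        elif e["kind"] == "iat" and not e["target_module"]:
            findings.append(("medium", f"IAT {e['import']} in {_basename(e['process'])}[{e['pid']}] redirected to {e['target']:08X}, not attributed to a module"))
        elif e["kind"] == "writeable":
            findings.append(("low", f"{_basename(e['module'])} .{e['section']} section is writeable"))
    rank = {"high": 0, "medium": 1, "low": 2}
    findings.sort(key=lambda f: rank[f[0]])  # stable sort keeps log order within a level
    return {"hooks_by_module": hooks_by_module, "findings": findings}


if __name__ == "__main__":
    result = triage(parse_gmer(SAMPLE_LOG))
    for mod, n in result["hooks_by_module"].most_common():
        print(f"{n:3d} SSDT hooks from {mod}")
    for sev, text in result["findings"]:
        print(f"[{sev:>6}] {text}")
```

On the sample, the one hook not covered by the allowlist is ZwUnloadKey from uphcleanhlp.sys, and because the same scan also reports that file as not found on disk the script ranks it first; an allowlist entry is the right fix once the driver is identified, a hidden or deleted file is the reason to keep digging. The ranking is a reading aid only: an unattributed inline patch in the kernel or an IAT entry in services.exe pointing at a bare address still has to be resolved by looking at what lives at that address, which GMER alone does not show.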