GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-24 00:53:41
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST500DM002-1BD142 rev.KC45 465,76GB
Running: jhnmqgsg.exe; Driver: C:\DOCUME~1\BAKA~1\USTAWI~1\Temp\pxtdypow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0xAA490AC4]
SSDT \SystemRoot\system32\drivers\aswSP.sys (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0xAA76B0BA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0xAA4915A2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwClose [0xAA4D75A0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0xAA49D63C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0xAA49D688]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0xAA49D822]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwCreateKey [0xAA4D6F54]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0xAA49D5AA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0xAA49D6CC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0xAA49D5F2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0xAA491AD8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0xAA49D7DC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0xAA492390]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0xAA490B2A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwDeleteKey [0xAA4D7C66]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwDeleteValueKey [0xAA4D7F1C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwDuplicateObject [0xAA495B86]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwEnumerateKey [0xAA4D7AD1]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwEnumerateValueKey [0xAA4D793C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0xAA490716]
SSDT \SystemRoot\system32\drivers\aswSP.sys (avast! self protection module/AVAST Software) ZwMapViewOfSection [0xAA76B574]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0xAA490B90]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0xAA495F7C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0xAA492E78]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0xAA49D666]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0xAA49D6AA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0xAA49D846]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwOpenKey [0xAA4D72B0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0xAA49D5D0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwOpenProcess [0xAA49547E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0xAA49D75A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0xAA49D61A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwOpenThread [0xAA49586A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0xAA49D800]
SSDT \SystemRoot\system32\drivers\aswSP.sys (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0xAA76B312]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwQueryKey [0xAA4D77B7]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0xAA492CEC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwQueryValueKey [0xAA4D7609]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwQueueApcThread [0xAA492842]
SSDT \SystemRoot\system32\drivers\aswSP.sys (avast! self protection module/AVAST Software) ZwRenameKey [0xAA779358]
SSDT \SystemRoot\system32\drivers\aswSP.sys (avast! self protection module/AVAST Software) ZwReplaceKey [0xAA779CC4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwRestoreKey [0xAA4D6597]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0xAA490BF6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0xAA490C5C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0xAA49220A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0xAA4907B0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0xAA490982]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwSetValueKey [0xAA4D7D6D]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0xAA490910]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0xAA49255A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0xAA4926BC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0xAA490A0A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwTerminateProcess [0xAA492048]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0xAA4921EA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0xAA490CC2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software) ZwWriteVirtualMemory [0xAA4915FE]

Code \??\C:\DOCUME~1\BAKA~1\USTAWI~1\Temp\catchme.sys pIofCallDriver

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [F6, 0B, 49, AA, 5C, 0C, 49, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [5A, 25, 49, AA, BC, 26, 49, ...] {POP EDX; AND EAX, 0x26bcaa49; DEC ECX; STOSB ; OR CL, [EDX]; DEC ECX; STOSB }
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL AA493549 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
init C:\WINDOWS\system32\drivers\senfilt.sys entry point in "init" section [0xF6799F80]
.text win32k.sys!EngFreeUserMem + 674 BF8099C2 5 Bytes JMP AA497872 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngFreeUserMem + 35D1 BF80C91F 5 Bytes JMP AA497750 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSurface + 45 BF80FDD6 5 Bytes JMP AA497704 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngTransparentBlt + 44FC BF81F489 5 Bytes JMP AA4961E4 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngMulDiv + 197D BF821B96 5 Bytes JMP AA496CDA \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPaint + 11A6 BF82E3B0 5 Bytes JMP AA496344 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngLockSurface + C09 BF82F52E 5 Bytes JMP AA4979E8 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_bEnum + 2E84 BF839EBA 5 Bytes JMP AA497C02 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_bEnum + B8FE BF842934 5 Bytes JMP AA4975F8 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_bEnum + E0BA BF8450F0 5 Bytes JMP AA496CBC \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!CLIPOBJ_bEnum + F636 BF84666C 5 Bytes JMP AA4963E4 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 290F BF86910A 5 Bytes JMP AA496DB2 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 4BED BF86B3E8 5 Bytes JMP AA49681C \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 4C78 BF86B473 5 Bytes JMP AA496AF6 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + 584E BF86C049 5 Bytes JMP AA4960C8 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!XLATEOBJ_iXlate + AC2C BF871427 5 Bytes JMP AA4977A0 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngUnicodeToMultiByteN + 67EE BF878651 5 Bytes JMP AA49792A \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 35E9 BF891936 5 Bytes JMP AA4968E2 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetCurrentCodePage + 4126 BF892473 5 Bytes JMP AA496AB0 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGetLastError + 1606 BF8AF55F 5 Bytes JMP AA496DD0 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngGradientFill + 2862 BF8B2C7D 5 Bytes JMP AA497B5A \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngAlphaBlend + 3E8 BF8C1A6A 5 Bytes JMP AA496514 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngDeleteSemaphore + A5B0 BF8EAF87 5 Bytes JMP AA496CF8 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 19EF BF8EFA48 5 Bytes JMP AA495FB2 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 3BBE BF8F1C17 5 Bytes JMP AA4965F8 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!PATHOBJ_bCloseFigure + 3E3E BF8F1E97 5 Bytes JMP AA496740 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1A40 BF914AE8 5 Bytes JMP AA4962CC \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 1CEC BF914D94 5 Bytes JMP AA496E7A \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 2614 BF9156BC 5 Bytes JMP AA4964AC \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngCreateClip + 4F95 BF91803D 5 Bytes JMP AA496C16 \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
.text win32k.sys!EngPlgBlt + 191B BF948590 5 Bytes JMP AA497AAC \SystemRoot\system32\drivers\aswSnx.sys (avast! Virtualization Driver/AVAST Software)
? C:\WINDOWS\system32\Drivers\PROCEXP113.SYS Nie można odnaleźć określonego pliku. !
? C:\DOCUME~1\BAKA~1\USTAWI~1\Temp\catchme.sys System nie może odnaleźć określonej ścieżki. !

---- User code sections - GMER 2.1 ----

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1384] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[564] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1384] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64CA6330] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[564] @ C:\WINDOWS\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [64CA6330] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\WINDOWS\system32\services.exe[800] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[800] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys (avast! TDI Filter Driver/AVAST Software)

---- Registry - GMER 2.1 ----

Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Reporting\EventCache\WU@FlushCacheFiles