GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-28 21:40:13 Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\00000069 Maxtor_6L120P0 rev.BAJ41G20 114,50GB Running: kq5x20n9.exe; Driver: C:\DOCUME~1\Bracia\USTAWI~1\Temp\pxrdrpow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB13BDAC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xB165A0BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB13BE5A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xB14045A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB13CA63C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB13CA688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB13CA822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xB1403F54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB13CA5AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xB13CA6CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB13CA5F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xB13BEAD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB13CA7DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB13BF390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB13BDB2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xB1404C66] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB1404F1C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB13C2B86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB1404AD1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB140493C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xB13BD716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB165A574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB13BDB90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB13C2F7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB13BFE78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB13CA666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB13CA6AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB13CA846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xB14042B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB13CA5D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB13C247E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB13CA75A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB13CA61A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB13C286A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB13CA800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB165A312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xB14047B7] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB13BFCEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB1404609] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB13BF842] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB1668358] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xB1668CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xB1403597] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB13BDBF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB13BDC5C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xB13BF20A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB13BD7B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB13BD982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xB1404D6D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB13BD910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB13BF55A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB13BF6BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB13BDA0A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB13BF048] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB13BF1EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB13BDCC2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB13BE5FE] INT 0x62 ? 82135CB8 INT 0x63 ? 81E05F00 INT 0x73 ? 81E05F00 INT 0x82 ? 82135CB8 INT 0x83 ? 82135CB8 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2400 80501104 8 Bytes JMP A7DCB13B .text ntkrnlpa.exe!ZwCallbackReturn + 2678 8050137C 12 Bytes [F6, DB, 3B, B1, 5C, DC, 3B, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2720 80501424 12 Bytes [5A, F5, 3B, B1, BC, F6, 3B, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 8059A312 4 Bytes CALL B13C0549 \SystemRoot\system32\drivers\aswSnx.sys .sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF8382774] init C:\WINDOWS\system32\drivers\nvax.sys entry point in "init" section [0xF8668A0C] .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF6F35000, 0x1C5D38, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xABC1B300, 0x3B6D8, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xAFDC2300, 0x1BEE, 0xE8000020] pnidata C:\WINDOWS\system32\DRIVERS\secdrv.sys unknown last section [0xABB2EF00, 0x24000, 0x48000000] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[124] kernel32.dll!SetUnhandledExceptionFilter 7C810386 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1508] kernel32.dll!SetUnhandledExceptionFilter 7C810386 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002 IAT C:\WINDOWS\system32\services.exe[764] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 821341F8 AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys Device \Driver\usbohci \Device\USBPDO-0 81E04440 Device \Driver\usbohci \Device\USBPDO-1 81E04440 AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys Device \Driver\prodrv06 \Device\ProDrv06 E1AA9C30 Device \Driver\NetBT \Device\NetBT_Tcpip_{58118260-9E5C-4C10-A707-28ACDC5E837C} 8203D1F8 Device \Driver\Cdrom \Device\CdRom0 81DF4440 Device \Driver\nvatabus \Device\00000069 prosync1.sys Device \Driver\prohlp02 \Device\ProHlp02 E1036398 Device \Driver\NetBT \Device\NetBt_Wins_Export 8203D1F8 Device \Driver\NetBT \Device\NetbiosSmb 8203D1F8 AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys Device \Driver\nvatabus \Device\0000006a prosync1.sys Device \Driver\usbohci \Device\USBFDO-0 81E04440 Device \Driver\nvatabus \Device\NvAta0 prosync1.sys Device \Driver\usbohci \Device\USBFDO-1 81E04440 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 811A5440 Device \Driver\nvatabus \Device\NvAta1 prosync1.sys Device \FileSystem\MRxSmb \Device\LanmanRedirector 811A5440 Device \FileSystem\Cdfs \Cdfs 81EDD1F8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{58118260-9E5C-4C10-A707-28ACDC5E837C}@LeaseObtainedTime 1425149939 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{58118260-9E5C-4C10-A707-28ACDC5E837C}@T1 1425150239 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{58118260-9E5C-4C10-A707-28ACDC5E837C}@T2 1425150464 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{58118260-9E5C-4C10-A707-28ACDC5E837C}@LeaseTerminatesTime 1425150539 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{58118260-9E5C-4C10-A707-28ACDC5E837C}@DhcpRetryTime 297 Reg HKLM\SYSTEM\CurrentControlSet\Services\{58118260-9E5C-4C10-A707-28ACDC5E837C}\Parameters\Tcpip@LeaseObtainedTime 1425149939 Reg HKLM\SYSTEM\CurrentControlSet\Services\{58118260-9E5C-4C10-A707-28ACDC5E837C}\Parameters\Tcpip@T1 1425150239 Reg HKLM\SYSTEM\CurrentControlSet\Services\{58118260-9E5C-4C10-A707-28ACDC5E837C}\Parameters\Tcpip@T2 1425150464 Reg HKLM\SYSTEM\CurrentControlSet\Services\{58118260-9E5C-4C10-A707-28ACDC5E837C}\Parameters\Tcpip@LeaseTerminatesTime 1425150539 ---- EOF - GMER 2.1 ----