GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-02 16:42:33
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-17 WDC_WD3200KS-00PFB0 rev.21.00M21 298,09GB
Running: z65v1jcp.exe; Driver: C:\DOCUME~1\wojtas\USTAWI~1\Temp\uftdqpow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xAE1A3ACC]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xB170E31C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xAE1A45AA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xAE1EA620]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xAE1B06A0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xAE1B06EC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xAE1B0886]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xAE1E9FD4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xAE1B060E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xAE1B0730]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xAE1B0656]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xAE1A4AE0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xAE1B0840]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xAE1A5398]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xAE1A3B32]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xAE1EACE6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xAE1EAF9C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xAE1A8BEA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xAE1EAB51]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xAE1EA9BC]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xB170E3F4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xAE1A371E]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB170E7D6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xAE1A3B98]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xAE1A8FE0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xAE1A5EDC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xAE1B06CA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xAE1B070E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xAE1B08AA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xAE1EA330]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xAE1B0634]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xAE1A84E2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xAE1B07BE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xAE1B067E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xAE1A88CE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xAE1B0864]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB170E574]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xAE1EA837]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xAE1A5CF4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xAE1EA689]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xAE1A584A]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB171BD2C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xB171C698]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xAE1E9617]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xAE1A3BFE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xAE1A3C64]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xAE1A5212]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xAE1A37B8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xAE1A398A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xAE1EADED]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xAE1A3918]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xAE1A5562]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xAE1A56C4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xAE1A3A12]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xAE1A5050]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xAE1A51F2]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xB170B7BE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xAE1A3CCA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xAE1A4606]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwCallbackReturn + 2CD4 80504560 4 Bytes JMP 88AE1A8B
.text ntkrnlpa.exe!ZwCallbackReturn + 2F10 8050479C 12 Bytes [FE, 3B, 1A, AE, 64, 3C, 1A, ...]
.text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 12 Bytes [62, 55, 1A, AE, C4, 56, 1A, ...]
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A648C 4 Bytes CALL AE1A65AD \SystemRoot\system32\drivers\aswSnx.sys
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB5F4A360, 0x24CB9D, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text D:\programy\AVAST Software\Avast\AvastUI.exe[516] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text D:\programy\AVAST Software\Avast\AvastSvc.exe[1556] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\services.exe[876] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[876] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{A52953A9-D9A3-4C98-B0AF-CB2485F24232}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SYSTEM\ControlSet005\Control\Video\{A52953A9-D9A3-4C98-B0AF-CB2485F24232}\0000@D3D_\x3332\x3331 2089309684
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{47629D4B-2AD3-4e50-B716-A66C15C63153}\InprocServer32@cd042efbbd7f7af1647644e76e06692b 0x2E 0xE8 0xE1 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{604BB98A-A94F-4a5c-A67C-D8D3582C741C}\InprocServer32@bca643cdc5c2726b20d2ecedcc62c59b 0x46 0x47 0x15 0xB0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{684373FB-9CD8-4e47-B990-5A4466C16034}\InprocServer32@2c81e34222e8052573023a60d06dd016 0x7A 0x45 0x05 0xFD ...
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{74554CCD-F60F-4708-AD98-D0152D08C8B9}\InprocServer32@2582ae41fb52324423be06337561aa48 0x3E 0x1E 0x9E 0xE0 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{7EB537F9-A916-4339-B91B-DED8E83632C0}\InprocServer32@caaeda5fd7a9ed7697d9686d4b818472 0xCD 0x44 0xCD 0xB9 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{948395E8-7A56-4fb1-843B-3E52D94DB145}\InprocServer32@a4a1bcf2cc2b8bc3716b74b2b4522f5d 0xDF 0x20 0x58 0x62 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{AC3ED30B-6F1A-4bfc-A4F6-2EBDCCD34C19}\InprocServer32@4d370831d2c43cd13623e232fed27b7b 0xFB 0xA7 0x78 0xE6 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{DE5654CA-EB84-4df9-915B-37E957082D6D}\InprocServer32@1d68fe701cdea33e477eb204b76f993d 0xAA 0x52 0xC6 0x00 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{E39C35E8-7488-4926-92B2-2F94619AC1A5}\InprocServer32@1fac81b91d8e3c5aa4b0a51804d844a3 0xB2 0x46 0x9A 0xE2 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{EACAFCE5-B0E2-4288-8073-C02FF9619B6F}\InprocServer32@f5f62a6129303efb32fbe080bb27835b 0xB1 0xCD 0x45 0x5A ...
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{F8F02ADD-7366-4186-9488-C21CB8B3DCEC}\InprocServer32@fd4e2e1a3940b94dceb5a6a021f2e3c6 0xE3 0x0E 0x66 0xD5 ...
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ThreadingModel Apartment
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@ C:\WINDOWS\system32\OLE32.DLL
Reg HKLM\SOFTWARE\Classes\CLSID\{FEE45DE2-A467-4bf9-BF2D-1411304BCD84}\InprocServer32@8a8aec57dd6508a385616fbc86791ec2 0x6C 0x43 0x2D 0x1E ...

---- Files - GMER 2.1 ----

File C:\avast! sandbox 0 bytes
File C:\avast! sandbox\S-1-5-21-2000478354-1532298954-839522115-1003 0 bytes
File C:\avast! sandbox\S-1-5-21-2000478354-1532298954-839522115-1003\webStorage 0 bytes
File C:\avast! sandbox\S-1-5-21-2000478354-1532298954-839522115-1003\webStorage\C 0 bytes
File C:\avast! sandbox\S-1-5-21-2000478354-1532298954-839522115-1003\webStorage\snx_fs.dat 978 bytes
File C:\avast! sandbox\snx_rhive 262144 bytes
File C:\avast! sandbox\snx_rhive.LOG 1024 bytes
File D:\avast! sandbox 0 bytes
File D:\avast! sandbox\S-1-5-21-2000478354-1532298954-839522115-1003 0 bytes
File D:\avast! sandbox\S-1-5-21-2000478354-1532298954-839522115-1003\webStorage 0 bytes
File D:\avast! sandbox\S-1-5-21-2000478354-1532298954-839522115-1003\webStorage\D 0 bytes

---- EOF - GMER 2.1 ----