GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-09-05 11:34:41 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_DT01ACA100 rev.MS2OA750 931,51GB Running: n03stmo3.exe; Driver: C:\DOCUME~1\Kasia\USTAWI~1\Temp\fwtdapow.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xA7B3267C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xA7DE7860] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xA7B3315A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xA7B79D3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xA7B3F8F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xA7B3F944] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xA7B3FADE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xA7B796F0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xA7B3F866] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xA7B3F988] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xA7B3F8AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xA7B33690] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xA7B3FA98] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xA7B33DC2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xA7B326E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xA7B7A402] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xA7B7A6B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xA7B37254] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xA7B7A26D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xA7B7A0D8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xA7DE7938] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwGetContextThread [0xA7B34654] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xA7B322CE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xA7DE7D1A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xA7B32748] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xA7B3764A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xA7B34BE6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xA7B3F922] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xA7B3F966] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xA7B3FB02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xA7B79A4C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xA7B3F88C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xA7B36B2C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xA7B3FA16] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xA7B3F8D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xA7B36F22] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xA7B3FABC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xA7DE7AB8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xA7B79F53] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xA7B349FE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xA7B79DA5] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xA7B343EC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xA7DF59FC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xA7DF63C8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xA7B78D33] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwResumeProcess [0xA7B33F8C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwResumeThread [0xA7B34198] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xA7B327AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xA7B32814] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xA7B3477E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xA7B32368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xA7B3253A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xA7B7A509] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xA7B324C8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xA7B34092] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xA7B342C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xA7B325C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xA7B33C00] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xA7B33DA2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xA7DE4AF8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xA7B3287A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xA7B331B6] ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2F88 80504870 5 Bytes [FC, 59, DF, A7, C8] .text ntkrnlpa.exe!ZwCallbackReturn + 2F8E 80504876 2 Bytes [DF, A7] .text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 805048A0 12 Bytes [33, 8D, B7, A7, 8C, 3F, B3, ...] {XOR ECX, [EBP+0x3f8ca7b7]; MOV BL, 0xa7; CWDE ; INC ECX; MOV BL, 0xa7} .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [AE, 27, B3, A7, 14, 28, B3, ...] {SCASB ; DAA ; MOV BL, 0xa7; ADC AL, 0x28; MOV BL, 0xa7; JLE 0x51; MOV BL, 0xa7} .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [92, 40, B3, A7, C2, 42, B3, ...] {XCHG EDX, EAX; INC EAX; MOV BL, 0xa7; RET 0xb342; CMPSD ; RET 0xb325; CMPSD } ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\system32\rserver30\RServer3.exe[1212] kernel32.dll!GetSystemTime 7C80176F 5 Bytes JMP 00AF596C C:\WINDOWS\system32\rserver30\WSOCK32.dll .text C:\WINDOWS\system32\rserver30\RServer3.exe[1212] kernel32.dll!CreateProcessW 7C802336 5 Bytes JMP 00AF54D8 C:\WINDOWS\system32\rserver30\WSOCK32.dll .text C:\WINDOWS\system32\rserver30\RServer3.exe[1212] kernel32.dll!QueryPerformanceCounter 7C80A4C7 5 Bytes JMP 00AF59D8 C:\WINDOWS\system32\rserver30\WSOCK32.dll .text C:\WINDOWS\system32\rserver30\RServer3.exe[1212] ADVAPI32.dll!RegQueryValueExA 77DC7ABB 5 Bytes JMP 00AF57AC C:\WINDOWS\system32\rserver30\WSOCK32.dll .text C:\WINDOWS\system32\rserver30\RServer3.exe[1212] ADVAPI32.dll!RegOpenKeyA 77DCEFC8 5 Bytes JMP 00AF56F0 C:\WINDOWS\system32\rserver30\WSOCK32.dll .text C:\WINDOWS\system32\rserver30\RServer3.exe[1212] ADVAPI32.dll!RegQueryInfoKeyW 77DD49CE 5 Bytes JMP 00AF58BC C:\WINDOWS\system32\rserver30\WSOCK32.dll .text C:\WINDOWS\system32\rserver30\RServer3.exe[1212] ADVAPI32.dll!RegEnumKeyExA 77DD51B6 5 Bytes JMP 00AF5858 C:\WINDOWS\system32\rserver30\WSOCK32.dll .text C:\WINDOWS\system32\rserver30\RServer3.exe[1212] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 00AF53B0 C:\WINDOWS\system32\rserver30\WSOCK32.dll .text C:\WINDOWS\system32\rserver30\FamItrfc.Exe[1308] ADVAPI32.dll!CreateProcessAsUserW 77DDA8A9 5 Bytes JMP 004053B0 C:\WINDOWS\system32\rserver30\wsock32.dll .text C:\WINDOWS\system32\rserver30\FamItrfc.Exe[1308] USER32.dll!SetWindowTextW 7E37960E 5 Bytes JMP 004048F4 C:\WINDOWS\system32\rserver30\wsock32.dll .text C:\WINDOWS\system32\rserver30\FamItrfc.Exe[1308] shell32.dll!Shell_NotifyIcon 7CA23D69 5 Bytes JMP 004048E8 C:\WINDOWS\system32\rserver30\wsock32.dll .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1632] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2592] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 1003B780 C:\Program Files\Sony\Sony PC Companion\NewUI.dll .text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!SetWindowRgn + 2BD 7E37E7E5 7 Bytes JMP 1003B3D0 C:\Program Files\Sony\Sony PC Companion\NewUI.dll .text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!SetClipboardData + 19D 7E38113B 7 Bytes JMP 1003B340 C:\Program Files\Sony\Sony PC Companion\NewUI.dll .text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!MessageBoxA + 49 7E3A0833 7 Bytes JMP 1003B680 C:\Program Files\Sony\Sony PC Companion\NewUI.dll .text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!MessageBoxExW + 1F 7E3A0857 7 Bytes JMP 1003B570 C:\Program Files\Sony\Sony PC Companion\NewUI.dll .text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!MessageBoxTimeoutA + CA 7E3B64D0 7 Bytes JMP 1003B6D0 C:\Program Files\Sony\Sony PC Companion\NewUI.dll ---- Devices - GMER 2.2 ---- Device \Driver\Tcpip \Device\Ip aswStmXP.sys Device \Driver\Tcpip6 \Device\Ip6 aswStmXP.sys Device \Driver\Tcpip \Device\Tcp aswStmXP.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.sys Device \Driver\Tcpip6 \Device\RawIp6 aswStmXP.sys Device \Driver\Tcpip6 \Device\Tcp6 aswStmXP.sys Device \Driver\Tcpip \Device\Udp aswStmXP.sys Device \Driver\Tcpip \Device\RawIp aswStmXP.sys Device \Driver\Tcpip6 \Device\Udp6 aswStmXP.sys Device \Driver\Tcpip \Device\IPMULTICAST aswStmXP.sys