GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-02-22 12:03:04 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e WDC_WD20EARX-00PASB0 rev.51.0AB51 1863,02GB Running: zw9m2zgp.exe; Driver: C:\DOCUME~1\DROSAN\USTAWI~1\Temp\uxtdapog.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xAFC00A56] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xAFF40478] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xAFC015E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xAFC3F8EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xAFC0C44A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xAFC0C496] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xAFC0C668] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xAFC3F2A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xAFC0C3B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xAFC0C4DA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xAFC0C400] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xAFC01B32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xAFC0C622] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xAFC02264] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xAFC00ABC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xAFC3FFB2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xAFC40268] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xAFC053DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xAFC3FE1D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xAFC3FC88] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xAFF40550] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwGetContextThread [0xAFC02AF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xAFC0069C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xAFF40932] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xAFC00B22] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xAFC057EE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xAFC0307C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xAFC0C474] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xAFC0C4B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xAFC0C68C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xAFC3F5FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xAFC0C3DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xAFC04CB4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xAFC0C586] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xAFC0C428] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xAFC050AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xAFC0C646] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xAFF406D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xAFC3FB03] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xAFC02EA0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xAFC3F955] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xAFC0288E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xAFF4E896] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xAFF4F262] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xAFC3E8E3] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwResumeProcess [0xAFC0242E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwResumeThread [0xAFC0263A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xAFC00B88] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xAFC00BEE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xAFC02C20] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xAFC0073C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xAFC00914] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xAFC400B9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xAFC008A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xAFC02534] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xAFC02764] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xAFC0099C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xAFC020A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xAFC02244] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xAFF3DB54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xAFC00C54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xAFC0163C] INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys AE9F516D INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys AE9F4FC2 ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2F88 80504870 8 Bytes [96, E8, F4, AF, 62, F2, F4, ...] {XCHG ESI, EAX; CALL 0xf262affa; HLT ; SCASD } .text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 805048A0 12 Bytes CALL A47EF868 .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 9 Bytes [88, 0B, C0, AF, EE, 0B, C0, ...] {MOV [EBX], CL; SHR BYTE [EDI-0x503ff412], 0x20} .text ntkrnlpa.exe!ZwCallbackReturn + 2FDE 805048C6 2 Bytes [C0, AF] .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [34, 25, C0, AF, 64, 27, C0, ...] {XOR AL, 0x25; SHR BYTE [EDI-0x503fd89c], 0x9c; OR EAX, EAX; SCASD } PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL AFC035B9 \SystemRoot\system32\drivers\aswSnx.sys .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB27613C0, 0x83E20A, 0xE8000020] .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xAE680400, 0x87EE2, 0xE8000020] .protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xAE724620] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect˙˙˙˙hardlockentry point in ".protect˙˙˙˙hardlockentry point in ".p" section [0xAE724620] .protect˙˙˙˙hardlockunknown last code section [0xAE724400, 0x5126, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xAE724400, 0x5126, 0xE0000020] ---- User code sections - GMER 2.2 ---- .text C:\program files\real\realplayer\update\realsched.exe[1400] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1536] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2720] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Mozilla Firefox\firefox.exe[2744] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00308290 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2744] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 779103FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2744] KERNEL32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01ACE8D2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2744] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01ACD9FF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2744] KERNEL32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 017CAE7F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2744] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01ACD405 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2744] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 026F30ED C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2744] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 01785294 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2744] USER32.dll!CreateWindowExA 7E37E4A9 5 Bytes JMP 01C4DDBF C:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.2 ---- Device \Driver\Tcpip \Device\Ip aswStmXP.sys Device \Driver\Tcpip \Device\Tcp aswStmXP.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.sys Device \Driver\Tcpip \Device\Udp aswStmXP.sys Device \Driver\Tcpip \Device\RawIp aswStmXP.sys Device \Driver\Tcpip \Device\IPMULTICAST aswStmXP.sys AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys AttachedDevice \FileSystem\Fastfat \Fat InCDrec.SYS ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{AA5D93F2-B4B4-476C-85E9-827AD29F4C2C}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Control\Video\{AA5D93F2-B4B4-476C-85E9-827AD29F4C2C}\0001@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14833624990622280@SetupOperations ???C?_????^??_???????????????????? ?????????????????????? ???????_???????????_????????????$??????p???????_??????Service??????_??? ???????_???????????_????????????%???????????n??????????_??????Driver Group?????_??? ???????_???????????_????????????&??????????????_??????Service??????_??? ???????_???????????_??????????????????t???????_???4??Service??????_???????_??????Service?????? ???????_???????????_????????????)??????????????????_??????Driver Group????? ???????_???????????_????????????*? ????????????????_??????Driver??????? ???????_???????????_????????????+???????s??????????_??????Driver???????_??? ???????_???????????_????????????,???????s??????????_???????_???_??????????????Driver??????? ???????_???????????_????????????/???????r??????????_??????Service??????_??? ???????_???????????_????????????0?????s????????_??????Service??????_??? ???????_???????????_????? Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14833627468432280@SetupOperations ???d????USB\Vid_046d&Pid_c03f&Rev_2000?USB\Vid_046d&Pid_c03f?????{?{?d???#?s?s???h?z?C?????d??????0??d???v??1n?????d????Zapewnia us?ugi pozyskiwania obraz?w dla skaner?w i aparat?w fotograficznych.????K?K?K?K?K?K?Q?c?Q??? 0??p??? ????? ? ??(Standardowe urz?dzenia systemowe)????0??@?C?I?I?#?'?J?J?J??????ASUS???????d???d???????d??????0??d???N??1A????(??h??????????? ???????d???????????b???????? ?0????????0???????D??? ???????d????????????????????????????????????s?lm??? ???????d???????????????????????????????f??? ???????c?????d??????????d??????????????O??disk????? *??d???????????????d??? ???????d?????d?????????? ?????????2???????????????????????????????? ???????d?????d?? ???????????&???????????????0??7?;?I?O?O?O?O?O?O?c??????D??e???Q?g?Qh??>???J?P?P?P?b?b?J@??&?)?;?I?/?I?I?I?I?d????rp???????d??aswHdsKe?x???z?z?d??{6BDD1FC6-810F-11D0-BEC7-08002BE2092F}?11D??HID\Vid_09da&Pid_1f8f&MI_01\7&183d515e&0&0000?@?194.204.152.34 194.204.159.1?????d??input.inf????}?}?}??? ???????d?????d??????????"????????????????????c?c???? Reg HKLM\SYSTEM\ControlSet004\Control\Video\{AA5D93F2-B4B4-476C-85E9-827AD29F4C2C}\0000@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Control\Video\{AA5D93F2-B4B4-476C-85E9-827AD29F4C2C}\0001@D3D_\x3332\x3331 2089309684 Reg HKLM\SYSTEM\ControlSet004\Services\aswRvrt\Parameters\Instup_14833624990622280@SetupOperations ???ct???? ???????Y???????????d????????.??????????0???????????????????????s??????input.inf???Microsoft???? ???c???r?????s s0????K?K?R?R?R?R?R?R???????????????r???????U?????? ???????????????????sj???????????b??????????? ???????c???????????e????????6????????????8?b???????????????????????????????????????t?????????????n\s???????????b??????????????????????? ???W??????????s????????!???t??s?(??2?Q?Q?Q?Q?Q?b?b?Q??? 6??u???????????????c?c?d??????