GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-23 21:50:53 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 HTS541080G9SA00 rev.MB4IC65R 74,53GB Running: gmer.exe; Driver: C:\DOKUME~1\UserX\Ustawienia lokalne\Temp\ugldypob.sys ---- System - GMER 2.1 ---- SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwAddBootEntry [0xA2DC6AD0] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xA2DC75AE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwClose [0xA2E0B7D0] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateEvent [0xA2DD35E0] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateEventPair [0xA2DD362C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xA2DD37C6] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateKey [0xA2E0B184] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateMutant [0xA2DD354E] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateSection [0xA2DD3670] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xA2DD3596] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateThread [0xA2DC7AE4] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwCreateTimer [0xA2DD3780] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xA2DC839C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xA2DC6B36] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDeleteKey [0xA2E0BE96] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xA2E0C14C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwDuplicateObject [0xA2DCBB32] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwEnumerateKey [0xA2E0BD01] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xA2E0BB6C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwLoadDriver [0xA2DC671E] SSDT \??\C:\WINDOWS\system32\drivers\aswSP.sys ZwMapViewOfSection [0xA3312466] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xA2DC6B9C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xA2DCBF28] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xA2DC8E2C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenEvent [0xA2DD360A] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenEventPair [0xA2DD364E] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xA2DD37EA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenKey [0xA2E0B4E0] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenMutant [0xA2DD3574] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenProcess [0xA2DCB42C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenSection [0xA2DD36FE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xA2DD35BE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenThread [0xA2DCB814] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwOpenTimer [0xA2DD37A4] SSDT \??\C:\WINDOWS\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xA331220A] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueryKey [0xA2E0B9E7] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueryObject [0xA2DC8CF8] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueryValueKey [0xA2E0B839] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwQueueApcThread [0xA2DC884E] SSDT \??\C:\WINDOWS\system32\drivers\aswSP.sys ZwRenameKey [0xA33201EA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwRestoreKey [0xA2E0A7CA] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xA2DC6C02] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetBootOptions [0xA2DC6C68] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetContextThread [0xA2DC8216] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xA2DC67B8] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xA2DC698E] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSetValueKey [0xA2E0BF9D] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwShutdownSystem [0xA2DC691C] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSuspendProcess [0xA2DC8566] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSuspendThread [0xA2DC86C8] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xA2DC6A16] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwTerminateProcess [0xA2DC8054] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwTerminateThread [0xA2DC81F6] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwVdmControl [0xA2DC6CCE] SSDT \??\C:\WINDOWS\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xA2DC760A] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2538 80501D70 4 Bytes JMP C6A2DD37 .text ntkrnlpa.exe!ZwCallbackReturn + 2664 80501E9C 4 Bytes JMP EAA33201 .text ntkrnlpa.exe!ZwCallbackReturn + 26B0 80501EE8 12 Bytes [02, 6C, DC, A2, 68, 6C, DC, ...] {ADD CH, [ESP+EBX*8-0x5e]; PUSH DWORD 0x16a2dc6c; SBB AH, 0xa2} .text ntkrnlpa.exe!ZwCallbackReturn + 2758 80501F90 12 Bytes [66, 85, DC, A2, C8, 86, DC, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 8059B86C 4 Bytes CALL A2DC94FD \??\C:\WINDOWS\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\svchost.exe[120] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[120] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\iPlus\iPlusChecker.exe[384] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\iPlus\iPlusChecker.exe[384] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[404] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\hkcmd.exe[404] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\igfxpers.exe[436] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\igfxpers.exe[436] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[464] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\igfxsrvc.exe[464] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[508] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[508] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[664] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Nero\Nero8\Nero BackItUp\NBService.exe[664] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[688] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[688] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe[760] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Lenovo\Bluetooth Software\bin\btwdins.exe[760] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\IoctlSvc.exe[772] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\IoctlSvc.exe[772] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[820] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[820] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[864] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[864] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[896] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[896] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1024] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1024] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\AGRSMMSG.exe[1048] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\AGRSMMSG.exe[1048] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[1328] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1464] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1464] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1596] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1596] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1640] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1640] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1652] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1652] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Fingerprint Sensor\AtService.exe[1816] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Fingerprint Sensor\AtService.exe[1816] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1840] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1840] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1928] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1928] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1968] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1968] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\LClock\LClock.exe[2184] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\LClock\LClock.exe[2184] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Vista Rainbar\Rainmeter.exe[2204] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Vista Rainbar\Rainmeter.exe[2204] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\SlimDrivers\SlimDrivers.exe[2260] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\SlimDrivers\SlimDrivers.exe[2260] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2480] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\Nero\Lib\NMIndexStoreSvr.exe[2480] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[2492] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 012BC930 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2492] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[2492] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 004E03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2492] KERNEL32.dll!VirtualAlloc 7C809AE1 5 Bytes JMP 014EE0AA C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2492] KERNEL32.dll!MapViewOfFile 7C80B995 5 Bytes JMP 014EE083 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2492] KERNEL32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[2492] GDI32.dll!CreateDIBSection 77F19E19 5 Bytes JMP 014EE00D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2516] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[2516] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\DoubleDesktop\dd.exe[2532] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\DoubleDesktop\dd.exe[2532] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2568] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Common Files\Nero\Lib\NMIndexingService.exe[2568] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Programy portable\Taskbar Shuffle\TaskbarShuffle.exe[2580] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Programy portable\Taskbar Shuffle\TaskbarShuffle.exe[2580] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Yz Dock\YzDock.exe[2596] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Yz Dock\YzDock.exe[2596] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\PROGRA~1\Lenovo\Bluetooth Software\BtStackServer.exe[3308] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\PROGRA~1\Lenovo\Bluetooth Software\BtStackServer.exe[3308] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Dokumenty i ustawienia\UserX\Pulpit\gmer.exe[3764] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Dokumenty i ustawienia\UserX\Pulpit\gmer.exe[3764] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3840] ntdll.dll!RtlDosSearchPath_U + 1D1 7C9171AA 1 Byte [62] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3840] kernel32.dll!GetBinaryTypeW + 80 7C868C2C 1 Byte [62] .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3840] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 10454822 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3840] USER32.dll!TrackPopupMenu 7E3B531E 5 Bytes JMP 10454DD6 C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[1640] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[1640] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswNdis2.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys ---- Registry - GMER 2.1 ---- Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B529D972-CB54-D123-FF26-A78F497378AE} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B529D972-CB54-D123-FF26-A78F497378AE}@pabcjhigbkbedgebnfgdjnpghipbmjai 0x6A 0x61 0x68 0x70 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{B529D972-CB54-D123-FF26-A78F497378AE}@oaddbkecelglhhmglejonekodhhjkb 0x6A 0x61 0x66 0x70 ... ---- EOF - GMER 2.1 ----