GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-27 21:05:08 Windows 5.1.2600 Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-a WDC_WD800BB-00JHC0 rev.05.01C05 74,53GB Running: gmer.exe; Driver: C:\DOCUME~1\Gilson\CONFIG~1\Temp\awecrfog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xF4801BA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xF4802684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xF4846D80] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xF480E6F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xF480E744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xF480E8DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xF4846734] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xF480E666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xF480E788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xF480E6AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xF4802BBA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xF480E898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xF4803472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xF4801C0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xF4847446] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xF48476FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xF4806C68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xF48472B1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xF484711C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xF48017F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xF4B35ED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xF4801C72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xF480705E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xF4803F5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xF480E722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xF480E766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xF480E902] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xF4846A90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xF480E68C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xF4806560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xF480E816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xF480E6D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xF480694C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xF480E8BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xF4B35C6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xF4846F97] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xF4803DCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xF4846DE9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xF4803924] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xF4B43E1A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xF4845D77] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xF4801CD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xF4801D3E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xF48032EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xF4801892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xF4801A64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xF484754D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xF48019F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xF480363C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xF480379E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xF4801AEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xF480312A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xF48032CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xF4801DA4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xF48026E0] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!_abnormal_termination + E4 804E26B8 4 Bytes [DE, E8, 80, F4] .text ntoskrnl.exe!_abnormal_termination + 220 804E27F4 4 Bytes JMP 88721C79 .text ntoskrnl.exe!_abnormal_termination + 240 804E2814 8 Bytes [16, E8, 80, F4, D6, E6, 80, ...] .text ntoskrnl.exe!_abnormal_termination + 258 804E282C 4 Bytes [BC, E8, 80, F4] .text ntoskrnl.exe!_abnormal_termination + 310 804E28E4 4 Bytes JMP 9942AD56 .text ... PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BC20 4 Bytes CALL F480462B \SystemRoot\system32\drivers\aswSnx.sys ? C:\DOCUME~1\Gilson\CONFIG~1\Temp\mbr.sys A sintaxe do nome do arquivo, pasta ou nome do volume está incorreta. ! ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\System32\smss.exe[604] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[652] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[652] KERNEL32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[676] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AD0001 .text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!FreeLibrary 7C80AC7E 5 Bytes JMP 3B6A7121 C:\Arquivos de programas\GbPlugin\gbiehCef.dll .text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!FreeLibraryAndExitThread 7C80C210 5 Bytes JMP 3B6A7099 C:\Arquivos de programas\GbPlugin\gbiehCef.dll .text C:\WINDOWS\system32\winlogon.exe[676] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[676] ole32.dll!CoUnmarshalInterface 7750D3AC 6 Bytes JMP 71A9000A .text C:\WINDOWS\system32\services.exe[720] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\services.exe[720] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[732] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[732] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[892] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[892] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\WgaTray.exe[928] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\WgaTray.exe[928] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[976] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[976] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1016] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1016] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1060] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1060] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1276] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1276] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1300] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1300] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe[1316] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe[1316] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Arquivos de programas\Alwil Software\Avast5\AvastSvc.exe[1316] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1404] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1404] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1496] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1496] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1544] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1544] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\dmwu.exe[1608] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\dmwu.exe[1608] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Arquivos de programas\Java\jre6\bin\jqs.exe[1632] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Arquivos de programas\Java\jre6\bin\jqs.exe[1632] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\HPZipm12.exe[1664] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\HPZipm12.exe[1664] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Arquivos de programas\Ralink\Common\RaRegistry.exe[1708] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Arquivos de programas\Ralink\Common\RaRegistry.exe[1708] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Documents and Settings\All Users\Dados de aplicativos\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1752] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\All Users\Dados de aplicativos\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1752] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[1816] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\System32\alg.exe[1816] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1940] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1940] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[2068] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wscntfy.exe[2068] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[2076] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[2076] kernel32.dll!LoadLibraryExW + C4 7C801BB9 4 Bytes CALL 71AF0001 .text C:\WINDOWS\Explorer.EXE[2076] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[2076] ole32.dll!CoUnmarshalInterface 7750D3AC 6 Bytes JMP 71AB000A .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2092] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2092] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2252] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[2252] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\jmdp\stij.exe[2396] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\jmdp\stij.exe[2396] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe[2568] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Arquivos de programas\Vimicro Corporation\VMUVC\VMonitor.exe[2568] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe[2604] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Arquivos de programas\Microsoft Office\Office12\GrooveMonitor.exe[2604] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Arquivos de programas\SweetIM\Messenger\SweetIM.exe[2660] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Arquivos de programas\SweetIM\Messenger\SweetIM.exe[2660] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Arquivos de programas\SweetIM\Communicator\SweetPacksUpdateManager.exe[2724] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Arquivos de programas\SweetIM\Communicator\SweetPacksUpdateManager.exe[2724] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe[2804] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Arquivos de programas\Arquivos comuns\Java\Java Update\jusched.exe[2804] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Arquivos de programas\Alwil Software\Avast5\AvastUI.exe[2884] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Arquivos de programas\Alwil Software\Avast5\AvastUI.exe[2884] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Arquivos de programas\Alwil Software\Avast5\AvastUI.exe[2884] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[2896] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\ctfmon.exe[2896] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Arquivos de programas\Ralink\Common\RaUI.exe[2968] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Arquivos de programas\Ralink\Common\RaUI.exe[2968] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\Documents and Settings\Gilson\Desktop\gmer.exe[3068] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\Documents and Settings\Gilson\Desktop\gmer.exe[3068] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3412] ntdll.dll!RtlDosSearchPath_U + 186 7C916865 1 Byte [62] .text C:\WINDOWS\system32\wbem\unsecapp.exe[3412] kernel32.dll!GetBinaryTypeW + 80 7C869AB4 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 00380002 IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 00380000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys ---- EOF - GMER 2.1 ----