GMER 2.0.18454 - http://www.gmer.net
Rootkit scan 2013-02-07 13:54:02
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-2 TOSHIBA_MK1234GSX rev.AH001H 111,79GB
Running: dcpqq9bn.exe; Driver: C:\Users\ANNASI~1\AppData\Local\Temp\kwldaaog.sys


---- System - GMER 2.0 ----

SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAddBootEntry [0xA89514BA]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwAllocateVirtualMemory [0xA99A0C22]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwAssignProcessToJobObject [0xA8951ED6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEvent [0xA895CFA8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateEventPair [0xA895CFF4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateIoCompletion [0xA895D176]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateMutant [0xA895CF16]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateSection [0xA895D038]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateSemaphore [0xA895CF5E]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateThread [0xA895211C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateTimer [0xA895D130]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDebugActiveProcess [0xA895293E]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwDeleteBootEntry [0xA8951508]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwFreeVirtualMemory [0xA99A0CEA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwLoadDriver [0xA8951170]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwModifyBootEntry [0xA8951556]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeKey [0xA8956534]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwNotifyChangeMultipleKeys [0xA89533A6]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEvent [0xA895CFD2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenEventPair [0xA895D016]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenIoCompletion [0xA895D19A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenMutant [0xA895CF3C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSection [0xA895D0BA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenSemaphore [0xA895CF86]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwOpenTimer [0xA895D154]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwProtectVirtualMemory [0xA99A0E4A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueryObject [0xA8953272]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwQueueApcThread [0xA8952DD4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootEntryOrder [0xA89515A4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetBootOptions [0xA89515F2]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetContextThread [0xA89527BE]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemInformation [0xA89511FA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSetSystemPowerState [0xA89513AA]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwShutdownSystem [0xA8951350]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSuspendProcess [0xA8952AF8]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSuspendThread [0xA8952C54]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwSystemDebugControl [0xA895141A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwTerminateProcess [0xA89524D4]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwTerminateThread [0xA8952636]
SSDT  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwUnloadDriver [0xA999F41C]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwVdmControl [0xA8951640]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwWriteVirtualMemory [0xA8951F1A]
SSDT  \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)  ZwCreateThreadEx [0xA89522F4]

Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ZwCreateProcessEx [0xA99B9E56]
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObInsertObject
Code  \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)  ObMakeTemporaryObject

---- Kernel code sections - GMER 2.0 ----

.text  ntkrnlpa.exe!KeSetEvent + 10D  81CEF890 4 Bytes  [BA, 14, 95, A8]
.text  ntkrnlpa.exe!KeSetEvent + 131  81CEF8B4 4 Bytes  [22, 0C, 9A, A9]
.text  ntkrnlpa.exe!KeSetEvent + 191  81CEF914 4 Bytes  [D6, 1E, 95, A8]
.text  ntkrnlpa.exe!KeSetEvent + 1D1  81CEF954 8 Bytes  [A8, CF, 95, A8, F4, CF, 95, ...]
.text  ntkrnlpa.exe!KeSetEvent + 1DD  81CEF960 4 Bytes  [76, D1, 95, A8]
.text  ...
PAGE   ntkrnlpa.exe!ObMakeTemporaryObject  81E1A62F 5 Bytes  JMP A99B6CF6 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE   ntkrnlpa.exe!ObInsertObject  81E73543 5 Bytes  JMP A99B8810 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
PAGE   ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110  81E7CE68 4 Bytes  CALL A8953A8D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE   ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121  81E80ADC 4 Bytes  CALL A8953AA3 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE   ntkrnlpa.exe!ZwCreateProcessEx  81ED4DCA 7 Bytes  JMP A99B9E5A \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software)
.text  ntdll.dll!LdrLoadDll  77929378 5 Bytes  [E9, 7B, 6E, 93, 88] {JMP 0x88936e80}
.text  ntdll.dll!LdrUnloadDll  7793B680 5 Bytes  [E9, 77, 4D, 92, 88] {JMP 0x88924d7c}

---- User code sections - GMER 2.0 ----

.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[2064] kernel32.dll!GetBinaryTypeW + 70  76202467 1 Byte  [62]
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2716] kernel32.dll!SetUnhandledExceptionFilter  761DA8C5 4 Bytes  [C2, 04, 00, 90] {RET 0x4; NOP }
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2716] kernel32.dll!GetBinaryTypeW + 70  76202467 1 Byte  [62]
.text  C:\Windows\system32\wermgr.exe[3184] ntdll.dll!LdrLoadDll  77929378 5 Bytes  JMP 000601F8
.text  C:\Windows\system32\wermgr.exe[3184] ntdll.dll!LdrUnloadDll  7793B680 5 Bytes  JMP 000603FC
.text  C:\Windows\system32\wermgr.exe[3184] KERNEL32.dll!GetBinaryTypeW + 70  76202467 1 Byte  [62]
.text  C:\Windows\system32\wermgr.exe[3184] ADVAPI32.dll!CreateServiceW  77229EB4 5 Bytes  JMP 000703FC
.text  C:\Windows\system32\wermgr.exe[3184] ADVAPI32.dll!DeleteService  7722A07E 5 Bytes  JMP 00070600
.text  C:\Windows\system32\wermgr.exe[3184] ADVAPI32.dll!SetServiceObjectSecurity  77266CD9 5 Bytes  JMP 00071014
.text  C:\Windows\system32\wermgr.exe[3184] ADVAPI32.dll!ChangeServiceConfigA  77266DD9 5 Bytes  JMP 00070804
.text  C:\Windows\system32\wermgr.exe[3184] ADVAPI32.dll!ChangeServiceConfigW  77266F81 5 Bytes  JMP 00070A08
.text  C:\Windows\system32\wermgr.exe[3184] ADVAPI32.dll!ChangeServiceConfig2A  77267099 5 Bytes  JMP 00070C0C
.text  C:\Windows\system32\wermgr.exe[3184] ADVAPI32.dll!ChangeServiceConfig2W  772671E1 5 Bytes  JMP 00070E10
.text  C:\Windows\system32\wermgr.exe[3184] ADVAPI32.dll!CreateServiceA  772672A1 5 Bytes  JMP 000701F8
.text  C:\Windows\system32\wermgr.exe[3184] USER32.dll!SetWindowsHookExA  772B6322 5 Bytes  JMP 000C0600
.text  C:\Windows\system32\wermgr.exe[3184] USER32.dll!SetWindowsHookExW  772B87AD 5 Bytes  JMP 000C0804
.text  C:\Windows\system32\wermgr.exe[3184] USER32.dll!UnhookWindowsHookEx  772B98DB 5 Bytes  JMP 000C0A08
.text  C:\Windows\system32\wermgr.exe[3184] USER32.dll!SetWinEventHook  772B9F3A 5 Bytes  JMP 000C01F8
.text  C:\Windows\system32\wermgr.exe[3184] USER32.dll!UnhookWinEvent  772BC06F 5 Bytes  JMP 000C03FC
.text  C:\Windows\system32\WUDFHost.exe[5308] ntdll.dll!LdrLoadDll  77929378 5 Bytes  JMP 000601F8
.text  C:\Windows\system32\WUDFHost.exe[5308] ntdll.dll!LdrUnloadDll  7793B680 5 Bytes  JMP 000603FC
.text  C:\Windows\system32\WUDFHost.exe[5308] KERNEL32.dll!GetBinaryTypeW + 70  76202467 1 Byte  [62]
.text  C:\Windows\system32\WUDFHost.exe[5308] ADVAPI32.dll!CreateServiceW  77229EB4 5 Bytes  JMP 000703FC
.text  C:\Windows\system32\WUDFHost.exe[5308] ADVAPI32.dll!DeleteService  7722A07E 5 Bytes  JMP 00070600
.text  C:\Windows\system32\WUDFHost.exe[5308] ADVAPI32.dll!SetServiceObjectSecurity  77266CD9 5 Bytes  JMP 00071014
.text  C:\Windows\system32\WUDFHost.exe[5308] ADVAPI32.dll!ChangeServiceConfigA  77266DD9 5 Bytes  JMP 00070804
.text  C:\Windows\system32\WUDFHost.exe[5308] ADVAPI32.dll!ChangeServiceConfigW  77266F81 5 Bytes  JMP 00070A08
.text  C:\Windows\system32\WUDFHost.exe[5308] ADVAPI32.dll!ChangeServiceConfig2A  77267099 5 Bytes  JMP 00070C0C
.text  C:\Windows\system32\WUDFHost.exe[5308] ADVAPI32.dll!ChangeServiceConfig2W  772671E1 5 Bytes  JMP 00070E10
.text  C:\Windows\system32\WUDFHost.exe[5308] ADVAPI32.dll!CreateServiceA  772672A1 5 Bytes  JMP 000701F8
.text  C:\Windows\system32\WUDFHost.exe[5308] USER32.dll!SetWindowsHookExA  772B6322 5 Bytes  JMP 00080600
.text  C:\Windows\system32\WUDFHost.exe[5308] USER32.dll!SetWindowsHookExW  772B87AD 5 Bytes  JMP 00080804
.text  C:\Windows\system32\WUDFHost.exe[5308] USER32.dll!UnhookWindowsHookEx  772B98DB 5 Bytes  JMP 00080A08
.text  C:\Windows\system32\WUDFHost.exe[5308] USER32.dll!SetWinEventHook  772B9F3A 5 Bytes  JMP 000801F8
.text  C:\Windows\system32\WUDFHost.exe[5308] USER32.dll!UnhookWinEvent  772BC06F 5 Bytes  JMP 000803FC
.text  C:\Windows\system32\taskmgr.exe[5844] ntdll.dll!LdrLoadDll  77929378 5 Bytes  JMP 000601F8
.text  C:\Windows\system32\taskmgr.exe[5844] ntdll.dll!LdrUnloadDll  7793B680 5 Bytes  JMP 000603FC
.text  C:\Windows\system32\taskmgr.exe[5844] KERNEL32.dll!GetBinaryTypeW + 70  76202467 1 Byte  [62]
.text  C:\Windows\system32\taskmgr.exe[5844] ADVAPI32.dll!CreateServiceW  77229EB4 5 Bytes  JMP 000703FC
.text  C:\Windows\system32\taskmgr.exe[5844] ADVAPI32.dll!DeleteService  7722A07E 5 Bytes  JMP 00070600
.text  C:\Windows\system32\taskmgr.exe[5844] ADVAPI32.dll!SetServiceObjectSecurity  77266CD9 5 Bytes  JMP 00071014
.text  C:\Windows\system32\taskmgr.exe[5844] ADVAPI32.dll!ChangeServiceConfigA  77266DD9 5 Bytes  JMP 00070804
.text  C:\Windows\system32\taskmgr.exe[5844] ADVAPI32.dll!ChangeServiceConfigW  77266F81 5 Bytes  JMP 00070A08
.text  C:\Windows\system32\taskmgr.exe[5844] ADVAPI32.dll!ChangeServiceConfig2A  77267099 5 Bytes  JMP 00070C0C
.text  C:\Windows\system32\taskmgr.exe[5844] ADVAPI32.dll!ChangeServiceConfig2W  772671E1 5 Bytes  JMP 00070E10
.text  C:\Windows\system32\taskmgr.exe[5844] ADVAPI32.dll!CreateServiceA  772672A1 5 Bytes  JMP 000701F8
.text  C:\Windows\system32\taskmgr.exe[5844] USER32.dll!SetWindowsHookExA  772B6322 5 Bytes  JMP 00080600
.text  C:\Windows\system32\taskmgr.exe[5844] USER32.dll!SetWindowsHookExW  772B87AD 5 Bytes  JMP 00080804
.text  C:\Windows\system32\taskmgr.exe[5844] USER32.dll!UnhookWindowsHookEx  772B98DB 5 Bytes  JMP 00080A08
.text  C:\Windows\system32\taskmgr.exe[5844] USER32.dll!SetWinEventHook  772B9F3A 5 Bytes  JMP 000801F8
.text  C:\Windows\system32\taskmgr.exe[5844] USER32.dll!UnhookWinEvent  772BC06F 5 Bytes  JMP 000803FC
.text  G:\dcpqq9bn.exe[6000] ntdll.dll!LdrLoadDll  77929378 5 Bytes  JMP 002601F8
.text  G:\dcpqq9bn.exe[6000] ntdll.dll!LdrUnloadDll  7793B680 5 Bytes  JMP 002603FC
.text  G:\dcpqq9bn.exe[6000] KERNEL32.dll!GetBinaryTypeW + 70  76202467 1 Byte  [62]
.text  G:\dcpqq9bn.exe[6000] ADVAPI32.dll!CreateServiceW  77229EB4 5 Bytes  JMP 002803FC
.text  G:\dcpqq9bn.exe[6000] ADVAPI32.dll!DeleteService  7722A07E 5 Bytes  JMP 00280600
.text  G:\dcpqq9bn.exe[6000] ADVAPI32.dll!SetServiceObjectSecurity  77266CD9 5 Bytes  JMP 00281014
.text  G:\dcpqq9bn.exe[6000] ADVAPI32.dll!ChangeServiceConfigA  77266DD9 5 Bytes  JMP 00280804
.text  G:\dcpqq9bn.exe[6000] ADVAPI32.dll!ChangeServiceConfigW  77266F81 5 Bytes  JMP 00280A08
.text  G:\dcpqq9bn.exe[6000] ADVAPI32.dll!ChangeServiceConfig2A  77267099 5 Bytes  JMP 00280C0C
.text  G:\dcpqq9bn.exe[6000] ADVAPI32.dll!ChangeServiceConfig2W  772671E1 5 Bytes  JMP 00280E10
.text  G:\dcpqq9bn.exe[6000] ADVAPI32.dll!CreateServiceA  772672A1 5 Bytes  JMP 002801F8
.text  G:\dcpqq9bn.exe[6000] USER32.dll!SetWindowsHookExA  772B6322 5 Bytes  JMP 00290600
.text  G:\dcpqq9bn.exe[6000] USER32.dll!SetWindowsHookExW  772B87AD 5 Bytes  JMP 00290804
.text  G:\dcpqq9bn.exe[6000] USER32.dll!UnhookWindowsHookEx  772B98DB 5 Bytes  JMP 00290A08
.text  G:\dcpqq9bn.exe[6000] USER32.dll!SetWinEventHook  772B9F3A 5 Bytes  JMP 002901F8
.text  G:\dcpqq9bn.exe[6000] USER32.dll!UnhookWinEvent  772BC06F 5 Bytes  JMP 002903FC

---- User IAT/EAT - GMER 2.0 ----

IAT  C:\Program Files\AVAST Software\Avast\AvastUI.exe[2064] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW]  [69D2F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT  C:\Windows\Explorer.EXE[2480] @ C:\Windows\system32\ole32.dll [msvcrt.dll!free]  [6F40F3FB] C:\Windows\AppPatch\AcSpecfc.DLL (Windows Compatibility DLL/Microsoft Corporation)
IAT  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2716] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW]  [69D2F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Processes - GMER 2.0 ----

Library  c:\windows\system32\y (*** hidden *** ) @ C:\Windows\system32\svchost.exe [1012]  0x45670000
Library  c:\windows\system32\y (*** hidden *** ) @ C:\Windows\Explorer.EXE [2480]  0x45670000

---- Registry - GMER 2.0 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0016411f4ab6
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001a6b004b77
Reg  HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\0016411f4ab6 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001a6b004b77 (not active ControlSet)
Reg  HKLM\SOFTWARE\Microsoft\Windows\Windows Error Reporting\Debug@StoreLocation  C:\ProgramData\Microsoft\Windows\WER\ReportQueue\Report100a7848

---- Files - GMER 2.0 ----

File  C:\avast! sandbox  0 bytes
File  C:\avast! sandbox\S-1-5-21-2993633223-2727232338-3083519205-1003  0 bytes
File  C:\avast! sandbox\S-1-5-21-2993633223-2727232338-3083519205-1003\r1  0 bytes
File  C:\avast! sandbox\S-1-5-21-2993633223-2727232338-3083519205-1003\r1\dcpqq9bn.exe_{68cd29da-70ba-11e2-ba80-0017a4e1c623}  0 bytes
File  C:\avast! sandbox\S-1-5-21-2993633223-2727232338-3083519205-1003\r1\OTL.exe_{68cd29cc-70ba-11e2-ba80-0017a4e1c623}  0 bytes
File  C:\avast! sandbox\S-1-5-21-2993633223-2727232338-3083519205-1003\r1\OTL.exe_{68cd29d3-70ba-11e2-ba80-0017a4e1c623}  0 bytes
File  C:\avast! sandbox\snx_rhive  262144 bytes
File  C:\avast! sandbox\snx_rhive.LOG1  9216 bytes
File  C:\avast! sandbox\snx_rhive.LOG2  0 bytes
File  C:\avast! sandbox\snx_rhive{68cd29ce-70ba-11e2-ba80-0017a4e1c623}.TM.blf  65536 bytes
File  C:\avast! sandbox\snx_rhive{68cd29ce-70ba-11e2-ba80-0017a4e1c623}.TMContainer00000000000000000001.regtrans-ms  524288 bytes
File  C:\avast! sandbox\snx_rhive{68cd29ce-70ba-11e2-ba80-0017a4e1c623}.TMContainer00000000000000000002.regtrans-ms  524288 bytes
File  C:\avast! sandbox\snx_rhive{68cd29d5-70ba-11e2-ba80-0017a4e1c623}.TM.blf  65536 bytes
File  C:\avast! sandbox\snx_rhive{68cd29d5-70ba-11e2-ba80-0017a4e1c623}.TMContainer00000000000000000001.regtrans-ms  524288 bytes
File  C:\avast! sandbox\snx_rhive{68cd29d5-70ba-11e2-ba80-0017a4e1c623}.TMContainer00000000000000000002.regtrans-ms  524288 bytes

---- EOF - GMER 2.0 ----