GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-13 00:25:08 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEVT-22ZCT0 rev.11.01A11 298,09GB Running: 6opju9wl.exe; Driver: C:\Users\Domunuta\AppData\Local\Temp\pgddqpoc.sys ---- System - GMER 2.1 ---- SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8BF21ACC] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8BF225AA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateEvent [0x8BF2E692] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8BF2E6DE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8BF2E878] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateMutant [0x8BF2E600] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwCreateSection [0x8BB34426] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8BF2E648] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateThread [0x8BF22AE0] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x8BF22CFC] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateTimer [0x8BF2E832] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8BF23398] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8BF21B32] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8BF26BE4] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwLoadDriver [0x8BF2171E] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8BB34506] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8BF21B98] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8BF26FDA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8BF23EDE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenEvent [0x8BF2E6BC] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8BF2E700] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8BF2E89C] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenMutant [0x8BF2E626] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenProcess [0x8BF264DE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenSection [0x8BF2E7B0] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8BF2E670] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenThread [0x8BF268C6] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenTimer [0x8BF2E856] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8BB342AA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwQueryObject [0x8BF23CF4] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8BF23A02] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8BF21BFE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8BF21C64] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwSetContextThread [0x8BB34602] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8BF217B8] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8BF2198A] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8BF21918] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8BF23562] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSuspendThread [0x8BF236C4] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8BF21A12] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwTerminateProcess [0x8BB34378] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwTerminateThread [0x8BF231F2] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwVdmControl [0x8BF21CCA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x8BF22606] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 1409 82C4B9A5 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C6B512 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 1393 82C72988 4 Bytes [CC, 1A, F2, 8B] .text ntoskrnl.exe!KeRemoveQueueEx + 141B 82C72A10 4 Bytes [AA, 25, F2, 8B] .text ntoskrnl.exe!KeRemoveQueueEx + 146F 82C72A64 8 Bytes [92, E6, F2, 8B, DE, E6, F2, ...] .text ntoskrnl.exe!KeRemoveQueueEx + 147B 82C72A70 4 Bytes CALL 8DB6B667 .text ntoskrnl.exe!KeRemoveQueueEx + 1497 82C72A8C 4 Bytes [00, E6, F2, 8B] .text ... PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 108 82E261B1 4 Bytes CALL 8BF245C5 \??\C:\Windows\system32\drivers\aswSnx.sys PAGE ntoskrnl.exe!ZwAlpcSendWaitReceivePort + 122 82E62EED 4 Bytes CALL 8BF245DB \??\C:\Windows\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9340A000, 0x2D5378, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[348] kernel32.dll!GetBinaryTypeW + 70 76596AAC 1 Byte [62] .text C:\Windows\system32\csrss.exe[384] kernel32.dll!GetBinaryTypeW + 70 76596AAC 1 Byte [62] .text C:\Windows\system32\wininit.exe[448] kernel32.dll!GetBinaryTypeW + 70 76596AAC 1 Byte [62] .text C:\Windows\system32\csrss.exe[456] kernel32.dll!GetBinaryTypeW + 70 76596AAC 1 Byte [62] .text C:\Windows\system32\services.exe[504] kernel32.dll!GetBinaryTypeW + 70 76596AAC 1 Byte [62] .text ... .text C:\Program Files\Mozilla Firefox\firefox.exe[5456] ntdll.dll!LdrUnloadDll 76DFC8DE 5 Bytes JMP 000E03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[5456] ntdll.dll!LdrLoadDll 76E022AE 5 Bytes JMP 6C621FD9 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5456] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 765794E6 7 Bytes JMP 580840E1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5456] KERNEL32.dll!QueryPerformanceCounter + 13 7657C4E5 7 Bytes JMP 58084104 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5456] KERNEL32.dll!LoadAppInitDlls + 355 7657F5A6 7 Bytes JMP 57753255 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5456] KERNEL32.dll!GetBinaryTypeW + 70 76596AAC 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[5456] GDI32.dll!GetViewportOrgEx + 26C 76F1884B 7 Bytes JMP 58084062 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Windows\system32\DllHost.exe[5608] kernel32.dll!GetBinaryTypeW + 70 76596AAC 1 Byte [62] .text C:\Windows\system32\taskeng.exe[6012] kernel32.dll!GetBinaryTypeW + 70 76596AAC 1 Byte [62] ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5a678 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5a678@143605905d8f 0xEA 0xEC 0xEB 0x33 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5a678@940070fb1d79 0xFD 0xA9 0x46 0x13 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5a678@0026e21743e4 0x0B 0x8B 0x30 0x7D ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076c5a678@0025e76aa21e 0x50 0x37 0xFC 0xD8 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5a678 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5a678@143605905d8f 0xEA 0xEC 0xEB 0x33 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5a678@940070fb1d79 0xFD 0xA9 0x46 0x13 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5a678@0026e21743e4 0x0B 0x8B 0x30 0x7D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076c5a678@0025e76aa21e 0x50 0x37 0xFC 0xD8 ... Reg HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\E20D62C3-8DE5-46CC-9882-102502FC7BB8@IPAddress ::1 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Superfetch@VirtualStoreSize 1320 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\avast! sandbox 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3f4-81b6-11e3-b00d-0c6076c5a678} 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3f4-81b6-11e3-b00d-0c6076c5a678}\C 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3f4-81b6-11e3-b00d-0c6076c5a678}\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3f4-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3f4-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3f4-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta\AppData\Roaming 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3f4-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta\AppData\Roaming\.minecraft 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3f4-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta\AppData\Roaming\.minecraft\assets 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3f4-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta\AppData\Roaming\.minecraft\assets\sound 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3f4-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta\AppData\Roaming\.minecraft\assets\sound\mob 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3fc-81b6-11e3-b00d-0c6076c5a678} 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3fc-81b6-11e3-b00d-0c6076c5a678}\C 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3fc-81b6-11e3-b00d-0c6076c5a678}\C\Users 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3fc-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3fc-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta\AppData 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3fc-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta\AppData\Roaming 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3fc-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta\AppData\Roaming\.minecraft 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3fc-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta\AppData\Roaming\.minecraft\assets 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3fc-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta\AppData\Roaming\.minecraft\assets\sound 0 bytes File C:\avast! sandbox\S-1-5-21-3867551667-1530956314-2525137787-1001\r161\Uninstall.exe_{e1e4f3fc-81b6-11e3-b00d-0c6076c5a678}\C\Users\Domunuta\AppData\Roaming\.minecraft\assets\sound\ambient 0 bytes ---- EOF - GMER 2.1 ----