GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-20 08:11:25 Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK3252GSX rev.LV010M 298,09GB Running: emq1egf3.exe; Driver: C:\Users\Ania\AppData\Local\Temp\kwtdrpow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8F743A9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8F74457A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8F7505C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8F750610] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8F7507AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8F750532] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8F3866C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8F75057A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0x8F744AB0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8F750764] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8F745368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8F743B02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8F748B3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8F7436EE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8F3867A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8F743B68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8F748F32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8F745E50] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8F7505EE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8F750632] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8F7507CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8F750558] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8F748436] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8F7506E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8F7505A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8F74881E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8F750788] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8F386546] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8F745CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0x8F74581A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8F743BCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8F743C34] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8F38689E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8F743788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8F74395A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8F7438E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8F745532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8F745694] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8F7439E2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8F386614] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8F7451C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8F743C9A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x8F7445D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x8F744CCC] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetTimerEx + 340 82AC2964 4 Bytes [9C, 3A, 74, 8F] .text ntkrnlpa.exe!KeSetTimerEx + 3C4 82AC29E8 4 Bytes [7A, 45, 74, 8F] {JP 0x47; JZ 0xffffff93} .text ntkrnlpa.exe!KeSetTimerEx + 404 82AC2A28 8 Bytes [C4, 05, 75, 8F, 10, 06, 75, ...] {LES EAX, [0x6108f75]; JNZ 0xffffff97} .text ntkrnlpa.exe!KeSetTimerEx + 410 82AC2A34 4 Bytes [AA, 07, 75, 8F] {STOSB ; POP ES; JNZ 0xffffff93} .text ntkrnlpa.exe!KeSetTimerEx + 428 82AC2A4C 4 Bytes [32, 05, 75, 8F] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82C26666 4 Bytes CALL 8F746513 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82C35FC9 4 Bytes CALL 8F746529 \SystemRoot\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8AB59480, 0x3C939, 0xE8000020] .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8AB9A900, 0x3CA, 0x48000040] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8E602000, 0x1FB0FA, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\spoolsv.exe[292] kernel32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text C:\Windows\system32\svchost.exe[428] kernel32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text C:\Windows\System32\svchost.exe[720] kernel32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text C:\Windows\system32\csrss.exe[752] KERNEL32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text C:\Windows\system32\csrss.exe[812] KERNEL32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text ... .text D:\AVAST Software\Avast\AvastSvc.exe[1908] kernel32.dll!SetUnhandledExceptionFilter 75C4700D 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text D:\AVAST Software\Avast\AvastSvc.exe[1908] kernel32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text C:\Windows\system32\svchost.exe[1972] kernel32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2096] KERNEL32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text D:\Programy\sony\PMBDeviceInfoProvider.exe[2184] kernel32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text C:\Windows\System32\svchost.exe[2196] kernel32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text ... .text D:\AVAST Software\Avast\AvastUI.exe[3708] kernel32.dll!SetUnhandledExceptionFilter 75C4700D 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text D:\AVAST Software\Avast\AvastUI.exe[3708] kernel32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text C:\Program Files\Toshiba\SmartFaceV\SmartFaceVWatchSrv.exe[3724] kernel32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[3888] kernel32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[4104] KERNEL32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text C:\Program Files\Toshiba\ConfigFree\CFSwMgr.exe[4180] kernel32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text ... .text D:\Mozilla Firefox\firefox.exe[5952] ntdll.dll!LdrLoadDll 76FE79B3 5 Bytes JMP 6C381FD9 D:\Mozilla Firefox\mozglue.dll .text D:\Mozilla Firefox\firefox.exe[5952] ntdll.dll!LdrUnloadDll 76FFE5AC 5 Bytes JMP 001603FC .text D:\Mozilla Firefox\firefox.exe[5952] KERNEL32.dll!HeapSetInformation + 26 75C47008 7 Bytes JMP 5DD53255 D:\Mozilla Firefox\xul.dll .text D:\Mozilla Firefox\firefox.exe[5952] KERNEL32.dll!LockResource + C 75C6813B 7 Bytes JMP 5E6840E1 D:\Mozilla Firefox\xul.dll .text D:\Mozilla Firefox\firefox.exe[5952] KERNEL32.dll!VirtualAllocEx + 54 75C6BA7A 7 Bytes JMP 5E684104 D:\Mozilla Firefox\xul.dll .text D:\Mozilla Firefox\firefox.exe[5952] KERNEL32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] .text D:\Mozilla Firefox\firefox.exe[5952] GDI32.dll!StretchDIBits + 179 76A275BB 7 Bytes JMP 5E684062 D:\Mozilla Firefox\xul.dll .text C:\Windows\system32\wbem\wmiprvse.exe[6112] kernel32.dll!GetBinaryTypeW + 70 75C71CE8 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\services.exe[856] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 000C0002 IAT C:\Windows\system32\services.exe[856] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 000C0000 IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73468864] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [734A9855] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7346B984] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [7345FB47] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73467A29] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [7345EA65] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [7349B12D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [7346BC4A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73460756] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [734606BD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [734571B3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [734ED9E0] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73487329] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7345E109] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7345697E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [734569A9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll IAT C:\Windows\Explorer.EXE[3164] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73462475] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6001.18551_none_9e7a1850c9c1b3dc\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp aswTdi.sys AttachedDevice \Driver\tdx \Device\Udp aswTdi.sys ---- Processes - GMER 2.1 ---- Process (*** hidden *** ) [4] 84D5F910 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2946052F-3ADC-495E-A8B6-04518476F02B}@LeaseObtainedTime 1397940511 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2946052F-3ADC-495E-A8B6-04518476F02B}@T1 1398070111 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2946052F-3ADC-495E-A8B6-04518476F02B}@T2 1398167311 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2946052F-3ADC-495E-A8B6-04518476F02B}@LeaseTerminatesTime 1398199711 ---- EOF - GMER 2.1 ----