GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-07-07 05:56:04 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD25 rev.01.0 232,89GB Running: bectqm8i.exe; Driver: C:\Users\Kasia\AppData\Local\Temp\ugddqpod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x92B34AA0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x92B3557E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x92B415C8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x92B41614] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x92B417AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x92B41536] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x9035B6D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x92B4157E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0x92B35AB4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x92B41768] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x92B3636C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x92B34B06] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x92B39B40] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x92B346F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x9035B7B2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x92B34B6C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x92B39F36] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x92B36E54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x92B415F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x92B41636] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x92B417D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x92B4155C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x92B3943A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x92B416E6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x92B415A6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x92B39822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x92B4178C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x9035B556] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x92B36CC8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0x92B3681E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x92B34BD2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x92B34C38] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x9035B8AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x92B3478C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x92B3495E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x92B348EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x92B36536] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x92B36698] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x92B349E6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x9035B624] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x92B361C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x92B34C9E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x92B355DA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x92B35CD0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 830C0758 4 Bytes [A0, 4A, B3, 92] .text ntkrnlpa.exe!KeSetEvent + 191 830C07DC 4 Bytes [7E, 55, B3, 92] {JLE 0x57; MOV BL, 0x92} .text ntkrnlpa.exe!KeSetEvent + 1D1 830C081C 8 Bytes [C8, 15, B4, 92, 14, 16, B4, ...] {ENTER 0xb415, 0x92; ADC AL, 0x16; MOV AH, 0x92} .text ntkrnlpa.exe!KeSetEvent + 1DD 830C0828 4 Bytes [AE, 17, B4, 92] {SCASB ; POP SS; MOV AH, 0x92} .text ntkrnlpa.exe!KeSetEvent + 1F5 830C0840 4 Bytes [36, 15, B4, 92] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 8324E00F 4 Bytes CALL 92B37517 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 83251C83 4 Bytes CALL 92B3752D \SystemRoot\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8B553480, 0x3C939, 0xE8000020] .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8B594900, 0x3CA, 0x48000040] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8F80D000, 0x1FB0FA, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\WLANExt.exe[124] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Windows\system32\Dwm.exe[612] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Windows\system32\csrss.exe[784] KERNEL32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Windows\system32\wininit.exe[844] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Windows\system32\csrss.exe[856] KERNEL32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2032] kernel32.dll!SetUnhandledExceptionFilter 76B4A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[2032] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[2052] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Windows\system32\taskeng.exe[2096] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Windows\system32\svchost.exe[2136] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Windows\system32\taskeng.exe[2212] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\avastui.exe[2536] kernel32.dll!SetUnhandledExceptionFilter 76B4A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[2536] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[2552] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[2592] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Windows\system32\taskeng.exe[2636] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[2988] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text ... .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] ntdll.dll!LdrLoadDll 77969378 5 Bytes JMP 6E0A1EAE C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] ntdll.dll!LdrUnloadDll 7797B680 5 Bytes JMP 001603FC .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] ntdll.dll!NtCreateFile 779A4264 5 Bytes JMP 5992B8D0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] ntdll.dll!NtFlushBuffersFile 779A4764 5 Bytes JMP 59927B07 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] ntdll.dll!NtQueryFullAttributesFile 779A4C94 5 Bytes JMP 59927820 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] ntdll.dll!NtReadFile 779A4EC4 5 Bytes JMP 59927A00 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] ntdll.dll!NtReadFileScatter 779A4ED4 5 Bytes JMP 5A17CCC0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] ntdll.dll!NtWriteFile 779A54D4 5 Bytes JMP 5992BFE0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] ntdll.dll!NtWriteFileGather 779A54E4 5 Bytes JMP 5A17CC6F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] KERNEL32.dll!HeapSetInformation + 26 76B4A9B8 7 Bytes JMP 59928236 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] KERNEL32.dll!LockResource + C 76B66BD3 7 Bytes JMP 5A149E65 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] KERNEL32.dll!VirtualAllocEx + 54 76B6B030 7 Bytes JMP 5A149E88 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] KERNEL32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] USER32.dll!GetWindowInfo 7776428E 5 Bytes JMP 5A057585 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[6168] GDI32.dll!SetStretchBltMode + 256 76F2745C 7 Bytes JMP 5A149DE6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Windows\system32\conime.exe[6232] kernel32.dll!GetBinaryTypeW + 70 76B7252F 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\services.exe[888] @ C:\Windows\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 000F0002 IAT C:\Windows\system32\services.exe[888] @ C:\Windows\system32\services.exe [KERNEL32.dll!CreateProcessW] 000F0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp aswTdi.sys AttachedDevice \Driver\tdx \Device\Udp aswTdi.sys ---- EOF - GMER 2.1 ----