GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-29 00:56:12
Windows 6.0.6001 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST916031 rev.HP07 149,05GB
Running: du195qui.exe; Driver: C:\Users\Michal\AppData\Local\Temp\uwdiypow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8D01CAC4]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x8D0D8012]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8D01D5A2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8D02963C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8D029688]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8D029822]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8D0295AA]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8D0D83EC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8D0295F2]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8D0D867C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8D0297DC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8D01E390]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8D01CB2A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8D021B86]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8D01C716]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8D0D84CC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8D01CB90]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8D021F7C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8D01EE78]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8D029666]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8D0296AA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8D029846]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8D0295D0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8D02147E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8D02975A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8D02961A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8D02186A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8D029800]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8D0D826A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8D01ECEC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0x8D01E842]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8D01CBF6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8D01CC5C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8D0D85C8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8D01C7B0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8D01C982]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8D01C910]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8D01E55A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8D01E6BC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8D01CA0A]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8D0D8338]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8D01E1EA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8D01CCC2]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8D0D819C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8D0D8766]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!KeSetTimerEx + 340 81CCD994 4 Bytes [C4, CA, 01, 8D]
.text ntkrnlpa.exe!KeSetTimerEx + 364 81CCD9B8 4 Bytes [12, 80, 0D, 8D]
.text ntkrnlpa.exe!KeSetTimerEx + 3C4 81CCDA18 4 Bytes [A2, D5, 01, 8D]
.text ntkrnlpa.exe!KeSetTimerEx + 404 81CCDA58 8 Bytes [3C, 96, 02, 8D, 88, 96, 02, ...] {CMP AL, 0x96; ADD CL, [EBP-0x72fd6978]}
.text ntkrnlpa.exe!KeSetTimerEx + 410 81CCDA64 4 Bytes [22, 98, 02, 8D]
.text ...
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 81E311B6 4 Bytes CALL 8D01F55F \SystemRoot\system32\drivers\aswSnx.sys
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 81E40B0D 4 Bytes CALL 8D01F575 \SystemRoot\system32\drivers\aswSnx.sys
.text C:\Windows\system32\DRIVERS\nvlddmkm.sys section is writeable [0x8C605320, 0x3E4E87, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[632] kernel32.dll!SetUnhandledExceptionFilter 76C46E2D 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1888] kernel32.dll!SetUnhandledExceptionFilter 76C46E2D 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] ntdll.dll!LdrLoadDll 77987933 5 Bytes JMP 000601F8
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] ntdll.dll!LdrUnloadDll 7799E89C 5 Bytes JMP 000603FC
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] USER32.dll!DialogBoxIndirectParamW 761EBD25 5 Bytes JMP 6CE45ACB C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] USER32.dll!DialogBoxParamW 76201FD5 5 Bytes JMP 6CE45A55 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] USER32.dll!DialogBoxParamA 762280B2 5 Bytes JMP 6CE45A90 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] USER32.dll!DialogBoxIndirectParamA 762283DD 5 Bytes JMP 6CE45B06 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] USER32.dll!MessageBoxIndirectA 7623D471 5 Bytes JMP 6CE45A11 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] USER32.dll!MessageBoxIndirectW 7623D56B 5 Bytes JMP 6CE459CD C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] USER32.dll!MessageBoxExA 7623D5D1 5 Bytes JMP 6CE45993 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] USER32.dll!MessageBoxExW 7623D5F5 5 Bytes JMP 6CE45959 C:\Windows\system32\IEFRAME.dll
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] SHELL32.dll!SHRestricted + DFD 76E08390 4 Bytes [99, 0B, 35, 6C]
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] SHELL32.dll!SHRestricted + E05 76E08398 8 Bytes [A7, 0A, 35, 6C, A4, 32, 34, ...] {CMPSD ; OR DH, [0x3432a46c]; INS BYTE [ES:EDI], DX}
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] SHELL32.dll!SHBindToObject + 693 76E0A9B8 4 Bytes [99, 0B, 35, 6C]
.text C:\Program Files\Internet Explorer\iexplore.exe[5948] SHELL32.dll!SHBindToObject + 69B 76E0A9C0 4 Bytes [A7, 0A, 35, 6C]
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] ntdll.dll!LdrLoadDll 77987933 5 Bytes JMP 6D831F43 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] ntdll.dll!LdrUnloadDll 7799E89C 5 Bytes JMP 000603FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] ntdll.dll!NtCreateFile 779B8008 5 Bytes JMP 5FBDC820 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] ntdll.dll!NtFlushBuffersFile 779B8508 5 Bytes JMP 5FBAF374 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] ntdll.dll!NtQueryFullAttributesFile 779B8A38 5 Bytes JMP 5FBAF090 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] ntdll.dll!NtReadFile 779B8C68 5 Bytes JMP 5FBAF270 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] ntdll.dll!NtReadFileScatter 779B8C78 5 Bytes JMP 6050923A C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] ntdll.dll!NtWriteFile 779B9278 5 Bytes JMP 5FBDD710 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] ntdll.dll!NtWriteFileGather 779B9288 5 Bytes JMP 605091E9 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] KERNEL32.dll!HeapSetInformation + 26 76C46E28 7 Bytes JMP 5FBD934D C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] KERNEL32.dll!LockResource + C 76C67F2B 7 Bytes JMP 6046FDEA C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] KERNEL32.dll!VirtualAllocEx + 54 76C6B86A 7 Bytes JMP 6046FE0D C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] user32.dll!GetWindowInfo 761F0560 5 Bytes JMP 603762F6 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[6012] GDI32.dll!StretchDIBits + 179 766975BB 7 Bytes JMP 6046FD6B C:\Program Files\Mozilla Firefox\xul.dll

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.sys
AttachedDevice \Driver\tdx \Device\Udp aswTdi.sys

---- Processes - GMER 2.1 ----

Process (*** hidden *** ) [4] 8483EBD8

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----