GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-11 01:01:23 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD1600BEVT-22ZCT0 rev.11.01A11 149,05GB Running: gmer.exe; Driver: C:\Users\Rafael\AppData\Local\Temp\kwrdypoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8D898BA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8D899684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8D8A56F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8D8A5744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8D8A58DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8D8A5666] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8D94FDF0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8D8A56AE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8D950080] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8D95016A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8D8A5898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8D89A472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8D898C0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8D89DC68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8D8987F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8D94FED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8D898C72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8D89E05E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8D89AF5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8D8A5722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8D8A5766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8D8A5902] SSDT 
\SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8D8A568C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8D89D560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8D8A5816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8D8A56D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8D89D94C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8D8A58BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8D94FC6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8D89ADCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8D89AADC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8D898CD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8D898D3E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8D94FFCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8D898892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8D898A64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8D8989F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8D89A63C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8D89A79E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8D898AEC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8D94FD3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8D89A2CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8D898DA4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8D94FBA0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A45A35 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A7F392 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] 
{LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82A865B0 4 Bytes [A6, 8B, 89, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82A86638 4 Bytes [84, 96, 89, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82A8668C 8 Bytes [F8, 56, 8A, 8D, 44, 57, 8A, ...] {CLC ; PUSH ESI; MOV CL, [EBP-0x7275a8bc]} .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82A86698 4 Bytes [DE, 58, 8A, 8D] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82A866B4 4 Bytes [66, 56, 8A, 8D] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Google\Update\GoogleUpdate.exe[536] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\system32\csrss.exe[596] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\system32\wininit.exe[648] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\system32\csrss.exe[656] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\system32\winlogon.exe[712] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1592] kernel32.dll!SetUnhandledExceptionFilter 779CF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1592] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Program Files\Cisco Systems\VPN Client\cvpnd.exe[1620] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1724] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\Explorer.EXE[1736] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1780] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\avastui.exe[1948] kernel32.dll!SetUnhandledExceptionFilter 779CF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] 
{XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[1948] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[1968] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1976] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[2380] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Program Files\TeamViewer\Version9\TeamViewer_Service.exe[2648] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] ntdll.dll!NtCreateFile 77BD5608 5 Bytes JMP 590AC420 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] ntdll.dll!NtFlushBuffersFile 77BD5998 5 Bytes JMP 59081594 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] ntdll.dll!NtQueryFullAttributesFile 77BD6028 5 Bytes JMP 590812B0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] ntdll.dll!NtReadFile 77BD62F8 5 Bytes JMP 59081490 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] ntdll.dll!NtReadFileScatter 77BD6308 5 Bytes JMP 599D97EB C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] ntdll.dll!NtWriteFile 77BD6AA8 5 Bytes JMP 590AD2F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] ntdll.dll!NtWriteFileGather 77BD6AB8 5 Bytes JMP 599D979A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] ntdll.dll!LdrUnloadDll 77BEC8DE 5 Bytes JMP 000703FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] ntdll.dll!LdrLoadDll 77BF22AE 5 Bytes JMP 6C7D1F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] 
KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 779C94E6 7 Bytes JMP 599400FF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] KERNEL32.dll!QueryPerformanceCounter + 13 779CC4E5 7 Bytes JMP 59940122 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] KERNEL32.dll!LoadAppInitDlls + 355 779CF5A6 7 Bytes JMP 590A8F84 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] KERNEL32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] USER32.dll!GetWindowInfo 774C4B5E 5 Bytes JMP 598468B0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2864] GDI32.dll!GetViewportOrgEx + 26C 7759884B 7 Bytes JMP 59940080 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Windows\system32\SearchIndexer.exe[3000] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\system32\wbem\unsecapp.exe[3008] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\System32\svchost.exe[3076] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3240] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Program Files\KeePass Password Safe 2\KeePass.exe[3308] KERNEL32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text ... 
.text C:\Program Files\OO Software\Defrag\oodag.exe[4580] kernel32.dll!SetUnhandledExceptionFilter 779CF5AB 5 Bytes JMP 00401B50 C:\Program Files\OO Software\Defrag\oodag.exe .text C:\Program Files\OO Software\Defrag\oodag.exe[4580] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text E:\jotdownloader\BESTplayer.exe[4592] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Program Files\OO Software\Defrag\oodcnt.exe[4964] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] .text C:\Windows\system32\AUDIODG.EXE[5960] kernel32.dll!GetBinaryTypeW + 70 779E6AAC 1 Byte [62] ---- Devices - GMER 2.1 ---- Device Ntfs.sys AttachedDevice tdrpm258.sys Device volmgr.sys AttachedDevice fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System Reg HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\System [... Reg entries removed by de-duplication in this copy of the log ...] Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@9BABA9B8 141 ---- EOF - GMER 2.1 ----