GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-11 22:30:20
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000065 ST932031 rev.0001 298,09GB
Running: gmer.exe; Driver: C:\Users\madziola\AppData\Local\Temp\axlyqpod.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x92627AC4]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x926E3012]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x926285A2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x9263463C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x92634688]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x92634822]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x926345AA]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x926E33EC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x926345F2]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x926E367C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x926E3766]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x926347DC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x92629390]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x92627B2A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x9262CB86]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x92627716]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x926E34CC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x92627B90]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x9262CF7C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x92629E78]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x92634666]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x926346AA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x92634846]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x926345D0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x9262C47E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x9263475A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x9263461A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x9262C86A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x92634800]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x926E326A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x92629CEC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x926299FA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x92627BF6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x92627C5C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x926E35C8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x926277B0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x92627982]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x92627910]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x9262955A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x926296BC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x92627A0A]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x926E3338]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x926291EA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x92627CC2]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x926E319C]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 83476A15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 834B0212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 834B7460 4 Bytes [C4, 7A, 62, 92] {LES EDI, [EDX+0x62]; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 834B7488 4 Bytes [12, 30, 6E, 92] {ADC DH, [EAX]; OUTS DX, BYTE [ESI]; XCHG EDX, EAX}
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 834B74E8 4 Bytes [A2, 85, 62, 92]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 834B753C 5 Bytes [3C, 46, 63, 92, 88]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11AD 834B7542 2 Bytes [63, 92]
.text ...
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 836724EF 4 Bytes CALL 9262A55F \SystemRoot\system32\drivers\aswSnx.sys
PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 8368C357 4 Bytes CALL 9262A575 \SystemRoot\system32\drivers\aswSnx.sys
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9322E000, 0x35356D, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1512] kernel32.dll!SetUnhandledExceptionFilter 764DF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\AVAST Software\Avast\avastui.exe[2388] kernel32.dll!SetUnhandledExceptionFilter 764DF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[3224] ntdll.dll!DbgUiRemoteBreakin 776DF1D3 1 Byte [C3]

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys
AttachedDevice \Driver\kbdclass \Device\KeyboardClass1 Wdf01000.sys

---- Threads - GMER 2.1 ----

Thread System [4:4140] BD650F2E

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c0f8daf0e71a
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCD 0x5A 0x59 0x9C ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c0f8daf0e71a (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12 0xCD 0x5A 0x59 0x9C ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@058D7934 1377

---- EOF - GMER 2.1 ----