GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-11-15 22:46:10 Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9250320AS rev.SD58 232,89GB Running: 0qmnqief.exe; Driver: C:\Users\SAWEK~1\AppData\Local\Temp\ufdiqpob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8F621BA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8F622684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8F62E6F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8F62E744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8F62E8DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8F62E666] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8F6D8DF0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8F62E6AE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8F6D9080] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8F62E898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8F623472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8F621C0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8F626C68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8F6217F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8F6D8ED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8F621C72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8F62705E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8F623F5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8F62E722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8F62E766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8F62E902] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8F62E68C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8F626560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8F62E816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8F62E6D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8F62694C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8F62E8BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8F6D8C6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8F623DCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0x8F623924] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8F621CD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8F621D3E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8F6D8FCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8F621892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8F621A64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8F6219F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8F62363C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8F62379E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8F621AEC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8F6D8D3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8F6232CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8F621DA4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8F6D8BA0] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8F6D916A] INT 0x51 ? 8679CCB8 INT 0x51 ? 8679CCB8 INT 0x51 ? 8679CCB8 INT 0x72 ? 8679CCB8 INT 0x82 ? 8679CCB8 INT 0x92 ? 8679CCB8 INT 0xA2 ? 858BFCB8 INT 0xA2 ? 858BFCB8 INT 0xA2 ? 858BFCB8 INT 0xA2 ? 858BFCB8 INT 0xA2 ? 8679CCB8 INT 0xA2 ? 8679CCB8 INT 0xA2 ? 858BFCB8 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!KeSetEvent + 10D 82AE4758 4 Bytes [A6, 1B, 62, 8F] {CMPSB ; SBB ESP, [EDX-0x71]} .text ntkrnlpa.exe!KeSetEvent + 191 82AE47DC 4 Bytes [84, 26, 62, 8F] .text ntkrnlpa.exe!KeSetEvent + 1D1 82AE481C 8 Bytes [F8, E6, 62, 8F, 44, E7, 62, ...] .text ntkrnlpa.exe!KeSetEvent + 1DD 82AE4828 4 Bytes CALL B2DAD78F .text ntkrnlpa.exe!KeSetEvent + 1F5 82AE4840 4 Bytes [66, E6, 62, 8F] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 110 82C7200F 4 Bytes CALL 8F624641 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 121 82C75C83 4 Bytes CALL 8F624657 \SystemRoot\system32\drivers\aswSnx.sys .sptd1 C:\Windows\System32\Drivers\sptd.sys entry point in ".sptd1" section [0x80753774] .text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0xAFCDA300, 0x3AF78, 0xE8000020] .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0xAFD1D300, 0x1BCE, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\svchost.exe[264] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\Windows\system32\csrss.exe[524] KERNEL32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\Windows\system32\wininit.exe[568] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\Windows\system32\csrss.exe[576] KERNEL32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\Windows\system32\winlogon.exe[624] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1624] kernel32.dll!SetUnhandledExceptionFilter 76F3A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1624] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\ProgramData\MobileBrServ\mbbservice.exe[1648] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\Windows\system32\WLANExt.exe[1652] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\Windows\System32\svchost.exe[1672] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1724] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text ... .text C:\Program Files\LuckyTab\LuckyTab.exe[2320] ntdll.dll!LdrAccessResource 7702CFA9 5 Bytes JMP 0051C7A0 C:\Program Files\LuckyTab\LuckyTab.exe .text C:\Program Files\LuckyTab\LuckyTab.exe[2320] ntdll.dll!LdrFindResource_U 7702DE7F 5 Bytes JMP 0051C710 C:\Program Files\LuckyTab\LuckyTab.exe .text C:\Program Files\LuckyTab\LuckyTab.exe[2320] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\Program Files\LuckyTab\LuckyTab.exe[2320] USER32.dll!LoadStringA 75A46243 5 Bytes JMP 0051C620 C:\Program Files\LuckyTab\LuckyTab.exe .text C:\Program Files\LuckyTab\LuckyTab.exe[2320] USER32.dll!LoadStringW 75A59CCB 5 Bytes JMP 0051C6B0 C:\Program Files\LuckyTab\LuckyTab.exe .text C:\Windows\system32\igfxsrvc.exe[2348] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2440] kernel32.dll!SetUnhandledExceptionFilter 76F3A9BD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2440] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\ProgramData\421e43cc-ed79-4e60-91b6-5efd8c307dd0\maintainer.exe[2504] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\Windows\System32\svchost.exe[2684] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\Windows\System32\svchost.exe[2768] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text C:\Windows\system32\svchost.exe[2780] kernel32.dll!GetBinaryTypeW + 70 76F6252F 1 Byte [62] .text ... ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [73F57817] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [73F9B4F1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [73F5BB22] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [73F4F695] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [73F575E9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [73F4E7CA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStreamICM] [73F873F5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromStream] [73F5DA60] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [73F4FFFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [73F4FF61] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [73F471CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFileICM] [73FDCB12] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipLoadImageFromFile] [73F7C8D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [73F4D968] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [73F46853] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [73F4687E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll IAT C:\Windows\Explorer.EXE[1736] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [73F52AD1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.0.6002.19096_none_9e59a14eca0fa8de\gdiplus.dll ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 858C71F8 AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys Device \Driver\usbuhci \Device\USBPDO-0 868741F8 Device \Driver\usbuhci \Device\USBPDO-1 868741F8 Device \Driver\dtsoftbus01 \Device\00000053 869201F8 Device \Driver\usbehci \Device\USBPDO-2 867FD1F8 Device \Driver\dtsoftbus01 \Device\00000054 869201F8 Device \Driver\usbuhci \Device\USBPDO-3 868741F8 Device \Driver\usbuhci \Device\USBPDO-4 868741F8 AttachedDevice \Driver\tdx \Device\Tcp {ed7eb956-75ed-460d-8f69-29a93b07afd1}t.sys Device \Driver\usbuhci \Device\USBPDO-5 868741F8 Device \Driver\usbuhci \Device\USBPDO-6 868741F8 Device \Driver\usbehci \Device\USBPDO-7 867FD1F8 Device \Driver\cdrom \Device\CdRom0 8686A1F8 Device \Driver\USBSTOR \Device\00000065 853181F8 Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-0 858C41F8 Device \Driver\atapi \Device\Ide\IdePort0 858C41F8 Device \Driver\atapi \Device\Ide\IdePort1 858C41F8 Device \Driver\atapi \Device\Ide\IdePort2 858C41F8 Device \Driver\atapi \Device\Ide\IdePort3 858C41F8 Device \Driver\atapi \Device\Ide\IdeDeviceP3T0L0-3 858C41F8 Device \Driver\msahci \Device\Ide\PciIde0Channel0 858C51F8 Device \Driver\msahci \Device\Ide\PciIde0Channel1 858C51F8 Device \Driver\msahci \Device\Ide\PciIde0Channel4 858C51F8 Device \Driver\msahci \Device\Ide\PciIde0Channel5 858C51F8 Device \Driver\USBSTOR \Device\00000066 853181F8 Device \Driver\cdrom \Device\CdRom1 8686A1F8 Device \Driver\cdrom \Device\CdRom2 8686A1F8 Device \Driver\netbt \Device\NetBt_Wins_Export 86FD9440 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl 869201F8 Device \Driver\Smb \Device\NetbiosSmb 86FD71F8 AttachedDevice \Driver\tdx \Device\Udp {ed7eb956-75ed-460d-8f69-29a93b07afd1}t.sys Device \Driver\usbuhci \Device\USBFDO-0 868741F8 Device \Driver\usbuhci \Device\USBFDO-1 868741F8 Device \Driver\usbehci \Device\USBFDO-2 867FD1F8 Device \Driver\usbuhci \Device\USBFDO-3 868741F8 Device \Driver\usbuhci \Device\USBFDO-4 868741F8 Device \Driver\usbuhci \Device\USBFDO-5 868741F8 Device \Driver\netbt \Device\NetBT_Tcpip_{5F508BA3-6E9B-4EF7-B8CB-91B5EA700E5C} 86FD9440 Device \Driver\usbuhci \Device\USBFDO-6 868741F8 Device \Driver\usbehci \Device\USBFDO-7 867FD1F8 Device \FileSystem\cdfs \Cdfs 87FA61F8 ---- Trace I/O - GMER 2.1 ---- Trace ntkrnlpa.exe CLASSPNP.SYS disk.sys acpi.sys hal.dll >>UNKNOWN [0x858c41f8]<< 858c41f8 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0x86188600] 86188600 Trace 3 CLASSPNP.SYS[887d48b3] -> nt!IofCallDriver -> [0x85932b90] 85932b90 Trace 5 acpi.sys[807776bc] -> nt!IofCallDriver -> \Device\Ide\IdeDeviceP0T0L0-0[0x8591cb98] 8591cb98 Trace \Driver\atapi[0x84f6ea10] -> IRP_MJ_CREATE -> 0x858c41f8 858c41f8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet001\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet) Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet010\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@p0 C:\Program Files\DAEMON Tools Lite\ Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0 0x00 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0 0 ---- EOF - GMER 2.1 ----