GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-05 19:20:56 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-3 TOSHIBA_MK1246GSX rev.LB213J 111,79GB Running: ybrhjd9t.exe; Driver: C:\Users\Magda\AppData\Local\Temp\fwddikoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8B055BA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8B056684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8B0626F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8B062744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8B0628DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8B062666] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8B10CDF0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8B0626AE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8B10D080] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8B10D16A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8B062898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8B057472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8B055C0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8B05AC68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8B0557F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8B10CED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8B055C72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8B05B05E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8B057F5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8B062722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8B062766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8B062902] SSDT 
\SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8B06268C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8B05A560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8B062816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8B0626D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8B05A94C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8B0628BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8B10CC6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8B057DCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8B057ADC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8B055CD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8B055D3E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8B10CFCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8B055892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8B055A64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8B0559F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8B05763C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8B05779E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8B055AEC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8B10CD3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8B0572CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8B055DA4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8B10CBA0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A49A49 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A834D2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] 
{LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CC 82A8A501 3 Bytes [5B, 05, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82A8A588 4 Bytes [84, 66, 05, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82A8A5DC 8 Bytes [F8, 26, 06, 8B, 44, 27, 06, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82A8A5E8 4 Bytes [DE, 28, 06, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82A8A604 4 Bytes [66, 26, 06, 8B] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C463F7 4 Bytes CALL 8B058641 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82C6020E 4 Bytes CALL 8B058657 \SystemRoot\system32\drivers\aswSnx.sys ? system32\drivers\ccnfd_1_10_0_2.sys System nie może odnaleźć określonej ścieżki. ! ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSvcM.exe[348] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text C:\Windows\system32\csrss.exe[400] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text C:\Windows\system32\wininit.exe[452] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text C:\Windows\system32\csrss.exe[460] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text C:\Windows\system32\services.exe[508] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1360] kernel32.dll!SetUnhandledExceptionFilter 75F8F4FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] 
{XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1360] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[1384] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1528] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text C:\Windows\Explorer.EXE[1544] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1596] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1884] kernel32.dll!SetUnhandledExceptionFilter 75F8F4FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1884] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1928] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[2152] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[2400] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[2856] kernel32.dll!GetBinaryTypeW + 70 75FA69F4 1 Byte [62] .text ... ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp ccnfd_1_10_0_2.sys AttachedDevice \Driver\tdx \Device\Udp ccnfd_1_10_0_2.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- EOF - GMER 2.1 ----
Analyst note (not part of the GMER output): every SSDT entry and both PAGE-section CALLs are attributed to aswSnx.sys / aswSP.sys, whose "asw" naming matches the Avast installation listed in this log under C:\Program Files\AVAST Software, so those hooks are consistent with the installed antivirus rather than a rootkit. The item that needs follow-up is ccnfd_1_10_0_2.sys: the Devices section shows it attached to \Device\Tcp and \Device\Udp (a position from which it can see TCP/UDP I/O), yet the "?" entry in the kernel section reports that its file under system32\drivers could not be located — the Polish message reads "The system cannot find the path specified". A network filter driver that is active in memory but has no locatable file on disk should be identified (service registry entry, file signature/publisher, installation date, associated software) before the machine is treated as clean. The .text modifications at ntkrnlpa.exe!KiDispatchInterrupt / KeRemoveQueueEx and the identical 1-byte change at kernel32.dll!GetBinaryTypeW + 70 in every listed process cannot be classified from this log alone; compare them against a known-good image or a second scanner before calling them hooks.