GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-29 13:07:56 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\0000005f SAMSUNG_ rev.1AC0 232,89GB Running: mvolvzbo.exe; Driver: C:\Users\Dorota\AppData\Local\Temp\kwrdrpow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x91499AC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x915550BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x9149A5A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x914A663C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x914A6688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x914A6822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x914A65AA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x91555494] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x914A65F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x91555724] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x9155580E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x914A67DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x9149B390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x91499B2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x9149EB86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x91499716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x91555574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x91499B90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x9149EF7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x9149BE78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x914A6666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x914A66AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x914A6846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x914A65D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x9149E47E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x914A675A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x914A661A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x9149E86A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x914A6800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x91555312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x9149BCEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x9149B9FA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x91499BF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x91499C5C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x91555670] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x914997B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x91499982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x91499910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x9149B55A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x9149B6BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x91499A0A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x915553E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x9149B1EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x91499CC2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x91555244] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestWaitReplyPort + 14A5 82A5CA15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A96372 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82A9D5C0 4 Bytes [C4, 9A, 49, 91] .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82A9D5E8 4 Bytes [BA, 50, 55, 91] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82A9D648 4 Bytes [A2, A5, 49, 91] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82A9D69C 8 Bytes [3C, 66, 4A, 91, 88, 66, 4A, ...] {CMP AL, 0x66; DEC EDX; XCHG ECX, EAX; MOV [ESI+0x4a], AH; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82A9D6A8 4 Bytes [22, 68, 4A, 91] {AND CH, [EAX+0x4a]; XCHG ECX, EAX} .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C58553 4 Bytes CALL 9149C55F \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82C723BB 4 Bytes CALL 9149C575 \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1460] kernel32.dll!SetUnhandledExceptionFilter 757FF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[3488] kernel32.dll!SetUnhandledExceptionFilter 757FF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ntdll.dll!NtCreateFile 76EA5608 5 Bytes JMP 5CF39AE0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ntdll.dll!NtFlushBuffersFile 76EA5998 5 Bytes JMP 5CF1C434 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ntdll.dll!NtQueryFullAttributesFile 76EA6028 5 Bytes JMP 5CF1C150 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ntdll.dll!NtReadFile 76EA62F8 5 Bytes JMP 5CF1C330 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ntdll.dll!NtReadFileScatter 76EA6308 5 Bytes JMP 5D93F60F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ntdll.dll!NtWriteFile 76EA6AA8 5 Bytes JMP 5CF3A9F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ntdll.dll!NtWriteFileGather 76EA6AB8 5 Bytes JMP 5D93F5BE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ntdll.dll!LdrUnloadDll 76EBC8DE 5 Bytes JMP 001E03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] ntdll.dll!LdrLoadDll 76EC22AE 5 Bytes JMP 60211F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 757F94E6 7 Bytes JMP 5D864AA0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] KERNEL32.dll!QueryPerformanceCounter + 13 757FC4E5 7 Bytes JMP 5D864AC3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] KERNEL32.dll!LoadAppInitDlls + 355 757FF5A6 7 Bytes JMP 5CF363D0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] user32.dll!GetWindowInfo 76A94B5E 5 Bytes JMP 5D75B991 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3616] GDI32.dll!GetViewportOrgEx + 26C 76A3884B 7 Bytes JMP 5D864A21 C:\Program Files\Mozilla Firefox\xul.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers\INPLUS-4\Printers\{47081E76-A9AF-4DAD-8B05-74524339FDD8}\PrinterDriverData@RegWriteTest 1 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers\INPLUS-4\Printers\{47081E76-A9AF-4DAD-8B05-74524339FDD8}\PrinterDriverData@RegWriteTest 1 Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers\INPLUS-4\Printers\{47081E76-A9AF-4DAD-8B05-74524339FDD8}\PrinterDriverData@RegWriteTestI 1 ---- EOF - GMER 2.1 ----