GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-01 18:22:11 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T1L0-c WDC_WD400EB-75CPF0 rev.06.04G06 37,27GB Running: 5fn8cl9v.exe; Driver: C:\DOCUME~1\user\USTAWI~1\Temp\uwddapod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xEB3BCAC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xF1EA80BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xEB3BD5A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xEB4035A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xEB3C963C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xEB3C9688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xEB3C9822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xEB402F54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xEB3C95AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xEB3C96CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xEB3C95F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xEB3BDAD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xEB3C97DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xEB3BE390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xEB3BCB2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xEB403C66] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xEB403F1C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xEB3C1B86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xEB403AD1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xEB40393C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xEB3BC716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xF1EA8574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xEB3BCB90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xEB3C1F7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xEB3BEE78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xEB3C9666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xEB3C96AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xEB3C9846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xEB4032B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xEB3C95D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xEB3C147E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xEB3C975A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xEB3C961A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xEB3C186A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xEB3C9800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xF1EA8312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xEB4037B7] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xEB3BECEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xEB403609] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xEB3BE842] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xF1EB6358] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xF1EB6CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xEB402597] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xEB3BCBF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xEB3BCC5C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xEB3BE20A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xEB3BC7B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xEB3BC982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xEB403D6D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xEB3BC910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xEB3BE55A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xEB3BE6BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xEB3BCA0A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xEB3BE048] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xEB3BE1EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xEB3BCCC2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xEB3BD5FE] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D74 80504600 8 Bytes [74, 85, EA, F1, 90, CB, 3B, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2E94 80504720 4 Bytes CALL CF053260 .text ntkrnlpa.exe!ZwCallbackReturn + 2F10 8050479C 12 Bytes [F6, CB, 3B, EB, 5C, CC, 3B, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504844 12 Bytes [5A, E5, 3B, EB, BC, E6, 3B, ...] {POP EDX; IN EAX, 0x3b; JMP 0xffffffc1; OUT 0x3b, AL; JMP 0x13; RETF 0xeb3b} .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xF6002360, 0x354C5F, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1104] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1688] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2208] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 010E0102 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2208] USER32.dll!SetWindowLongA + 19 7E37C2B6 7 Bytes JMP 010E0173 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2208] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 010E261E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[2208] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 010DD8F6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] ntdll.dll!NtCreateFile 7C90D090 5 Bytes JMP 018E9AE0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] ntdll.dll!NtFlushBuffersFile 7C90D310 5 Bytes JMP 018CC434 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] ntdll.dll!NtQueryFullAttributesFile 7C90D790 5 Bytes JMP 018CC150 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] ntdll.dll!NtReadFile 7C90D9B0 5 Bytes JMP 018CC330 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] ntdll.dll!NtReadFileScatter 7C90D9C0 5 Bytes JMP 022EF60F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] ntdll.dll!NtWriteFile 7C90DF60 5 Bytes JMP 018EA9F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] ntdll.dll!NtWriteFileGather 7C90DF70 5 Bytes JMP 022EF5BE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] ntdll.dll!LdrLoadDll 7C9163A3 5 Bytes JMP 00881F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] ntdll.dll!LdrUnloadDll 7C91736B 5 Bytes JMP 003003FC .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] KERNEL32.dll!lstrlenW + 43 7C809ADC 7 Bytes JMP 02214AC3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B990 7 Bytes JMP 02214AA0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] KERNEL32.dll!ValidateLocale + B1E8 7C8449F8 7 Bytes JMP 018E63D0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] user32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 0210B991 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4056] GDI32.dll!SetDIBitsToDevice + 209 77F19E04 7 Bytes JMP 02214A21 C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[604] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[604] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip {371bcf01-e691-44bf-9345-60788e5d16a5}t.sys AttachedDevice \Driver\Tcpip \Device\Tcp {371bcf01-e691-44bf-9345-60788e5d16a5}t.sys AttachedDevice \Driver\Tcpip \Device\Udp {371bcf01-e691-44bf-9345-60788e5d16a5}t.sys AttachedDevice \Driver\Tcpip \Device\RawIp {371bcf01-e691-44bf-9345-60788e5d16a5}t.sys AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys ---- EOF - GMER 2.1 ----