GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-18 16:42:26
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-4 ST9250410AS rev.D005SDM1 232,89GB
Running: 90znzuhg.exe; Driver: C:\Users\Owner\AppData\Local\Temp\awddrkog.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x880A7AC4]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x881630BA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x880A85A2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x880B463C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x880B4688]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x880B4822]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x880B45AA]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x88163494]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x880B45F2]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x88163724]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8816380E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x880B47DC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x880A9390]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x880A7B2A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x880ACB86]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x880A7716]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x88163574]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x880A7B90]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x880ACF7C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x880A9E78]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x880B4666]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x880B46AA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x880B4846]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x880B45D0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x880AC47E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x880B475A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x880B461A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x880AC86A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x880B4800]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x88163312]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x880A9CEC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x880A99FA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x880A7BF6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x880A7C5C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x88163670]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x880A77B0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x880A7982]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x880A7910]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x880A955A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x880A96BC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x880A7A0A]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x881633E0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x880A91EA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x880A7CC2]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x88163244]

---- Kernel code sections - GMER 2.1 ----

.text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82C50A09 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C8A1F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82C91220 4 Bytes [C4, 7A, 0A, 88]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82C91248 4 Bytes [BA, 30, 16, 88]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82C912A8 4 Bytes [A2, 85, 0A, 88]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82C912FC 8 Bytes [3C, 46, 0B, 88, 88, 46, 0B, ...] {CMP AL, 0x46; OR ECX, [EAX-0x77f4b978]}
.text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82C91308 4 Bytes [22, 48, 0B, 88]
.text ...

---- User code sections - GMER 2.1 ----

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1356] kernel32.dll!SetUnhandledExceptionFilter 75EDF4FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2240] kernel32.dll!SetUnhandledExceptionFilter 75EDF4FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }

---- Devices - GMER 2.1 ----

AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys

---- EOF - GMER 2.1 ----