GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-03-09 11:13:28 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MQ01ABD050 rev.AX001U 465,76GB Running: pey2ewz8.exe; Driver: C:\Users\Blysku\AppData\Local\Temp\afrdipod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x9004EAC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x9010A0BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x9004F5A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x9005B63C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x9005B688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x9005B822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x9005B5AA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x9010A494] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x9005B5F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x9010A724] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x9010A80E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x9005B7DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x90050390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x9004EB2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x90053B86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x9004E716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x9010A574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x9004EB90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x90053F7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x90050E78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x9005B666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x9005B6AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x9005B846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x9005B5D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x9005347E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x9005B75A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x9005B61A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x9005386A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x9005B800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x9010A312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x90050CEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x900509FA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x9004EBF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x9004EC5C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x9010A670] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x9004E7B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x9004E982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x9004E910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x9005055A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x900506BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x9004EA0A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x9010A3E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x900501EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x9004ECC2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x9010A244] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A839E9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82ABD1C2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82AC41E0 4 Bytes JMP C8F39004 .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82AC4208 4 Bytes [BA, A0, 10, 90] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82AC4268 4 Bytes [A2, F5, 04, 90] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82AC42BC 8 Bytes [3C, B6, 05, 90, 88, B6, 05, ...] {CMP AL, 0xb6; ADD EAX, 0x5b68890; NOP } .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82AC42C8 4 Bytes [22, B8, 05, 90] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C7F3C7 4 Bytes CALL 9005155F \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82C991B0 4 Bytes CALL 90051575 \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1456] kernel32.dll!SetUnhandledExceptionFilter 7680F4FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] ntdll.dll!NtCreateFile 776055C8 5 Bytes JMP 5FE8D441 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] ntdll.dll!NtFlushBuffersFile 77605958 5 Bytes JMP 5FE8D181 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] ntdll.dll!NtQueryFullAttributesFile 77605FE8 5 Bytes JMP 5FE8D2B9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] ntdll.dll!NtReadFile 776062B8 5 Bytes JMP 5FE8D1BB C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] ntdll.dll!NtReadFileScatter 776062C8 5 Bytes JMP 60273D7D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] ntdll.dll!NtWriteFile 77606A68 5 Bytes JMP 5FE8D5E5 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] ntdll.dll!NtWriteFileGather 77606A78 5 Bytes JMP 60273DCD C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] ntdll.dll!LdrUnloadDll 7761C86E 5 Bytes JMP 000E03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] ntdll.dll!LdrLoadDll 7762223E 5 Bytes JMP 6F60900C C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 7680941E 7 Bytes JMP 6025ECDA C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] KERNEL32.dll!QueryPerformanceCounter + 13 7680C435 7 Bytes JMP 6026041B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] KERNEL32.dll!LoadAppInitDlls + 355 7680F4F6 7 Bytes JMP 6001497B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] user32.dll!GetWindowInfo 75AE4B5E 5 Bytes JMP 60D4FA10 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2328] GDI32.dll!GetViewportOrgEx + 26C 759C884B 7 Bytes JMP 6025D492 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\AVAST Software\Avast\avastui.exe[3252] kernel32.dll!SetUnhandledExceptionFilter 7680F4FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } ---- Threads - GMER 2.1 ---- Thread System [4:2508] B6853F2E ---- EOF - GMER 2.1 ----