GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-28 14:29:58
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-e MAXTOR_STM3160215AS rev.4.AAB 149,05GB
Running: 7xohx5jz.exe; Driver: C:\DOCUME~1\Marek\USTAWI~1\Temp\fwpcraob.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xA8355ACC]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xA85D1464]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xA83565AA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xA839C620]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xA83626A0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xA83626EC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xA8362886]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xA839BFD4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xA836260E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xA8362730]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xA8362656]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xA8356AE0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xA8362840]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xA8357398]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xA8355B32]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xA839CCE6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xA839CF9C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xA835ABEA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xA839CB51]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xA839C9BC]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xA85D153C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xA835571E]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xA85D191E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xA8355B98]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xA835AFE0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xA8357EDC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xA83626CA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xA836270E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xA83628AA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xA839C330]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xA8362634]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xA835A4E2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xA83627BE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xA836267E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xA835A8CE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xA8362864]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xA85D16BC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xA839C837]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xA8357CF4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xA839C689]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xA835784A]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xA85DEE74]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xA85DF7E0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xA839B617]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xA8355BFE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xA8355C64]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xA8357212]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xA83557B8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xA835598A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xA839CDED]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xA8355918]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xA8357562]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xA83576C4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xA8355A12]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xA8357050]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xA83571F2]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xA85CE906]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xA8355CCA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xA8356606]

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!ZwYieldExecution + 186 804E49B0 4 Bytes [EA, AB, 35, A8]
.text ntoskrnl.exe!ZwYieldExecution + 3C2 804E4BEC 12 Bytes [FE, 5B, 35, A8, 64, 5C, 35, ...]
.text ntoskrnl.exe!ZwYieldExecution + 46A 804E4C94 12 Bytes [62, 75, 35, A8, C4, 76, 35, ...]
.text ntoskrnl.exe!ZwYieldExecution + 48E 804E4CB8 4 Bytes JMP CDFCF519
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 80575B10 4 Bytes CALL A83585AD \SystemRoot\system32\drivers\aswSnx.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\winlogon.exe[680] ntdll.dll!NtLockProductActivationKeys 7C90D490 5 Bytes JMP 10001000 C:\WINDOWS\system32\antiwpa.dll
.text C:\WINDOWS\system32\winlogon.exe[680] USER32.dll!GetSystemMetrics 7E368F9C 5 Bytes JMP 10001018 C:\WINDOWS\system32\antiwpa.dll
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1400] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1848] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\services.exe[724] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[724] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys
AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys

---- EOF - GMER 2.1 ----