GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-20 19:52:20
Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3250410AS rev.3.AAF 232,88GB
Running: vs9pyvig.exe; Driver: C:\DOCUME~1\Kaziu\USTAWI~1\Temp\pfldipow.sys


---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwAddBootEntry [0xB15B1AD6]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwAllocateVirtualMemory [0xB182883C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwAssignProcessToJobObject [0xB15B25B4]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwClose [0xB15F86A0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateEvent [0xB15BE6B8]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateEventPair [0xB15BE704]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateIoCompletion [0xB15BE89E]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateKey [0xB15F8054]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateMutant [0xB15BE626]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateSection [0xB15BE748]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateSemaphore [0xB15BE66E]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateThread [0xB15B2AEA]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateTimer [0xB15BE858]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDebugActiveProcess [0xB15B33A2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteBootEntry [0xB15B1B3C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteKey [0xB15F8D66]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteValueKey [0xB15F901C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDuplicateObject [0xB15B6BF2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwEnumerateKey [0xB15F8BD1]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwEnumerateValueKey [0xB15F8A3C]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwFreeVirtualMemory [0xB1828914]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwLoadDriver [0xB15B1728]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwMapViewOfSection [0xB1828CF6]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwModifyBootEntry [0xB15B1BA2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwNotifyChangeKey [0xB15B6FE8]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwNotifyChangeMultipleKeys [0xB15B3EE6]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenEvent [0xB15BE6E2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenEventPair [0xB15BE726]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenIoCompletion [0xB15BE8C2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenKey [0xB15F83B0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenMutant [0xB15BE64C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenProcess [0xB15B64EA]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenSection [0xB15BE7D6]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenSemaphore [0xB15BE696]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenThread [0xB15B68D6]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenTimer [0xB15BE87C]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwProtectVirtualMemory [0xB1828A94]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryKey [0xB15F88B7]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryObject [0xB15B3CFE]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryValueKey [0xB15F8709]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueueApcThread [0xB15B3854]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwRenameKey [0xB1836B28]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwReplaceKey [0xB18374EC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwRestoreKey [0xB15F7697]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetBootEntryOrder [0xB15B1C08]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetBootOptions [0xB15B1C6E]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetContextThread [0xB15B321C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetSystemInformation [0xB15B17C2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetSystemPowerState [0xB15B1994]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetValueKey [0xB15F8E6D]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwShutdownSystem [0xB15B1922]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSuspendProcess [0xB15B356C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSuspendThread [0xB15B36CE]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSystemDebugControl [0xB15B1A1C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwTerminateProcess [0xB15B305A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwTerminateThread [0xB15B31FC]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwUnloadDriver [0xB1825AD4]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwVdmControl [0xB15B1CD4]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwWriteVirtualMemory [0xB15B2610]

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 2BCC  805037E0  4 Bytes  CALL BE00E940
.text  ntkrnlpa.exe!ZwCallbackReturn + 2C08  8050381C  8 Bytes  [EA, 2A, 5B, B1, 58, E8, 5B, ...]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2C44  80503858  2 Bytes  [F2, 6B]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2CF0  80503904  8 Bytes  [E8, 6F, 5B, B1, E6, 3E, 5B, ...]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2D08  8050391C  4 Bytes  CALL BF86EA7C \SystemRoot\System32\win32k.sys
.text  ...
PAGE   ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC  805A4EB4  4 Bytes  CALL B15B45B7 \SystemRoot\system32\drivers\aswSnx.sys
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB70F63C0, 0x829A2A, 0xE8000020]
.text  C:\WINDOWS\system32\DRIVERS\atksgt.sys    section is writeable [0xB03AF300, 0x3AE88, 0xE8000020]
.text  C:\WINDOWS\system32\DRIVERS\lirsgt.sys    section is writeable [0xB8470300, 0x1B7E, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1416] kernel32.dll!SetUnhandledExceptionFilter  7C8447B5  8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[3428] kernel32.dll!SetUnhandledExceptionFilter   7C8447B5  8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\WINDOWS\system32\services.exe[796] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  003C0002
IAT  C:\WINDOWS\system32\services.exe[796] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]        003C0000

---- Devices - GMER 2.1 ----

Device          \Driver\Tcpip \Device\Ip           aswStmXP.sys
Device          \Driver\Tcpip \Device\Tcp          aswStmXP.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp          aswRdr.sys
Device          \Driver\Tcpip \Device\Udp          aswStmXP.sys
Device          \Driver\Tcpip \Device\RawIp        aswStmXP.sys
Device          \Driver\Tcpip \Device\IPMULTICAST  aswStmXP.sys
AttachedDevice  \FileSystem\Fastfat \Fat           fltMgr.sys

---- EOF - GMER 2.1 ----