GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-15 14:30:26
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 ST360015A rev.3.53 55,90GB
Running: dexg4plo.exe; Driver: C:\TEMP\pwldqpow.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB66A7AD6]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xB6A4A83C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB66A85B4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xB66EE6A0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB66B46B8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB66B4704]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB66B489E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xB66EE054]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB66B4626]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xB66B4748]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB66B466E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xB66A8AEA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB66B4858]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB66A93A2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB66A7B3C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xB66EED66]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB66EF01C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB66ACBF2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB66EEBD1]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB66EEA3C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xB6A4A914]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xB66A7728]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB6A4ACF6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB66A7BA2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB66ACFE8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB66A9EE6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB66B46E2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB66B4726]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB66B48C2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xB66EE3B0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB66B464C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB66AC4EA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB66B47D6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB66B4696]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB66AC8D6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB66B487C]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB6A4AA94]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xB66EE8B7]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB66A9CFE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB66EE709]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB66A9854]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB6A58B28]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xB6A594EC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xB66ED697]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB66A7C08]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB66A7C6E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xB66A921C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB66A77C2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB66A7994]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xB66EEE6D]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB66A7922]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB66A956C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB66A96CE]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB66A7A1C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB66A905A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB66A91FC]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xB6A47AD4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB66A7CD4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB66A8610]

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!_abnormal_termination + 120 804E26F4 8 Bytes [EA, 8A, 6A, B6, 58, 48, 6B, ...]
.text ntoskrnl.exe!_abnormal_termination + 170 804E2744 4 Bytes [3C, EA, 6E, B6]
.text ntoskrnl.exe!_abnormal_termination + 208 804E27DC 8 Bytes [E8, CF, 6A, B6, E6, 9E, 6A, ...] {CALL 0xe6b66ad4; SAHF ; PUSH -0x4a}
.text ntoskrnl.exe!_abnormal_termination + 234 804E2808 4 Bytes [EA, C4, 6A, B6]
.text ntoskrnl.exe!_abnormal_termination + 2CC 804E28A0 4 Bytes [B7, E8, 6E, B6]
.text ...
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BC20 4 Bytes CALL B66AA5B7 \SystemRoot\system32\drivers\aswSnx.sys
.text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xBA09B360, 0x372FAD, 0xE8000020]
init C:\WINDOWS\system32\drivers\ALCXSENS.SYS entry point in "init" section [0xB9FA1A80]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Mozilla Firefox\firefox.exe[272] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0117733B C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 0117707B C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 011771B3 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 011770B5 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 0172CA6C C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 011774DF C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 0172CABC C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0031A181 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003003FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] KERNEL32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01715D74 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 01714DD2 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] KERNEL32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 0149D74F C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01714644 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[272] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 021D45EF C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[980] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1552] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\services.exe[724] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002
IAT C:\WINDOWS\system32\services.exe[724] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000

---- Devices - GMER 2.1 ----

Device \Driver\Tcpip \Device\Ip aswStmXP.sys
Device \Driver\Tcpip \Device\Tcp aswStmXP.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.sys
Device \Driver\Tcpip \Device\Udp aswStmXP.sys
Device \Driver\Tcpip \Device\RawIp aswStmXP.sys
Device \Driver\Tcpip \Device\IPMULTICAST aswStmXP.sys
AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys

---- EOF - GMER 2.1 ----