GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-13 21:30:37 Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1200JB-00GVA0 rev.08.02D08 111,79GB Running: 65tgtyev.exe; Driver: C:\DOCUME~1\Jan\USTAWI~1\Temp\fgtdypow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xAFDB2AD6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xB00E783C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xAFDB35B4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xAFDF96A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xAFDBF6B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xAFDBF704] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xAFDBF89E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xAFDF9054] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xAFDBF626] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xAFDBF748] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xAFDBF66E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xAFDB3AEA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xAFDBF858] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xAFDB43A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xAFDB2B3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xAFDF9D66] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xAFDFA01C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xAFDB7BF2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xAFDF9BD1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xAFDF9A3C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xB00E7914] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xAFDB2728] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB00E7CF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xAFDB2BA2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xAFDB7FE8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xAFDB4EE6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xAFDBF6E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xAFDBF726] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xAFDBF8C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xAFDF93B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xAFDBF64C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xAFDB74EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xAFDBF7D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xAFDBF696] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xAFDB78D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xAFDBF87C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB00E7A94] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xAFDF98B7] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xAFDB4CFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xAFDF9709] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xAFDB4854] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB00F5B28] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xB00F64EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xAFDF8697] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xAFDB2C08] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xAFDB2C6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xAFDB421C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xAFDB27C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xAFDB2994] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xAFDF9E6D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xAFDB2922] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xAFDB456C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xAFDB46CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xAFDB2A1C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xAFDB405A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xAFDB41FC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xB00E4AD4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xAFDB2CD4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xAFDB3610] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2C6C 80503A40 8 Bytes [EA, 3A, DB, AF, 58, F8, DB, ...] {JMP FAR 0xdbf8:0x58afdb3a; SCASD } .text ntkrnlpa.exe!ZwCallbackReturn + 2D54 80503B28 8 Bytes [E8, 7F, DB, AF, E6, 4E, DB, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2D80 80503B54 4 Bytes JMP D6AFDB74 .text ntkrnlpa.exe!ZwCallbackReturn + 2EE4 80503CB8 12 Bytes [08, 2C, DB, AF, 6E, 2C, DB, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2F8C 80503D60 12 Bytes [6C, 45, DB, AF, CE, 46, DB, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A4F7E 4 Bytes CALL AFDB55B7 \SystemRoot\system32\drivers\aswSnx.sys .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB8711000, 0x1C5DC8, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Avast\AvastUI.exe[1216] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Real\RealPlayer\update\realsched.exe[1288] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Program Files\Avast\AvastSvc.exe[1640] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\WINDOWS\Explorer.EXE[1752] SHELL32.dll!StrStrW 7C9CED60 8 Bytes [80, 11, 60, 19, C0, 11, 60, ...] {ADC BYTE [ECX], 0x60; SBB EAX, EAX; ADC [EAX+0x19], ESP} .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 0141374A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 0141348A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 014135C2 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 014134C4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 0176CB1D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 014138EE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 0176CB6D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!RtlAllocateHeap + 270 7C910334 7 Bytes JMP 00414A6C C:\Program Files\Mozilla Firefox\firefox.exe .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!LdrLoadDll 7C915CBB 5 Bytes JMP 0030A161 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] ntdll.dll!LdrUnloadDll 7C916C83 5 Bytes JMP 002F03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] KERNEL32.dll!lstrlenW + 43 7C809A5C 7 Bytes JMP 01755EF6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B910 7 Bytes JMP 0175510F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] KERNEL32.dll!ValidateLocale + AFA8 7C8447E8 7 Bytes JMP 014DDBC1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] USER32.dll!GetWindowInfo 7E36E77C 5 Bytes JMP 0224E1E3 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2296] GDI32.dll!SetDIBitsToDevice + 20D 77F19A9C 7 Bytes JMP 01754981 C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002 IAT C:\WINDOWS\system32\services.exe[804] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000 ---- Devices - GMER 2.1 ---- Device \Driver\Tcpip \Device\Ip aswStmXP.sys Device \Driver\Tcpip \Device\Tcp aswStmXP.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.sys Device \Driver\Tcpip \Device\Udp aswStmXP.sys Device \Driver\Tcpip \Device\RawIp aswStmXP.sys Device \Driver\Tcpip \Device\IPMULTICAST aswStmXP.sys ---- EOF - GMER 2.1 ----