GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-21 20:47:09
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD2500BEVT-80A23T0 rev.01.01A01 232,89GB
Running: qsslsdpz.exe; Driver: C:\DOCUME~1\kamil1\USTAWI~1\Temp\pxtdqpod.sys


---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwAddBootEntry [0xB21C6AD6]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwAllocateVirtualMemory [0xB24E283C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwAssignProcessToJobObject [0xB21C75B4]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwClose [0xB220D6A0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateEvent [0xB21D36B8]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateEventPair [0xB21D3704]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateIoCompletion [0xB21D389E]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateKey [0xB220D054]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateMutant [0xB21D3626]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateSection [0xB21D3748]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateSemaphore [0xB21D366E]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateThread [0xB21C7AEA]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateTimer [0xB21D3858]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDebugActiveProcess [0xB21C83A2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteBootEntry [0xB21C6B3C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteKey [0xB220DD66]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteValueKey [0xB220E01C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDuplicateObject [0xB21CBBF2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwEnumerateKey [0xB220DBD1]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwEnumerateValueKey [0xB220DA3C]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwFreeVirtualMemory [0xB24E2914]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwLoadDriver [0xB21C6728]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwMapViewOfSection [0xB24E2CF6]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwModifyBootEntry [0xB21C6BA2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwNotifyChangeKey [0xB21CBFE8]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwNotifyChangeMultipleKeys [0xB21C8EE6]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenEvent [0xB21D36E2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenEventPair [0xB21D3726]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenIoCompletion [0xB21D38C2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenKey [0xB220D3B0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenMutant [0xB21D364C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenProcess [0xB21CB4EA]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenSection [0xB21D37D6]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenSemaphore [0xB21D3696]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenThread [0xB21CB8D6]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenTimer [0xB21D387C]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwProtectVirtualMemory [0xB24E2A94]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryKey [0xB220D8B7]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryObject [0xB21C8CFE]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryValueKey [0xB220D709]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueueApcThread [0xB21C8854]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwRenameKey [0xB24F0B28]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwReplaceKey [0xB24F14EC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwRestoreKey [0xB220C697]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetBootEntryOrder [0xB21C6C08]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetBootOptions [0xB21C6C6E]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetContextThread [0xB21C821C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetSystemInformation [0xB21C67C2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetSystemPowerState [0xB21C6994]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetValueKey [0xB220DE6D]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwShutdownSystem [0xB21C6922]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSuspendProcess [0xB21C856C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSuspendThread [0xB21C86CE]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSystemDebugControl [0xB21C6A1C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwTerminateProcess [0xB21C805A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwTerminateThread [0xB21C81FC]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwUnloadDriver [0xB24DFAD4]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwVdmControl [0xB21C6CD4]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwWriteVirtualMemory [0xB21C7610]

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 2D5C  80504644 8 Bytes  [EA, 7A, 1C, B2, 58, 38, 1D, ...]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2E44  8050472C 8 Bytes  [E8, BF, 1C, B2, E6, 8E, 1C, ...] {CALL 0xe6b21cc4; MOV DS, [EDX+ESI*4]}
.text  ntkrnlpa.exe!ZwCallbackReturn + 2E70  80504758 4 Bytes  [EA, B4, 1C, B2]
.text  ntkrnlpa.exe!ZwCallbackReturn + 2FD4  805048BC 12 Bytes  [08, 6C, 1C, B2, 6E, 6C, 1C, ...] {OR [ESP+EBX-0x4e], CH; OUTS DX, BYTE [ESI]; INS BYTE [ES:EDI], DX; SBB AL, 0xb2; SBB AL, 0x82; SBB AL, 0xb2}
.text  ntkrnlpa.exe!ZwCallbackReturn + 307C  80504964 12 Bytes  [6C, 85, 1C, B2, CE, 86, 1C, ...] {INS BYTE [ES:EDI], DX; TEST [EDX+ESI*4], EBX; INTO ; XCHG [EDX+ESI*4], BL; SBB AL, 0x6a; SBB AL, 0xb2}
.text  C:\WINDOWS\system32\DRIVERS\nv4_mini.sys  section is writeable [0xB65C2380, 0x3D2245, 0xE8000020]

---- User code sections - GMER 2.1 ----

.text  e:\Program Files\AVAST Software\Avast\AvastSvc.exe[1760] kernel32.dll!SetUnhandledExceptionFilter  7C844EE5 8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text  E:\Program Files\AVAST Software\Avast\AvastUI.exe[3284] kernel32.dll!SetUnhandledExceptionFilter  7C844EE5 8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\WINDOWS\system32\services.exe[936] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  003D0002
IAT  C:\WINDOWS\system32\services.exe[936] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  003D0000

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip  tcfd_vt_1_10_0_24.sys
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass0  wdf01000.sys
AttachedDevice  \Driver\Kbdclass \Device\KeyboardClass1  wdf01000.sys
AttachedDevice  \Driver\Tcpip \Device\Tcp  tcfd_vt_1_10_0_24.sys
AttachedDevice  \Driver\Tcpip \Device\Udp  tcfd_vt_1_10_0_24.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  tcfd_vt_1_10_0_24.sys
AttachedDevice  \FileSystem\Fastfat \Fat  fltMgr.sys

---- EOF - GMER 2.1 ----