GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-01-09 22:16:29 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_HD252HJ rev.1AC01113 232,88GB Running: hdsgwqmk.exe; Driver: C:\DOCUME~1\SysOp\USTAWI~1\Temp\kgtdqpog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB08513D4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xB0B6DA0A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB0851EB2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xB08983FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB085E28A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB085E2D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB085E470] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xB0897DB0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB085E1F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xB085E31A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB085E240] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xB08523E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB085E42A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB0852CA0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB085143A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xB0898AC2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB0898D78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB0855E32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB089892D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB0898798] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xB0B6DAE2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xB0851026] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB0B6DEC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB08514A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB0856228] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB08537E4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB085E2B4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB085E2F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB085E494] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xB089810C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB085E21E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB085572A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB085E3A8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB085E268] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB0855B16] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB085E44E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB0B6DC62] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xB0898613] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB08535FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB0898465] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB0853152] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB0B7C132] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xB0B7CAFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xB08973F3] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB0851506] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB085156C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xB0852B1A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB08510C0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB0851292] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xB0898BC9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB0851220] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB0852E6A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB0852FCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB085131A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB0852958] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB0852AFA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xB0B6ACA2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB08515D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB0851F0E] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2C98 80504534 8 Bytes CALL AB00CA5C .text ntkrnlpa.exe!ZwCallbackReturn + 2F10 805047AC 12 Bytes [06, 15, 85, B0, 6C, 15, 85, ...] {PUSH ES; ADC EAX, 0x156cb085; TEST [EAX-0x4f7ad4e6], ESI} .text ntkrnlpa.exe!ZwCallbackReturn + 2FB8 80504854 12 Bytes [6A, 2E, 85, B0, CC, 2F, 85, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64B8 4 Bytes CALL B0853E5D \SystemRoot\system32\drivers\aswSnx.sys .text C:\WINDOWS\system32\DRIVERS\nv4_mini.sys section is writeable [0xB360D360, 0x3E57A5, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\CCleaner\CCleaner.exe[484] USER32.dll!SetScrollInfo 7E369046 5 Bytes JMP 00506FAE C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[484] USER32.dll!GetScrollInfo 7E3717D8 5 Bytes JMP 00506EF8 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[484] USER32.dll!ShowScrollBar 7E37F2E7 5 Bytes JMP 00506F31 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[484] USER32.dll!GetScrollPos 7E37F6F4 5 Bytes JMP 00506ECD C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[484] USER32.dll!SetScrollPos 7E37F740 5 Bytes JMP 00506E64 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[484] USER32.dll!GetScrollRange 7E37F777 5 Bytes JMP 00506E8F C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[484] USER32.dll!SetScrollRange 7E37F98B 5 Bytes JMP 00506F71 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[484] USER32.dll!EnableScrollBar 7E3B7F55 5 Bytes JMP 00506FE8 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[580] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1440] kernel32.dll!SetUnhandledExceptionFilter 7C8449FD 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[832] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[832] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- Device \Driver\Tcpip \Device\Ip aswStmXP.sys Device \Driver\Tcpip \Device\Tcp aswStmXP.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.sys Device \Driver\Tcpip \Device\Udp aswStmXP.sys Device \Driver\Tcpip \Device\RawIp aswStmXP.sys Device \Driver\Tcpip \Device\IPMULTICAST aswStmXP.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00158315a310@20d607b76c75 0xD9 0xF3 0x16 0x54 ... Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00158315a310@001edc7d5736 0x78 0x20 0x18 0xB5 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310@20d607b76c75 0xD9 0xF3 0x16 0x54 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310@001edc7d5736 0x78 0x20 0x18 0xB5 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a310@20d607b76c75 0xD9 0xF3 0x16 0x54 ... Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\00158315a310@001edc7d5736 0x78 0x20 0x18 0xB5 ... ---- EOF - GMER 2.1 ----