GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-29 19:28:57 Windows 6.2.9200 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP3T0L0-5 WDC_WD10EZRX-00L4HB0 rev.01.01A01 931,51GB Running: gmer.exe; Driver: C:\Users\Stasiek\AppData\Local\Temp\pxldypob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x91488F40] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x91488604] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0x91415C14] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x91489B2C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0x9148998A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x9148834C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x91489FFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x91489E9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x91488252] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x914882C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x914880F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0x91489B4C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x9148859E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x91488538] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwReplyWaitReceivePortEx [0x9148B0C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwReplyWaitReceivePort [0x9148F344] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x9148A33C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x9148A62E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x91418BD4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x9149565C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x9148CB08] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x91495476] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x914955B6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x9148C71C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x9149542C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x914956A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x91495506] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x914954C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x9148A816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x9148D21A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x914884D2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x91418E36] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x91488058] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0x91418A54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x9148CE24] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x9148846C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x91489CD2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x91495638] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x91489636] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0x9148941A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x9149544E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0x91495528] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x91495406] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x9149567E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x914954E4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x91495498] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x91488EE4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAlpcSendWaitReceivePort [0x9148B0EE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x9141897C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x91488406] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwCallbackReturn + 16C 81D32F8C 12 Bytes [4C, 83, 48, 91, FE, 9F, 48, ...] {DEC ESP; OR DWORD [EAX-0x6f], -0x2; LAHF ; DEC EAX; XCHG ECX, EAX; PUSHF ; SAHF ; DEC EAX; XCHG ECX, EAX} .text ntoskrnl.exe!ZwCallbackReturn + 42C 81D3324C 4 Bytes JMP CA9E3AD2 .text ntoskrnl.exe!ZwCallbackReturn + 44C 81D3326C 4 Bytes JMP CA9A4EF2 .text ntoskrnl.exe!ZwCallbackReturn + 604 81D33424 12 Bytes [38, 56, 49, 91, 36, 96, 48, ...] .text ntoskrnl.exe!ZwCallbackReturn + 730 81D33550 4 Bytes JMP C35CB1D6 .text ntoskrnl.exe!ZwReplacePartitionUnit + 26AB 81DAB3C5 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 66A 81DAFCBA 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1432] KERNEL32.DLL!SetUnhandledExceptionFilter 762046B5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtUnmapViewOfSection + 5 76EF4BA9 7 Bytes [BA, 68, 7F, 14, 01, FF, E2] {MOV EDX, 0x1147f68; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtTerminateProcess 76EF4CD8 5 Bytes JMP 003874BF C:\Program Files\Google\Chrome\Application\chrome.exe .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtSetInformationThread + 5 76EF4FC1 7 Bytes [BA, 28, 7E, 14, 01, FF, E2] {MOV EDX, 0x1147e28; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtSetInformationFile + 5 76EF5039 7 Bytes [BA, 28, 7D, 14, 01, FF, E2] {MOV EDX, 0x1147d28; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtQueryFullAttributesFile + 5 76EF5851 7 Bytes CALL 75F06CD2 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtQueryAttributesFile + 5 76EF592D 7 Bytes [BA, A8, 7C, 14, 01, FF, E2] {MOV EDX, 0x1147ca8; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThreadTokenEx + 5 76EF5A95 7 Bytes CALL 75F06F18 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThreadToken + 5 76EF5AA9 7 Bytes [BA, 68, 7E, 14, 01, FF, E2] {MOV EDX, 0x1147e68; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenThread + 5 76EF5ABD 7 Bytes [BA, 68, 7D, 14, 01, FF, E2] {MOV EDX, 0x1147d68; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcessTokenEx + 5 76EF5B35 7 Bytes [BA, A8, 7E, 14, 01, FF, E2] {MOV EDX, 0x1147ea8; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcessToken + 5 76EF5B49 7 Bytes CALL 75F06FCB C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenProcess + 5 76EF5B5D 7 Bytes [BA, A8, 7D, 14, 01, FF, E2] {MOV EDX, 0x1147da8; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtOpenFile + 5 76EF5C39 7 Bytes [BA, 68, 7C, 14, 01, FF, E2] {MOV EDX, 0x1147c68; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtMapViewOfSection + 5 76EF5D15 7 Bytes [BA, 28, 7F, 14, 01, FF, E2] {MOV EDX, 0x1147f28; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!NtCreateFile + 5 76EF65B9 7 Bytes [BA, 28, 7C, 14, 01, FF, E2] {MOV EDX, 0x1147c28; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!LdrUnloadDll 76F01D41 5 Bytes JMP 011F03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[2364] ntdll.dll!LdrLoadDll 76F13D8A 5 Bytes JMP 011F01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtUnmapViewOfSection + 5 76EF4BA9 4 Bytes [BA, 68, 2F, FC] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtUnmapViewOfSection + A 76EF4BAE 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtTerminateProcess 76EF4CD8 5 Bytes JMP 003874BF C:\Program Files\Google\Chrome\Application\chrome.exe .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtSetInformationThread + 5 76EF4FC1 4 Bytes [BA, 28, 2E, FC] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtSetInformationThread + A 76EF4FC6 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtSetInformationFile + 5 76EF5039 4 Bytes [BA, 28, 2D, FC] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtSetInformationFile + A 76EF503E 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtQueryFullAttributesFile + 5 76EF5851 4 Bytes CALL 75F05482 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtQueryFullAttributesFile + A 76EF5856 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtQueryAttributesFile + 5 76EF592D 4 Bytes [BA, A8, 2C, FC] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtQueryAttributesFile + A 76EF5932 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenThreadTokenEx + 5 76EF5A95 4 Bytes CALL 75F056C8 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenThreadTokenEx + A 76EF5A9A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenThreadToken + 5 76EF5AA9 4 Bytes [BA, 68, 2E, FC] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenThreadToken + A 76EF5AAE 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenThread + 5 76EF5ABD 4 Bytes [BA, 68, 2D, FC] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenThread + A 76EF5AC2 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenProcessTokenEx + 5 76EF5B35 4 Bytes [BA, A8, 2E, FC] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenProcessTokenEx + A 76EF5B3A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenProcessToken + 5 76EF5B49 4 Bytes CALL 75F0577B C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenProcessToken + A 76EF5B4E 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenProcess + 5 76EF5B5D 4 Bytes [BA, A8, 2D, FC] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenProcess + A 76EF5B62 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenFile + 5 76EF5C39 4 Bytes [BA, 68, 2C, FC] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtOpenFile + A 76EF5C3E 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtMapViewOfSection + 5 76EF5D15 4 Bytes [BA, 28, 2F, FC] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtMapViewOfSection + A 76EF5D1A 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtCreateFile + 5 76EF65B9 4 Bytes [BA, 28, 2C, FC] .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!NtCreateFile + A 76EF65BE 2 Bytes [FF, E2] {JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!LdrUnloadDll 76F01D41 5 Bytes JMP 010603FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[4304] ntdll.dll!LdrLoadDll 76F13D8A 5 Bytes JMP 010601F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!LdrUnloadDll 76F01D41 5 Bytes JMP 010E03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[4512] ntdll.dll!LdrLoadDll 76F13D8A 5 Bytes JMP 010E01F8 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[5596] KERNEL32.DLL!SetUnhandledExceptionFilter 762046B5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!NtMapViewOfSection + 5 76EF5D15 7 Bytes [BA, 18, F0, 8F, 66, FF, E2] {MOV EDX, 0x668ff018; JMP EDX} .text C:\Program Files\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!LdrUnloadDll 76F01D41 5 Bytes JMP 010403FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[5952] ntdll.dll!LdrLoadDll 76F13D8A 5 Bytes JMP 010401F8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -873063261 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@B1F6998D 154 ---- EOF - GMER 2.1 ----