GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-03-05 21:25:05 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP0T1L0-c ST1000DM003-1CH162 rev.CC46 931,51GB Running: ojih5scx.exe; Driver: C:\DOCUME~1\Mafia\USTAWI~1\Temp\uftdypog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xAB4D6ACC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xABBFC31C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xAB4D75AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xAB51D600] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xAB4E367A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xAB4E36C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xAB4E3860] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xAB51CFB4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xAB4E35E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xAB4E370A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xAB4E3630] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xAB4D7AE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xAB4E381A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xAB4D8398] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xAB4D6B32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xAB51DCC6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xAB51DF7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xAB4DBBEA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xAB51DB31] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xAB51D99C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xABBFC3F4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xAB4D671E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xABBFC7D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xAB4D6B98] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xAB4DBFE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xAB4D8EDC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xAB4E36A4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xAB4E36E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xAB4E3884] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xAB51D310] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xAB4E360E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xAB4DB4E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xAB4E3798] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xAB4E3658] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xAB4DB8CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xAB4E383E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xABBFC574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xAB51D817] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xAB4D8CF4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xAB51D669] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xAB4D884A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xABC09D24] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xABC0A690] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xAB51C5F7] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xAB4D6BFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xAB4D6C64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xAB4D8212] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xAB4D67B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xAB4D698A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xAB51DDCD] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xAB4D6918] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xAB4D8562] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xAB4D86C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xAB4D6A12] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xAB4D8050] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xAB4D81F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xABBF97BE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xAB4D6CCA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xAB4D7606] INT 0x62 ? 8B065CB8 INT 0x74 ? 8ADF4CB8 INT 0x82 ? 8B065CB8 INT 0x84 ? 8ADF4CB8 INT 0x94 ? 8ADF4CB8 INT 0xA4 ? 8ADF4CB8 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D34 8050461C 4 Bytes [E8, 35, 4E, AB] .text ntkrnlpa.exe!ZwCallbackReturn + 2D98 80504680 4 Bytes JMP 96AB4DBB .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [FE, 6B, 4D, AB, 64, 6C, 4D, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [62, 85, 4D, AB, C4, 86, 4D, ...] {BOUND EAX, [EBP-0x793b54b3]; DEC EBP; STOSD ; ADC CH, [EDX+0x4d]; STOSD } PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL AB4D95AD \SystemRoot\system32\drivers\aswSnx.sys .sptd1 C:\WINDOWS\system32\drivers\sptd.sys entry point in ".sptd1" section [0xF733B60C] .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xF5BC8000, 0xEDC62, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xA6CF5300, 0x3AF78, 0xE8000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xAB5CA300, 0x1BCE, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[960] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3084] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[1320] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[1320] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs 8B0641F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{8F1DE701-6B29-4BDE-BEEC-F359179BA0BE} 8A9541F8 AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys Device \Driver\usbuhci \Device\USBPDO-0 8AEF41F8 Device \Driver\usbuhci \Device\USBPDO-1 8AEF41F8 Device \Driver\usbuhci \Device\USBPDO-2 8AEF41F8 Device \Driver\usbuhci \Device\USBPDO-3 8AEF41F8 Device \Driver\usbehci \Device\USBPDO-4 8ADDC1F8 AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys Device \Driver\Cdrom \Device\CdRom0 8AED51F8 Device \Driver\atapi \Device\Ide\IdePort0 [F7220B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdePort1 [F7220B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T0L0-4 [F7220B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP0T1L0-c [F7220B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T0L0-18 [F7220B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\atapi \Device\Ide\IdeDeviceP1T1L0-20 [F7220B40] atapi.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX} Device \Driver\NetBT \Device\NetBt_Wins_Export 8A9541F8 Device \Driver\NetBT \Device\NetbiosSmb 8A9541F8 AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys Device \Driver\NetBT \Device\NetBT_Tcpip_{D77B060E-0F14-49E6-9E7A-20EF85ACA2BC} 8A9541F8 Device \Driver\usbuhci \Device\USBFDO-0 8AEF41F8 Device \Driver\usbuhci \Device\USBFDO-1 8AEF41F8 Device \FileSystem\MRxSmb \Device\LanmanDatagramReceiver 8A9411F8 Device \Driver\usbuhci \Device\USBFDO-2 8AEF41F8 Device \FileSystem\MRxSmb \Device\LanmanRedirector 8A9411F8 Device \Driver\usbuhci \Device\USBFDO-3 8AEF41F8 Device \Driver\usbehci \Device\USBFDO-4 8ADDC1F8 Device \Driver\NetBT \Device\NetBT_Tcpip_{3462A3F7-F40F-4436-8CC9-7EB1C7EF6C92} 8A9541F8 Device \FileSystem\Cdfs \Cdfs 890F71F8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet001\Services\BTHPORT\Parameters\Keys\00158315a310@0025e51e1919 0x6D 0x1F 0x0A 0x94 ... Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a310 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\00158315a310@0025e51e1919 0x6D 0x1F 0x0A 0x94 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\00158315a310@0025e51e1919 0x6D 0x1F 0x0A 0x94 ... Reg HKLM\SOFTWARE\Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\LocalServer32@ "C:\Program Files\Google\Chrome\Application\48.0.2564.109\delegate_execute.exe" Reg HKLM\SOFTWARE\Classes\CLSID\{5C65F4B0-3651-4514-B207-D10CB699B14B}\LocalServer32@ServerExecutable C:\Program Files\Google\Chrome\Application\48.0.2564.109\delegate_execute.exe ---- EOF - GMER 2.1 ----