GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-03-31 11:50:53 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 SAMSUNG_MP0402H rev.UC200-16 37,26GB Running: tb80j80w.exe; Driver: C:\DOCUME~1\Mariusz\USTAWI~1\Temp\kgloapog.sys ---- System - GMER 2.2 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xB210267C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xB245E860] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xB210315A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xB2149D3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xB210F8F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xB210F944] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xB210FADE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xB21496F0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xB210F866] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xB210F988] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xB210F8AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xB2103690] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xB210FA98] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xB2103DC2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xB21026E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xB214A402] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xB214A6B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xB2107254] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xB214A26D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xB214A0D8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xB245E938] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwGetContextThread [0xB2104654] SSDT 
\SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xB21022CE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xB245ED1A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xB2102748] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xB210764A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xB2104BE6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xB210F922] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xB210F966] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xB210FB02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xB2149A4C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xB210F88C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xB2106B2C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xB210FA16] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xB210F8D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xB2106F22] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xB210FABC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xB245EAB8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xB2149F53] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xB21049FE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xB2149DA5] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xB21043EC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xB246C9FC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xB246D3C8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xB2148D33] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwResumeProcess [0xB2103F8C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwResumeThread [0xB2104198] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xB21027AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xB2102814] SSDT 
\SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xB210477E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xB2102368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xB210253A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xB214A509] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xB21024C8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xB2104092] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xB21042C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xB21025C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xB2103C00] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xB2103DA2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xB245BAF8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xB210287A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xB21031B6] INT 0x03 \WINDOWS\system32\ntkrnlpa.exe[unknown section] 804D70DB ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2468 80501CC4 4 Bytes CALL DCAACF0E .text ntkrnlpa.exe!ZwCallbackReturn + 2570 80501DCC 4 Bytes [38, E9, 45, B2] .text ntkrnlpa.exe!ZwCallbackReturn + 2648 80501EA4 4 Bytes [B8, EA, 45, B2] .text ntkrnlpa.exe!ZwCallbackReturn + 2754 80501FB0 12 Bytes [33, 8D, 14, B2, 8C, 3F, 10, ...] {XOR ECX, [EBP+0x3f8cb214]; ADC [EDX-0x4defbe68], DH} .text ntkrnlpa.exe!ZwCallbackReturn + 2770 80501FCC 12 Bytes [AE, 27, 10, B2, 14, 28, 10, ...] .text ... 
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 8059BA02 4 Bytes CALL B210525F \SystemRoot\system32\drivers\aswSnx.sys init C:\WINDOWS\system32\drivers\o2mmb.sys entry point in "init" section [0xF621A300] .text C:\WINDOWS\system32\drivers\aksfridge.sys section is writeable [0xB1845000, 0x48E1C, 0xE0000020] .init C:\WINDOWS\system32\drivers\aksfridge.sys entry point in ".init" section [0xB189B224] .init C:\WINDOWS\system32\drivers\aksfridge.sys unknown last code section [0xB189B000, 0x4000, 0xE20000E0] .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB178C400, 0x6EB98, 0xE8000020] .protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xB1816C20] C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protectÿÿÿÿhardlockentry point in ".protectÿÿÿÿhardlockentry point in ".p" section [0xB1816C20] .protectÿÿÿÿhardlockunknown last code section [0xB1816A00, 0x50CA, 0xE0000020] C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB1816A00, 0x50CA, 0xE0000020] ---- User code sections - GMER 2.2 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[228] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3432] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] 
{XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Mozilla Firefox\firefox.exe[3608] ntdll.dll!LdrLoadDll 7C915C35 5 Bytes JMP 002FAF72 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3608] ntdll.dll!LdrUnloadDll 7C916AD5 5 Bytes JMP 5DDE03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[3608] KERNEL32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 01856F1C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3608] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 0185653F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3608] KERNEL32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 015B69CE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3608] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 01855E8B C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3608] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 023CB658 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3608] USER32.dll!CreateWindowExW 7E37D0A3 5 Bytes JMP 01596DAB C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3608] USER32.dll!CreateWindowExA 7E37E4A9 5 Bytes JMP 0193FD98 C:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.2 ---- Device \Driver\Tcpip \Device\Ip aswStmXP.sys Device \Driver\Tcpip \Device\Tcp aswStmXP.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.sys Device \Driver\Tcpip \Device\Udp aswStmXP.sys Device \Driver\Tcpip \Device\RawIp aswStmXP.sys Device \Driver\Tcpip \Device\IPMULTICAST aswStmXP.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys ---- Registry - GMER 2.2 ---- Reg HKLM\SOFTWARE\Classes\Microsoft.PowerShellScript.1\shell\Uruchom za pomocą programu PowerShell Reg HKLM\SOFTWARE\Classes\Microsoft.PowerShellScript.1\shell\Uruchom za pomocą programu 
PowerShell\command Reg HKLM\SOFTWARE\Classes\Microsoft.PowerShellScript.1\shell\Uruchom za pomocą programu PowerShell\command@ "C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe" "-file" "%1" ---- EOF - GMER 2.2 ----