GMER 1.0.15.15641 - http://www.gmer.net Rootkit scan 2012-06-30 12:59:22 Windows 6.1.7600 Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST31000340NS rev.SN06 Running: d7h4b7z8.exe; Driver: C:\Users\Kuba\AppData\Local\Temp\aftcaaog.sys ---- System - GMER 1.0.15 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x9281CDF8] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x95B03A5A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x9281D85E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x928222E4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x92822330] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x92822422] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x92822252] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSection [0x92822374] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x9282229A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x928223DC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x9281CE44] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x95B03B34] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwLoadDriver [0x9281CAD6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x9281CE90] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x9281FD1C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x9281DB02] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x9282230E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x92822352] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x92822446] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x92822278] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x928223AE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x928222C2] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x92822400] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x95B03CA0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x9281D9CE] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x9281CEDC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x9281CF28] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x9281CB46] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x9281CCEA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x9281CC92] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x9281CD5A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x95B03D60] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x9281CF74] SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x95B03BE0] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateProcessEx [0x95B19D92] Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ObMakeTemporaryObject ---- Kernel code sections - GMER 1.0.15 ---- .text ntkrnlpa.exe!ZwSaveKeyEx + 13AD 83094579 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830B8F52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!RtlSidHashLookup + 214 830C0714 4 Bytes [F8, CD, 81, 92] {CLC ; INT 0x81; XCHG EDX, EAX} .text ntkrnlpa.exe!RtlSidHashLookup + 23C 830C073C 4 Bytes [5A, 3A, B0, 95] .text ntkrnlpa.exe!RtlSidHashLookup + 29C 830C079C 4 Bytes [5E, D8, 81, 92] .text ntkrnlpa.exe!RtlSidHashLookup + 2F0 830C07F0 8 Bytes [E4, 22, 82, 92, 30, 23, 82, ...] .text ntkrnlpa.exe!RtlSidHashLookup + 2FC 830C07FC 4 Bytes [22, 24, 82, 92] {AND AH, [EDX+EAX*4]; XCHG EDX, EAX} .text ... PAGE ntkrnlpa.exe!ObMakeTemporaryObject 83259F59 3 Bytes JMP 95B16C8C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ObMakeTemporaryObject + 4 83259F5D 1 Byte [12] PAGE ntkrnlpa.exe!ObInsertObject + 27 83273C5F 5 Bytes JMP 95B18764 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 832BE0EA 4 Bytes CALL 9281E1B5 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 832C61C5 4 Bytes CALL 9281E1CB \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE ntkrnlpa.exe!ZwCreateProcessEx 8332BE52 7 Bytes JMP 95B19D96 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) .text win32k.sys!EngMultiByteToUnicodeN + 7240 82869869 5 Bytes JMP 92820536 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngIsSemaphoreOwned + 8A1B 8288086D 5 Bytes JMP 9282067C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngEraseSurface + 7C90 8289D15F 5 Bytes JMP 9282073C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngEraseSurface + BF73 828A1442 5 Bytes JMP 928212EA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XFORMOBJ_iGetXform + 1C30 828B356D 5 Bytes JMP 928207FE \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XFORMOBJ_iGetXform + 3318 828B4C55 5 Bytes JMP 9281FF84 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!XFORMOBJ_iGetXform + 401D 828B595A 5 Bytes JMP 928210BA \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCTGetGammaTable + 6CB 828BA1DB 5 Bytes JMP 9282070C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCTGetGammaTable + 177B 828BB28B 5 Bytes JMP 92820562 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngAllocMem + 8F96 828C6291 5 Bytes JMP 92820724 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bEnum + 7A2D 828D782C 5 Bytes JMP 9281FFF4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bEnum + 8714 828D8513 5 Bytes JMP 9281FE4E \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bEnum + 9311 828D9110 5 Bytes JMP 92820384 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateSemaphore + A7EB 828F3FDB 5 Bytes JMP 92820F8C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCreateSemaphore + CB9D 828F638D 5 Bytes JMP 9281FD52 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngBitBlt + 56E 828FF939 5 Bytes JMP 92821036 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngBitBlt + 5201 829045CC 5 Bytes JMP 928214F2 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngLpkInstalled + 6119 82917842 5 Bytes JMP 9281FE66 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngLpkInstalled + 11641 82922D6A 5 Bytes JMP 9282107C \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngLpkInstalled + 1AE7F 8292C5A8 5 Bytes JMP 92822544 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!STROBJ_bEnum + 9767 8293FA7F 5 Bytes JMP 928202E4 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngPlgBlt + 26C1 82947B45 5 Bytes JMP 928213A8 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_bPolyBezierTo + F8 8295B449 5 Bytes JMP 928201AC \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngAcquireSemaphoreSharedNoWait + 1F5A 8296B437 5 Bytes JMP 92821450 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!PATHOBJ_vGetBounds + EB5 82995C7F 5 Bytes JMP 928200B0 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngCTGetCurrentGamma + 1C7A 82999C9C 5 Bytes JMP 92820104 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngSetPointerShape + B31 8299C7C4 5 Bytes JMP 928207E6 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!EngSetPointerShape + C86 8299C919 5 Bytes JMP 92821232 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!CLIPOBJ_cEnumStart + 6CE0 829A55A5 5 Bytes JMP 9281FF22 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) .text win32k.sys!CLIPOBJ_cEnumStart + A3D9 829A8C9E 5 Bytes JMP 92820248 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) PAGE spsys.sys!?SPRevision@@3PADA + 4F90 B5059000 290 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...] PAGE spsys.sys!?SPRevision@@3PADA + 50B3 B5059123 629 Bytes [45, 05, B5, FE, 05, 34, 45, ...] PAGE spsys.sys!?SPRevision@@3PADA + 5329 B5059399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...] PAGE spsys.sys!?SPRevision@@3PADA + 538F B50593FF 51 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...] PAGE spsys.sys!?SPRevision@@3PADA + 53C3 B5059433 96 Bytes [04, B5, 85, C9, 7C, 18, 8D, ...] PAGE ... ---- User code sections - GMER 1.0.15 ---- .text C:\PROGRA~1\Raptr\raptr.exe[124] ntdll.dll!LdrUnloadDll 7762BE7F 5 Bytes JMP 001603FC .text C:\PROGRA~1\Raptr\raptr.exe[124] ntdll.dll!LdrLoadDll 7762F585 5 Bytes JMP 001601F8 .text C:\PROGRA~1\Raptr\raptr.exe[124] kernel32.dll!GetBinaryTypeW + 70 75B37964 1 Byte [62] .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!UnhookWindowsHookEx 772CCC7B 5 Bytes JMP 00200A08 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!SetForegroundWindow 772CD3AE 5 Bytes JMP 075D8A78 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!DestroyWindow 772CD5EF 5 Bytes JMP 075D5A60 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!UnhookWinEvent 772CD924 5 Bytes JMP 002003FC .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!ShowWindow 772D147A 5 Bytes JMP 075D4A58 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!SetWindowsHookExW 772D210A 5 Bytes JMP 00200804 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!PeekMessageA 772D2EB2 5 Bytes JMP 075DB290 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!DispatchMessageA 772D3569 5 Bytes JMP 075D2A48 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!SetWindowPos 772D3581 5 Bytes JMP 075D6A68 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!SetWinEventHook 772D507E 5 Bytes JMP 002001F8 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!EndPaint 772D7B73 5 Bytes JMP 6632B990 C:\PROGRA~1\Raptr\QtWebKit4.dll (C++ application development framework./Nokia Corporation and/or its subsidiary(-ies)) .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!BeginPaint 772D7B87 5 Bytes JMP 6632B920 C:\PROGRA~1\Raptr\QtWebKit4.dll (C++ application development framework./Nokia Corporation and/or its subsidiary(-ies)) .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!DispatchMessageW 772D8E8D 5 Bytes JMP 075D3A50 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!PeekMessageW 772D91B5 5 Bytes JMP 075DC298 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!BringWindowToTop 772F1B1D 5 Bytes JMP 075DD2A0 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!AnimateWindow 772F1D32 5 Bytes JMP 075D7A70 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!SetCapture 772F6B2A 5 Bytes JMP 075D9A80 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!WindowFromPoint 772F6D0C 5 Bytes JMP 075D1A40 .text C:\PROGRA~1\Raptr\raptr.exe[124] USER32.dll!SetWindowsHookExA 772F6DFA 5 Bytes JMP 00200600 .text C:\PROGRA~1\Raptr\raptr.exe[124] GDI32.dll!BitBlt 75D57180 5 Bytes JMP 075D0A38 .text C:\Program Files\Xfire\Xfire.exe[128] ntdll.dll!LdrUnloadDll 7762BE7F 5 Bytes JMP 001603FC .text C:\Program Files\Xfire\Xfire.exe[128] ntdll.dll!LdrLoadDll 7762F585 5 Bytes JMP 001601F8 .text C:\Program Files\Xfire\Xfire.exe[128] kernel32.dll!CreateProcessA 75AD2062 5 Bytes JMP 06B29904 C:\Program Files\Xfire\xfire_toucan_45547.dll (Xfire Toucan DLL/Xfire Inc.) .text C:\Program Files\Xfire\Xfire.exe[128] kernel32.dll!CreateThread 75B227FD 5 Bytes JMP 06B291AE C:\Program Files\Xfire\xfire_toucan_45547.dll (Xfire Toucan DLL/Xfire Inc.) .text C:\Program Files\Xfire\Xfire.exe[128] kernel32.dll!GetBinaryTypeW + 70 75B37964 1 Byte [62] .text C:\Program Files\Xfire\Xfire.exe[128] GDI32.dll!BitBlt &nb