GMER 2.1.19115 - http://www.gmer.net
Rootkit scan 2013-03-03 15:56:37
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP4T0L0-4 SAMSUNG_HD252HJ rev.1AC01113 232,89GB
Running: z56x6kj7.exe; Driver: C:\Users\Sniper\AppData\Local\Temp\ufdiqpoc.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAddBootEntry [0x8CAFE4BA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwAllocateVirtualMemory [0x93119C22]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwAssignProcessToJobObject [0x8CAFEED6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEvent [0x8CB09FA8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateEventPair [0x8CB09FF4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateIoCompletion [0x8CB0A176]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateMutant [0x8CB09F16]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwCreateSection [0x93119FA6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateSemaphore [0x8CB09F5E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThread [0x8CAFF11C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateThreadEx [0x8CAFF2F4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwCreateTimer [0x8CB0A130]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDebugActiveProcess [0x8CAFF93E]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwDeleteBootEntry [0x8CAFE508]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwFreeVirtualMemory [0x93119CEA]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwLoadDriver [0x931183EC]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwModifyBootEntry [0x8CAFE556]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeKey [0x8CB03534]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwNotifyChangeMultipleKeys [0x8CB003A6]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEvent [0x8CB09FD2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenEventPair [0x8CB0A016]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenIoCompletion [0x8CB0A19A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenMutant [0x8CB09F3C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSection [0x8CB0A0BA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenSemaphore [0x8CB09F86]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwOpenTimer [0x8CB0A154]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwProtectVirtualMemory [0x93119E4A]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueryObject [0x8CB00272]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwQueueApcThreadEx [0x8CAFFF86]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootEntryOrder [0x8CAFE5A4]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetBootOptions [0x8CAFE5F2]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetContextThread [0x8CAFF7BE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemInformation [0x8CAFE1FA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSetSystemPowerState [0x8CAFE3AA]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwShutdownSystem [0x8CAFE350]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendProcess [0x8CAFFAF8]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSuspendThread [0x8CAFFC54]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwSystemDebugControl [0x8CAFE41A]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwTerminateProcess [0x93119EFE]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwTerminateThread [0x8CAFF636]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwUnloadDriver [0x9311841C]
SSDT \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software) ZwVdmControl [0x8CAFE640]
SSDT \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/AVAST Software) ZwWriteVirtualMemory [0x93119D96]

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!ZwRollbackEnlistment + 1409 8343C989 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8345C4E2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 1393 83463750 4 Bytes [BA, E4, AF, 8C]
.text ntoskrnl.exe!KeRemoveQueueEx + 13BB 83463778 4 Bytes [22, 9C, 11, 93]
.text ntoskrnl.exe!KeRemoveQueueEx + 141B 834637D8 4 Bytes [D6, EE, AF, 8C]
.text ntoskrnl.exe!KeRemoveQueueEx + 146F 8346382C 8 Bytes [A8, 9F, B0, 8C, F4, 9F, B0, ...] {TEST AL, 0x9f; MOV AL, 0x8c; HLT ; LAHF ; MOV AL, 0x8c}
.text ntoskrnl.exe!KeRemoveQueueEx + 147B 83463838 4 Bytes [76, A1, B0, 8C] {JBE 0xffffffa3; MOV AL, 0x8c}
.text ...
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 108 83617136 4 Bytes CALL 8CB00A8D \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
PAGE ntoskrnl.exe!ZwAlpcSendWaitReceivePort + 122 83653DE7 4 Bytes CALL 8CB00AA3 \SystemRoot\System32\Drivers\aswSnx.SYS (avast! Virtualization Driver/AVAST Software)
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9401B000, 0x136CEC, 0xE8000020]
? C:\Users\Sniper\AppData\Local\Temp\ALSysIO.sys Nie można odnaleźć określonego pliku. !
PAGE spsys.sys!?SPRevision@@3PADA + 4F90 94F0C000 148 Bytes [8B, FF, 55, 8B, EC, 33, C0, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5025 94F0C095 141 Bytes JMP 83436146 \SystemRoot\system32\ntoskrnl.exe (NT Kernel & System/Microsoft Corporation)
PAGE spsys.sys!?SPRevision@@3PADA + 50B3 94F0C123 629 Bytes [75, F0, 94, FE, 05, 34, 75, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 5329 94F0C399 101 Bytes [6A, 28, 59, A5, 5E, C6, 03, ...]
PAGE spsys.sys!?SPRevision@@3PADA + 538F 94F0C3FF 148 Bytes [18, 5D, C2, 14, 00, 8B, FF, ...]
PAGE ...
.text kernel32.dll!GetBinaryTypeW + 70 766C69F4 1 Byte [62]

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\taskeng.exe[192] kernel32.dll!GetBinaryTypeW + 70 766C69F4 1 Byte [62]
.text C:\Windows\system32\csrss.exe[416] kernel32.dll!GetBinaryTypeW + 70 766C69F4 1 Byte [62]
.text C:\Windows\system32\wininit.exe[496] kernel32.dll!GetBinaryTypeW + 70 766C69F4 1 Byte [62]
.text C:\Windows\system32\csrss.exe[508] kernel32.dll!GetBinaryTypeW + 70 766C69F4 1 Byte [62]
.text ...
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1328] kernel32.dll!SetUnhandledExceptionFilter 766AF4FB 4 Bytes [C2, 04, 00, 90] {RET 0x4; NOP }
.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1328] kernel32.dll!GetBinaryTypeW + 70 766C69F4 1 Byte [62]
.text C:\Windows\system32\atieclxx.exe[1348] kernel32.dll!GetBinaryTypeW + 70 766C69F4 1 Byte [62]
.text C:\Windows\System32\spoolsv.exe[1504] kernel32.dll!GetBinaryTypeW + 70 766C69F4 1 Byte [62]
.text C:\Windows\System32\svchost.exe[1560] kernel32.dll!GetBinaryTypeW + 70 766C69F4 1 Byte [62]
.text C:\Windows\system32\PnkBstrA.exe[1608] kernel32.dll!GetBinaryTypeW + 70 766C69F4 1 Byte [62]
.text ...
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] ntdll.dll!LdrUnloadDll 77B0C86E 5 Bytes JMP 001203FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] ntdll.dll!LdrLoadDll 77B1223E 5 Bytes JMP 6205A650 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 766A93D6 7 Bytes JMP 62297DF7 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] KERNEL32.dll!QueryPerformanceCounter + 13 766AC435 7 Bytes JMP 62297E1A C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] KERNEL32.dll!LoadAppInitDlls + 355 766AF4F6 7 Bytes JMP 6205EDB3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] KERNEL32.dll!GetBinaryTypeW + 70 766C69F4 1 Byte [62]
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] USER32.dll!UnhookWindowsHookEx 767CCC7B 5 Bytes JMP 00130A08
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] USER32.dll!UnhookWinEvent 767CD924 5 Bytes JMP 001303FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] USER32.dll!SetWindowsHookExW 767D210A 5 Bytes JMP 00130804
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] USER32.dll!SetWinEventHook 767D507E 5 Bytes JMP 001301F8
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] USER32.dll!SetWindowsHookExA 767F6DFA 5 Bytes JMP 00130600
.text C:\Program Files\Mozilla Firefox\firefox.exe[3808] GDI32.dll!GetViewportOrgEx + 26C 77C4884B 7 Bytes JMP 62297D78 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Users\Sniper\Downloads\z56x6kj7.exe[3944] kernel32.dll!GetBinaryTypeW + 70 766C69F4 1 Byte [62]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1328] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73B9F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)
IAT C:\Program Files\AVAST Software\Avast\AvastUI.exe[2052] @ C:\Windows\system32\USER32.dll [KERNEL32.dll!LoadLibraryExW] [73B9F6D0] C:\Program Files\AVAST Software\Avast\aswCmnBS.dll (Common functions/AVAST Software)

---- Devices - GMER 2.1 ----

AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/AVAST Software)

---- EOF - GMER 2.1 ----