GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-12 19:51:34 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 SAMSUNG_HD502HI rev.1AG01118 465,76GB Running: 7u49smv8.exe; Driver: C:\Users\Aneta\AppData\Local\Temp\fwddakog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwAddBootEntry [0x89F31644] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwAllocateVirtualMemory [0x90A29668] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwAssignProcessToJobObject [0x89F320D6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateEvent [0x89F3D89A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateEventPair [0x89F3D8E6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateIoCompletion [0x89F3DA80] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateMutant [0x89F3D808] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwCreateSection [0x90A29A00] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateSemaphore [0x89F3D850] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateThread [0x89F325D4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateThreadEx [0x89F327F0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwCreateTimer [0x89F3DA3A] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwDebugActiveProcess [0x89F32E8C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwDeleteBootEntry [0x89F316AA] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwDuplicateObject [0x89F366AC] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwFreeVirtualMemory [0x90A29730] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwLoadDriver [0x90A27C80] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwModifyBootEntry [0x89F31710] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwNotifyChangeKey [0x89F36A76] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwNotifyChangeMultipleKeys [0x89F3391C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenEvent [0x89F3D8C4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenEventPair [0x89F3D908] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenIoCompletion [0x89F3DAA4] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenMutant [0x89F3D82E] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenProcess [0x89F35F92] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenSection [0x89F3D9B8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenSemaphore [0x89F3D878] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenThread [0x89F36384] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwOpenTimer [0x89F3DA5E] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwProtectVirtualMemory [0x90A29890] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwQueryObject [0x89F337E8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwQueueApcThreadEx [0x89F334F6] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetBootEntryOrder [0x89F31776] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetBootOptions [0x89F317DC] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetContextThread [0x89F32D06] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetSystemInformation [0x89F3132C] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSetSystemPowerState [0x89F31502] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwShutdownSystem [0x89F31490] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSuspendProcess [0x89F33056] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSuspendThread [0x89F331B8] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwSystemDebugControl [0x89F3158A] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwTerminateProcess [0x90A29958] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwTerminateThread [0x89F32CE6] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwUnloadDriver [0x90A27CB0] SSDT \SystemRoot\System32\Drivers\aswSnx.SYS ZwVdmControl [0x89F31842] SSDT \SystemRoot\System32\Drivers\aswSP.SYS ZwWriteVirtualMemory [0x90A297DC] Code \SystemRoot\System32\Drivers\aswSP.SYS ObMakeTemporaryObject ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!ZwRollbackEnlistment + 140D 82C429A9 1 Byte [06] .text ntoskrnl.exe!KiDispatchInterrupt + 5A2 82C624F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntoskrnl.exe!KeRemoveQueueEx + 1393 82C69768 4 Bytes [44, 16, F3, 89] .text ntoskrnl.exe!KeRemoveQueueEx + 13BB 82C69790 4 Bytes [68, 96, A2, 90] .text ntoskrnl.exe!KeRemoveQueueEx + 141B 82C697F0 4 Bytes [D6, 20, F3, 89] .text ntoskrnl.exe!KeRemoveQueueEx + 146F 82C69844 8 Bytes [9A, D8, F3, 89, E6, D8, F3, ...] .text ntoskrnl.exe!KeRemoveQueueEx + 147B 82C69850 4 Bytes [80, DA, F3, 89] .text ... .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91413000, 0x267978, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\15.2.0\ToolbarUpdater.exe[108] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Windows\system32\csrss.exe[444] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Windows\system32\wininit.exe[516] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Windows\system32\csrss.exe[532] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Windows\system32\services.exe[568] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text ... .text C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe[2076] ntdll.dll!LdrUnloadDll 77B3C86E 5 Bytes JMP 001503FC .text C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe[2076] ntdll.dll!LdrLoadDll 77B4223E 5 Bytes JMP 001501F8 .text C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe[2076] KERNEL32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe[2076] USER32.dll!UnhookWindowsHookEx 764DCC7B 5 Bytes JMP 00160A08 .text C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe[2076] USER32.dll!UnhookWinEvent 764DD924 5 Bytes JMP 001603FC .text C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe[2076] USER32.dll!SetWindowsHookExW 764E210A 5 Bytes JMP 00160804 .text C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe[2076] USER32.dll!SetWinEventHook 764E507E 5 Bytes JMP 001601F8 .text C:\Windows\system32\Macromed\Flash\FlashUtil32_11_7_700_224_ActiveX.exe[2076] USER32.dll!SetWindowsHookExA 76506DFA 5 Bytes JMP 00160600 .text C:\Windows\system32\Ati2evxx.exe[2512] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\MOM.exe[2532] KERNEL32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Program Files\AVG Secure Search\vprot.exe[2584] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2648] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Program Files\Zune\ZuneLauncher.exe[2672] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[2732] ntdll.dll!LdrUnloadDll 77B3C86E 5 Bytes JMP 000703FC .text C:\Windows\system32\svchost.exe[2732] ntdll.dll!LdrLoadDll 77B4223E 5 Bytes JMP 000701F8 .text C:\Windows\system32\svchost.exe[2732] KERNEL32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[2732] USER32.dll!UnhookWindowsHookEx 764DCC7B 5 Bytes JMP 00090A08 .text C:\Windows\system32\svchost.exe[2732] USER32.dll!UnhookWinEvent 764DD924 5 Bytes JMP 000903FC .text C:\Windows\system32\svchost.exe[2732] USER32.dll!SetWindowsHookExW 764E210A 5 Bytes JMP 00090804 .text C:\Windows\system32\svchost.exe[2732] USER32.dll!SetWinEventHook 764E507E 5 Bytes JMP 000901F8 .text C:\Windows\system32\svchost.exe[2732] USER32.dll!SetWindowsHookExA 76506DFA 5 Bytes JMP 00090600 .text C:\Windows\system32\SearchIndexer.exe[3324] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3452] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CCC.exe[3564] KERNEL32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Windows\System32\svchost.exe[4048] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[4516] ntdll.dll!LdrUnloadDll 77B3C86E 5 Bytes JMP 000E03FC .text C:\Program Files\Internet Explorer\iexplore.exe[4516] ntdll.dll!LdrLoadDll 77B4223E 5 Bytes JMP 000E01F8 .text C:\Program Files\Internet Explorer\iexplore.exe[4516] KERNEL32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[4516] user32.DLL!UnhookWindowsHookEx 764DCC7B 5 Bytes JMP 00100A08 .text C:\Program Files\Internet Explorer\iexplore.exe[4516] user32.DLL!UnhookWinEvent 764DD924 5 Bytes JMP 001003FC .text C:\Program Files\Internet Explorer\iexplore.exe[4516] user32.DLL!SetWindowsHookExW 764E210A 5 Bytes JMP 00100804 .text C:\Program Files\Internet Explorer\iexplore.exe[4516] user32.DLL!SetWinEventHook 764E507E 5 Bytes JMP 001001F8 .text C:\Program Files\Internet Explorer\iexplore.exe[4516] user32.DLL!SetWindowsHookExA 76506DFA 5 Bytes JMP 00100600 .text C:\Program Files\Internet Explorer\iexplore.exe[4516] shell32.DLL!RealDriveType + 173D 76BBFE30 4 Bytes CALL 94F2E3AB .text C:\Program Files\Internet Explorer\iexplore.exe[4516] shell32.DLL!RealDriveType + 1745 76BBFE38 8 Bytes [1B, 57, 1E, 6F, 97, 83, 1F, ...] {SBB EDX, [EDI+0x1e]; OUTS DX, DWORD [ESI]; XCHG EDI, EAX; SBB DWORD [EDI], 0x6f} .text C:\Windows\system32\wuauclt.exe[4672] ntdll.dll!LdrUnloadDll 77B3C86E 5 Bytes JMP 000803FC .text C:\Windows\system32\wuauclt.exe[4672] ntdll.dll!LdrLoadDll 77B4223E 5 Bytes JMP 000801F8 .text C:\Windows\system32\wuauclt.exe[4672] KERNEL32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Windows\system32\wuauclt.exe[4672] USER32.dll!UnhookWindowsHookEx 764DCC7B 5 Bytes JMP 00150A08 .text C:\Windows\system32\wuauclt.exe[4672] USER32.dll!UnhookWinEvent 764DD924 5 Bytes JMP 001503FC .text C:\Windows\system32\wuauclt.exe[4672] USER32.dll!SetWindowsHookExW 764E210A 5 Bytes JMP 00150804 .text C:\Windows\system32\wuauclt.exe[4672] USER32.dll!SetWinEventHook 764E507E 5 Bytes JMP 001501F8 .text C:\Windows\system32\wuauclt.exe[4672] USER32.dll!SetWindowsHookExA 76506DFA 5 Bytes JMP 00150600 .text C:\Windows\system32\sppsvc.exe[4712] ntdll.dll!LdrUnloadDll 77B3C86E 5 Bytes JMP 000F03FC .text C:\Windows\system32\sppsvc.exe[4712] ntdll.dll!LdrLoadDll 77B4223E 5 Bytes JMP 000F01F8 .text C:\Windows\system32\sppsvc.exe[4712] KERNEL32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Windows\system32\sppsvc.exe[4712] USER32.dll!UnhookWindowsHookEx 764DCC7B 5 Bytes JMP 00250A08 .text C:\Windows\system32\sppsvc.exe[4712] USER32.dll!UnhookWinEvent 764DD924 5 Bytes JMP 002503FC .text C:\Windows\system32\sppsvc.exe[4712] USER32.dll!SetWindowsHookExW 764E210A 5 Bytes JMP 00250804 .text C:\Windows\system32\sppsvc.exe[4712] USER32.dll!SetWinEventHook 764E507E 5 Bytes JMP 002501F8 .text C:\Windows\system32\sppsvc.exe[4712] USER32.dll!SetWindowsHookExA 76506DFA 5 Bytes JMP 00250600 .text C:\Program Files\Internet Explorer\iexplore.exe[4904] ntdll.dll!LdrUnloadDll 77B3C86E 5 Bytes JMP 000E03FC .text C:\Program Files\Internet Explorer\iexplore.exe[4904] ntdll.dll!LdrLoadDll 77B4223E 5 Bytes JMP 000E01F8 .text C:\Program Files\Internet Explorer\iexplore.exe[4904] KERNEL32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[4904] user32.DLL!UnhookWindowsHookEx 764DCC7B 5 Bytes JMP 00110A08 .text C:\Program Files\Internet Explorer\iexplore.exe[4904] user32.DLL!UnhookWinEvent 764DD924 5 Bytes JMP 001103FC .text C:\Program Files\Internet Explorer\iexplore.exe[4904] user32.DLL!SetWindowsHookExW 764E210A 5 Bytes JMP 00110804 .text C:\Program Files\Internet Explorer\iexplore.exe[4904] user32.DLL!SetWinEventHook 764E507E 5 Bytes JMP 001101F8 .text C:\Program Files\Internet Explorer\iexplore.exe[4904] user32.DLL!SetWindowsHookExA 76506DFA 5 Bytes JMP 00110600 .text C:\Program Files\Internet Explorer\iexplore.exe[4904] shell32.DLL!RealDriveType + 173D 76BBFE30 4 Bytes CALL 94F2E3AB .text C:\Program Files\Internet Explorer\iexplore.exe[4904] shell32.DLL!RealDriveType + 1745 76BBFE38 8 Bytes [1B, 57, 1E, 6F, 97, 83, 1F, ...] {SBB EDX, [EDI+0x1e]; OUTS DX, DWORD [ESI]; XCHG EDI, EAX; SBB DWORD [EDI], 0x6f} .text C:\Windows\System32\MsSpellCheckingFacility.exe[5000] ntdll.dll!LdrUnloadDll 77B3C86E 5 Bytes JMP 000E03FC .text C:\Windows\System32\MsSpellCheckingFacility.exe[5000] ntdll.dll!LdrLoadDll 77B4223E 5 Bytes JMP 000E01F8 .text C:\Windows\System32\MsSpellCheckingFacility.exe[5000] KERNEL32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Windows\System32\MsSpellCheckingFacility.exe[5000] USER32.dll!UnhookWindowsHookEx 764DCC7B 5 Bytes JMP 000F0A08 .text C:\Windows\System32\MsSpellCheckingFacility.exe[5000] USER32.dll!UnhookWinEvent 764DD924 5 Bytes JMP 000F03FC .text C:\Windows\System32\MsSpellCheckingFacility.exe[5000] USER32.dll!SetWindowsHookExW 764E210A 5 Bytes JMP 000F0804 .text C:\Windows\System32\MsSpellCheckingFacility.exe[5000] USER32.dll!SetWinEventHook 764E507E 5 Bytes JMP 000F01F8 .text C:\Windows\System32\MsSpellCheckingFacility.exe[5000] USER32.dll!SetWindowsHookExA 76506DFA 5 Bytes JMP 000F0600 .text C:\Program Files\Internet Explorer\iexplore.exe[5012] ntdll.dll!LdrUnloadDll 77B3C86E 5 Bytes JMP 000703FC .text C:\Program Files\Internet Explorer\iexplore.exe[5012] ntdll.dll!LdrLoadDll 77B4223E 5 Bytes JMP 000701F8 .text C:\Program Files\Internet Explorer\iexplore.exe[5012] KERNEL32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] .text C:\Program Files\Internet Explorer\iexplore.exe[5012] user32.DLL!UnhookWindowsHookEx 764DCC7B 5 Bytes JMP 00090A08 .text C:\Program Files\Internet Explorer\iexplore.exe[5012] user32.DLL!UnhookWinEvent 764DD924 5 Bytes JMP 000903FC .text C:\Program Files\Internet Explorer\iexplore.exe[5012] user32.DLL!SetWindowsHookExW 764E210A 5 Bytes JMP 00090804 .text C:\Program Files\Internet Explorer\iexplore.exe[5012] user32.DLL!SetWinEventHook 764E507E 5 Bytes JMP 000901F8 .text C:\Program Files\Internet Explorer\iexplore.exe[5012] user32.DLL!SetWindowsHookExA 76506DFA 5 Bytes JMP 00090600 .text C:\Users\Aneta\Desktop\7u49smv8.exe[6028] kernel32.dll!GetBinaryTypeW + 70 779D69F4 1 Byte [62] ---- Devices - GMER 2.1 ---- Device \FileSystem\Ntfs \Ntfs aswSP.SYS AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- EOF - GMER 2.1 ----