GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-02-24 20:34:06 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\00000067 TOSHIBA_ rev.GT00 596,17GB Running: wowmrgsi.exe; Driver: C:\Users\Peyton88\AppData\Local\Temp\kxldaaoc.sys ---- System - GMER 2.1 ---- SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8A8AEB10] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8A8AF5EE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateEvent [0x8A8BB5E0] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8A8BB62C] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8A8BB7C6] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateMutant [0x8A8BB54E] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateSection [0x8A8BB670] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8A8BB596] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateThread [0x8A8AFB24] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x8A8AFD40] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwCreateTimer [0x8A8BB780] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8A8B03DC] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8A8AEB76] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8A8B3B58] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwLoadDriver [0x8A8AE75E] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8A8AEBDC] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8A8B3F4E] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8A8B0E6C] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenEvent [0x8A8BB60A] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8A8BB64E] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8A8BB7EA] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenMutant [0x8A8BB574] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenProcess [0x8A8B3452] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenSection [0x8A8BB6FE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8A8BB5BE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenThread [0x8A8B383A] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwOpenTimer [0x8A8BB7A4] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x900280CC] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwQueryObject [0x8A8B0D38] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8A8B0A46] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8A8AEC42] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8A8AECA8] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwSetContextThread [0x90028316] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8A8AE7F8] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8A8AE9CE] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8A8AE95C] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8A8B05A6] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSuspendThread [0x8A8B0708] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8A8AEA56] SSDT \??\C:\Windows\system32\drivers\aswSP.sys ZwTerminateProcess [0x90028194] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwTerminateThread [0x8A8B0236] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwVdmControl [0x8A8AED0E] SSDT \??\C:\Windows\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x8A8AF64A] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82C86A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CC0212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82CC7460 4 Bytes [10, EB, 8A, 8A] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82CC74E8 4 Bytes [EE, F5, 8A, 8A] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82CC753C 8 Bytes [E0, B5, 8B, 8A, 2C, B6, 8B, ...] {LOOPNZ 0xffffffb7; MOV ECX, [EDX-0x757449d4]} .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82CC7548 4 Bytes [C6, B7, 8B, 8A] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82CC7564 4 Bytes [4E, B5, 8B, 8A] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82E824CF 4 Bytes CALL 8A8B152F \??\C:\Windows\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82E9C323 4 Bytes CALL 8A8B1545 \??\C:\Windows\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8A536000, 0x3C849, 0xE8000020] .dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x8A57B000, 0x3DC, 0x48000040] .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x94E04000, 0x14A61A, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Qualcomm Atheros\Bluetooth Suite\BtvStack.exe[348] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text C:\Windows\system32\csrss.exe[428] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text C:\Windows\system32\wininit.exe[524] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text C:\Windows\system32\csrss.exe[536] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text C:\Windows\system32\services.exe[584] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text ... .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[2460] kernel32.dll!SetUnhandledExceptionFilter 75CEF4EB 5 Bytes [33, C0, C2, 04, 00] {XOR EAX, EAX; RET 0x4} .text C:\Program Files\Real\RealPlayer\Update\realsched.exe[2460] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text C:\Program Files\Uniblue\DriverScanner\dsmonitor.exe[2468] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2532] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[2672] ntdll.dll!LdrUnloadDll 76EEC8DE 5 Bytes JMP 000E03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2672] ntdll.dll!LdrLoadDll 76EF22AE 5 Bytes JMP 72401FFD C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2672] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 75CE941E 7 Bytes JMP 5856049D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2672] KERNEL32.dll!QueryPerformanceCounter + 13 75CEC425 7 Bytes JMP 58560455 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2672] KERNEL32.dll!LoadAppInitDlls + 355 75CEF4E6 7 Bytes JMP 58175A06 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2672] KERNEL32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[2672] GDI32.dll!GetViewportOrgEx + 26C 755C884B 7 Bytes JMP 585604C4 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Users\Peyton88\Downloads\FRST.exe[2688] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text C:\Program Files\Qualcomm Atheros\Bluetooth Suite\adminservice.exe[2748] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text C:\Windows\notepad.exe[2804] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2820] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text C:\Program Files\RealNetworks\RealDownloader\rndlresolversvc.exe[2888] kernel32.dll!GetBinaryTypeW + 70 75D069E4 1 Byte [62] .text ... ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\tdx \Device\Tcp aswTdi.sys AttachedDevice \Driver\tdx \Device\Udp aswTdi.sys ---- EOF - GMER 2.1 ----