GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-05 21:58:05 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500423AS rev.0001SDM5 465,76GB Running: kxvhznsy.exe; Driver: C:\Users\Oli\AppData\Local\Temp\uwldapow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8B533A9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8B53457A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8B5405C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8B540610] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8B5407AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8B540532] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x9081059A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8B54057A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0x8B534AB0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x8B534CCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8B540764] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8B535368] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8B533B02] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8B538B3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8B5336EE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x9081067A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8B533B68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8B538F32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8B535E50] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8B5405EE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8B540632] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8B5407CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8B540558] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8B538436] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8B5406E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8B5405A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8B53881E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8B540788] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x9081041E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8B535CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8B5359D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8B533BCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8B533C34] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x90810776] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8B533788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8B53395A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8B5338E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8B535532] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8B535694] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8B5339E2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x908104EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8B5351C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8B533C9A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x8B5345D6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82A7BA15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AB5212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82ABC460 4 Bytes [9C, 3A, 53, 8B] {PUSHF ; CMP DL, [EBX-0x75]} .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82ABC4E8 4 Bytes [7A, 45, 53, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82ABC53C 8 Bytes [C4, 05, 54, 8B, 10, 06, 54, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82ABC548 4 Bytes [AA, 07, 54, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82ABC564 4 Bytes [32, 05, 54, 8B] .text .. PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C774DF 4 Bytes CALL 8B536513 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82C91347 4 Bytes CALL 8B536529 \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[436] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\system32\wininit.exe[476] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\system32\csrss.exe[488] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\system32\services.exe[532] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\system32\lsass.exe[548] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text .. .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtCreateFile + 6 774F560E 4 Bytes [28, 20, 28, 00] {SUB [EAX], AH; SUB [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtCreateFile + B 774F5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtMapViewOfSection + 6 774F5C6E 4 Bytes [28, 23, 28, 00] {SUB [EBX], AH; SUB [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtMapViewOfSection + B 774F5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtOpenFile + 6 774F5D1E 4 Bytes [68, 20, 28, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtOpenFile + B 774F5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtOpenProcess + 6 774F5DCE 4 Bytes [A8, 21, 28, 00] {TEST AL, 0x21; SUB [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtOpenProcess + B 774F5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtOpenProcessToken + B 774F5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtOpenProcessTokenEx + 6 774F5DEE 4 Bytes [A8, 22, 28, 00] {TEST AL, 0x22; SUB [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtOpenProcessTokenEx + B 774F5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtOpenThread + 6 774F5E4E 4 Bytes [68, 21, 28, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtOpenThread + B 774F5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtOpenThreadToken + 6 774F5E5E 4 Bytes [68, 22, 28, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtOpenThreadToken + B 774F5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtOpenThreadTokenEx + B 774F5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtQueryAttributesFile + 6 774F5F7E 4 Bytes [A8, 20, 28, 00] {TEST AL, 0x20; SUB [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtQueryAttributesFile + B 774F5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtQueryFullAttributesFile + B 774F6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtSetInformationFile + 6 774F667E 4 Bytes [28, 21, 28, 00] {SUB [ECX], AH; SUB [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtSetInformationFile + B 774F6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtSetInformationThread + 6 774F66DE 4 Bytes [28, 22, 28, 00] {SUB [EDX], AH; SUB [EAX], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtSetInformationThread + B 774F66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtUnmapViewOfSection + 6 774F69FE 4 Bytes [68, 23, 28, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!NtUnmapViewOfSection + B 774F6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!LdrUnloadDll 7750C8DE 5 Bytes JMP 003203FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] ntdll.dll!LdrLoadDll 775122AE 5 Bytes JMP 003201F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[944] KERNEL32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[964] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1008] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\system32\taskeng.exe[1132] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1164] ntdll.dll!NtMapViewOfSection + 6 774F5C6E 4 Bytes [18, 00, 10, 73] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1164] ntdll.dll!NtMapViewOfSection + B 774F5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1164] ntdll.dll!LdrUnloadDll 7750C8DE 5 Bytes JMP 000E03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[1164] ntdll.dll!LdrLoadDll 775122AE 5 Bytes JMP 000E01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1164] KERNEL32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtCreateFile + 6 774F560E 4 Bytes [28, 5C, CC, 00] {SUB [ESP+ECX*8+0x0], BL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtCreateFile + B 774F5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtMapViewOfSection + 6 774F5C6E 4 Bytes [28, 5F, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtMapViewOfSection + B 774F5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenFile + 6 774F5D1E 4 Bytes [68, 5C, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenFile + B 774F5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenProcess + 6 774F5DCE 4 Bytes [A8, 5D, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenProcess + B 774F5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenProcessToken + 6 774F5DDE 4 Bytes CALL 76502A40 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenProcessToken + B 774F5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenProcessTokenEx + 6 774F5DEE 4 Bytes [A8, 5E, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenProcessTokenEx + B 774F5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenThread + 6 774F5E4E 4 Bytes [68, 5D, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenThread + B 774F5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenThreadToken + 6 774F5E5E 4 Bytes [68, 5E, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenThreadToken + B 774F5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenThreadTokenEx + 6 774F5E6E 4 Bytes CALL 76502AD1 C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtOpenThreadTokenEx + B 774F5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtQueryAttributesFile + 6 774F5F7E 4 Bytes [A8, 5C, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtQueryAttributesFile + B 774F5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtQueryFullAttributesFile + 6 774F602E 4 Bytes CALL 76502C8F C:\Windows\system32\SHELL32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtQueryFullAttributesFile + B 774F6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtSetInformationFile + 6 774F667E 4 Bytes [28, 5D, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtSetInformationFile + B 774F6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtSetInformationThread + 6 774F66DE 4 Bytes [28, 5E, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtSetInformationThread + B 774F66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtUnmapViewOfSection + 6 774F69FE 4 Bytes [68, 5F, CC, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!NtUnmapViewOfSection + B 774F6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!LdrUnloadDll 7750C8DE 5 Bytes JMP 00DC03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] ntdll.dll!LdrLoadDll 775122AE 5 Bytes JMP 00DC01F8 .text C:\Program Files\Google\Chrome\Application\chrome.exe[1268] KERNEL32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1280] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\system32\taskhost.exe[1400] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1420] kernel32.dll!SetUnhandledExceptionFilter 7587F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1420] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1548] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Users\Oli\Downloads\kxvhznsy.exe[1560] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1584] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\system32\svchost.exe[1684] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text .. .text C:\Windows\Explorer.EXE[2316] SHELL32.dll!SHFormatDrive + 7C7 760E48BC 8 Bytes [80, BB, 33, 73, A0, BB, 33, ...] .text C:\Program Files\TeamViewer\Version9\tv_w32.exe[2528] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Program Files\Realtek\Audio\HDA\RtHDVCpl.exe[2756] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2764] kernel32.dll!SetUnhandledExceptionFilter 7587F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2764] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\System32\igfxtray.exe[2780] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\System32\hkcmd.exe[2792] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Windows\System32\igfxpers.exe[2804] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[2924] kernel32.dll!GetBinaryTypeW + 70 75896AAC 1 Byte [62] .text .. ---- EOF - GMER 2.1 ----