GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-25 15:35:58 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 SAMSUNG_ rev.2AC1 232,89GB Running: gmer.exe; Driver: C:\Users\Alek\AppData\Local\Temp\aftcqaog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x89726AA0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8972757E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x897335C8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x89733614] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x897337AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x89733536] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x867856D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8973357E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0x89727AB4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x89727CD0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x89733768] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8972836C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x89726B06] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8972BB40] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x897266F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x867857B2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x89726B6C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8972BF36] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x89728E54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x897335F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x89733636] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x897337D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8973355C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8972B43A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x897336E6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x897335A6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8972B822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8973378C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x86785556] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x89728CC8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x897289D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x89726BD2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x89726C38] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x867858AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8972678C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8972695E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x897268EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x89728536] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x89728698] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x897269E6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x86785624] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x897281C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x89726C9E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x897275DA] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 81C5AA15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 81C94212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 81C9B460 4 Bytes [A0, 6A, 72, 89] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 81C9B4E8 4 Bytes [7E, 75, 72, 89] {JLE 0x77; JB 0xffffff8d} .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 81C9B53C 8 Bytes [C8, 35, 73, 89, 14, 36, 73, ...] {ENTER 0x7335, 0x89; ADC AL, 0x36; JAE 0xffffff91} .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 81C9B548 4 Bytes [AE, 37, 73, 89] {SCASB ; AAA ; JAE 0xffffff8d} .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 81C9B564 4 Bytes [36, 35, 73, 89] .text ... ---- User code sections - GMER 2.1 ---- .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[236] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text C:\windows\system32\csrss.exe[468] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text C:\windows\system32\wininit.exe[516] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text C:\windows\system32\csrss.exe[524] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text C:\windows\system32\winlogon.exe[580] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1380] kernel32.dll!SetUnhandledExceptionFilter 7647F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1380] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text C:\windows\system32\WLANExt.exe[1388] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text C:\windows\system32\conhost.exe[1404] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text C:\windows\system32\Dwm.exe[1480] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text C:\windows\Explorer.EXE[1492] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\avastui.exe[1716] kernel32.dll!SetUnhandledExceptionFilter 7647F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[1716] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text C:\Program Files\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe[1728] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text C:\windows\System32\spoolsv.exe[1760] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[1772] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text C:\windows\system32\taskhost.exe[1868] kernel32.dll!GetBinaryTypeW + 70 76496AAC 1 Byte [62] .text ... ---- Devices - GMER 2.1 ---- Device \Driver\BTHUSB \Device\0000006c bthport.sys Device \Driver\BTHUSB \Device\0000006e bthport.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\4cedde7d6526 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\506313ba9225 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e839df03ec4c Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\4cedde7d6526 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\506313ba9225 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e839df03ec4c (not active ControlSet) Reg HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{3F37BCFE-F1BB-11DF-BE8C-806E6F6E6963} 673634904 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----