GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-09-10 21:49:28 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000LM024_HN-M101MBB rev.2AR10002 931,51GB Running: gmer.exe; Driver: C:\Users\JAREK\AppData\Local\Temp\kwddykog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8B4D3AA0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8B4D457E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8B4E05C8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8B4E0614] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8B4E07AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8B4E0536] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8B58A6D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8B4E057E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0x8B4D4AB4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x8B4D4CD0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8B4E0768] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8B4D536C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8B4D3B06] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8B4D8B40] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8B4D36F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8B58A7B2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8B4D3B6C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8B4D8F36] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8B4D5E54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8B4E05F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8B4E0636] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8B4E07D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8B4E055C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8B4D843A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8B4E06E6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8B4E05A6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8B4D8822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8B4E078C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8B58A556] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8B4D5CC8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8B4D59D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8B4D3BD2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8B4D3C38] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8B58A8AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8B4D378C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8B4D395E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8B4D38EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8B4D5536] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8B4D5698] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8B4D39E6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8B58A624] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8B4D51C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8B4D3C9E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x8B4D45DA] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82C91A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CCB212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82CD2460 4 Bytes [A0, 3A, 4D, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82CD24E8 4 Bytes [7E, 45, 4D, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82CD253C 8 Bytes [C8, 05, 4E, 8B, 14, 06, 4E, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82CD2548 4 Bytes [AE, 07, 4E, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82CD2564 4 Bytes [36, 05, 4E, 8B] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82E8D4CF 4 Bytes CALL 8B4D6517 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82EA7323 4 Bytes CALL 8B4D652D \SystemRoot\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x91415000, 0x3CA345, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\taskeng.exe[148] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\Program Files\globalUpdate\Update\GoogleUpdate.exe[392] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\Windows\system32\csrss.exe[444] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\ProgramData\DatacardService\DCSHelper.exe[448] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\Windows\system32\wininit.exe[532] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1520] kernel32.dll!SetUnhandledExceptionFilter 7721F4EB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1520] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\ProgramData\IePluginService\PluginService.exe[1648] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1820] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[1844] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\Program Files\Bench\Wd\wd.exe[1860] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\avastui.exe[2724] kernel32.dll!SetUnhandledExceptionFilter 7721F4EB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[2724] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\Windows\system32\Dwm.exe[2760] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\Program Files\Bench\Proxy\pwdg.exe[2788] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[3000] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\Windows\System32\dinotify.exe[3128] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text ... .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] ntdll.dll!NtClose 77795508 5 Bytes JMP 6348CFC0 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] ntdll.dll!NtCreateFile 77795608 5 Bytes JMP 6348CE00 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] ntdll.dll!NtFlushBuffersFile 77795998 5 Bytes JMP 634ABCA0 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] ntdll.dll!NtLockFile 77795BD8 5 Bytes JMP 634ABD90 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] ntdll.dll!NtOpenFile 77795D18 5 Bytes JMP 6348CD70 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] ntdll.dll!NtQueryInformationFile 77796058 5 Bytes JMP 6348D040 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] ntdll.dll!NtReadFile 777962F8 5 Bytes JMP 6348CEA0 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] ntdll.dll!NtSetInformationFile 77796678 5 Bytes JMP 6348D0D0 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] ntdll.dll!NtUnlockFile 777969D8 5 Bytes JMP 634ABE20 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] ntdll.dll!NtWriteFile 77796AA8 5 Bytes JMP 6348CF30 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] ntdll.dll!LdrUnloadDll 777AC8DE 5 Bytes JMP 000F03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] ntdll.dll!LdrLoadDll 777B22AE 5 Bytes JMP 62745B60 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] KERNEL32.dll!MoveFileExW 77218DF8 4 Bytes JMP 63417430 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] KERNEL32.dll!GetFileSizeEx 772199F9 4 Bytes JMP 63417610 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] KERNEL32.dll!ReadFile 77219BAE 7 Bytes JMP 634174D0 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] KERNEL32.dll!GetFileInformationByHandle 7721BDF5 4 Bytes JMP 634172C0 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] KERNEL32.dll!CloseHandle 7721E858 4 Bytes JMP 63417580 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] KERNEL32.dll!CreateFileW 7721E895 4 Bytes JMP 63417360 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] KERNEL32.dll!SetFilePointer 772205FD 4 Bytes JMP 634176B0 C:\Program Files\Settings Manager\systemk\systemk.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4816] KERNEL32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\Windows\system32\vssvc.exe[5640] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] .text C:\Windows\system32\AUDIODG.EXE[5668] kernel32.dll!GetBinaryTypeW + 70 772369E4 1 Byte [62] ---- Devices - GMER 2.1 ---- Device \Driver\BTHUSB \Device\00000080 bthport.sys Device \Driver\BTHUSB \Device\0000007e bthport.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys AttachedDevice \FileSystem\fastfat \Fat systemkmgrc2.cfg ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\50b7c3e01bd4 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\50b7c3e01bd4 (not active ControlSet) ---- EOF - GMER 2.1 ----