GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-07 15:40:24 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-2 TOSHIBA_MK2552GSX rev.LV010M 232,89GB Running: g30y8qw7.exe; Driver: C:\Users\Macio\AppData\Local\Temp\pwddikob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8B2D1BA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8B2D2684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8B2DE6F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8B2DE744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8B2DE8DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8B2DE666] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8BB9EDF0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8B2DE6AE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8BB9F080] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8BB9F16A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8B2DE898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8B2D3472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8B2D1C0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8B2D6C68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8B2D17F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8BB9EED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8B2D1C72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8B2D705E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8B2D3F5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8B2DE722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8B2DE766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8B2DE902] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8B2DE68C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8B2D6560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8B2DE816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8B2DE6D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8B2D694C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8B2DE8BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8BB9EC6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8B2D3DCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8B2D3ADC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8B2D1CD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8B2D1D3E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8BB9EFCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8B2D1892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8B2D1A64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8B2D19F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8B2D363C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8B2D379E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8B2D1AEC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8BB9ED3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8B2D32CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8B2D1DA4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8BB9EBA0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwSaveKey + 13C1 82E753D9 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82EAED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82EB5DC0 4 Bytes [A6, 1B, 2D, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82EB5E48 4 Bytes [84, 26, 2D, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82EB5E9C 8 Bytes [F8, E6, 2D, 8B, 44, E7, 2D, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82EB5EA8 4 Bytes [DE, E8, 2D, 8B] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82EB5EC4 4 Bytes [66, E6, 2D, 8B] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 83070397 4 Bytes CALL 8B2D4641 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 8308A1A0 4 Bytes CALL 8B2D4657 \SystemRoot\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x90E25000, 0x2D5378, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\PnkBstrA.exe[112] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[360] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Windows\system32\taskhost.exe[408] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Windows\system32\csrss.exe[412] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Windows\system32\wininit.exe[480] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!SetUnhandledExceptionFilter 7730F4FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Windows\system32\atieclxx.exe[1500] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1704] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1836] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Windows\Explorer.EXE[1860] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\avastui.exe[2596] kernel32.dll!SetUnhandledExceptionFilter 7730F4FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[2596] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Program Files\Windows Sidebar\sidebar.exe[2608] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Windows\system32\SearchIndexer.exe[2764] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Windows\system32\WUDFHost.exe[2924] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3104] kernel32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text ... .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtCreateFile 77AA55C8 5 Bytes JMP 5C8EA210 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtFlushBuffersFile 77AA5958 5 Bytes JMP 5C8CEB90 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtQueryFullAttributesFile 77AA5FE8 5 Bytes JMP 5C8E9C70 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtReadFile 77AA62B8 5 Bytes JMP 5C8CEC80 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtReadFileScatter 77AA62C8 5 Bytes JMP 5D1E4CE1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtWriteFile 77AA6A68 5 Bytes JMP 5C8EACB0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!NtWriteFileGather 77AA6A78 5 Bytes JMP 5D1E4C90 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!LdrUnloadDll 77ABC86E 5 Bytes JMP 000E03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!LdrLoadDll 77AC223E 1 Byte [E9] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] ntdll.dll!LdrLoadDll 77AC223E 5 Bytes JMP 717C1F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 773093D6 7 Bytes JMP 5D151CEB C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!QueryPerformanceCounter + 13 7730C435 7 Bytes JMP 5D151D0E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!LoadAppInitDlls + 355 7730F4F6 7 Bytes JMP 5C8E6A9C C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] KERNEL32.dll!GetBinaryTypeW + 70 773269F4 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] USER32.dll!GetWindowInfo 773B4B5E 5 Bytes JMP 5D0578E5 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[5800] GDI32.dll!GetViewportOrgEx + 26C 7645884B 7 Bytes JMP 5D151C6C C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [746F2437] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [746D5600] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [746D56BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [746F24B2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [746E8514] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [746E4CC8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [746E506F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [746E5144] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [746E6671] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [746E826B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [746E87BA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [746E901B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [746EE1BE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll IAT C:\Windows\Explorer.EXE[1860] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [746E4BFA] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\gdiplus.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00037a88c747 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00037a88c747 (not active ControlSet) ---- EOF - GMER 2.1 ----