GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-10-26 14:25:42 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB3O 298.09GB Running: xm77wpyy.exe; Driver: C:\Users\user\AppData\Local\Temp\kxldapob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x91B3DBA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x91B3E684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x91B4A6F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x91B4A744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x91B4A8DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x91B4A666] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8C78ADF0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x91B4A6AE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8C78B080] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8C78B16A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x91B4A898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x91B3F472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x91B3DC0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x91B42C68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x91B3D7F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8C78AED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x91B3DC72] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x91B4305E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x91B3FF5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x91B4A722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x91B4A766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x91B4A902] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x91B4A68C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x91B42560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x91B4A816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x91B4A6D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x91B4294C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x91B4A8BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8C78AC6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x91B3FDCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x91B3FADC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x91B3DCD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x91B3DD3E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8C78AFCC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x91B3D892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x91B3DA64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x91B3D9F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x91B3F63C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x91B3F79E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x91B3DAEC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8C78AD3C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x91B3F2CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x91B3DDA4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8C78ABA0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D 82A41A35 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82A7B392 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82A825B0 4 Bytes [A6, DB, B3, 91] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82A82638 4 Bytes [84, E6, B3, 91] {TEST DH, AH; MOV BL, 0x91} .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82A8268C 8 Bytes [F8, A6, B4, 91, 44, A7, B4, ...] {CLC ; CMPSB ; MOV AH, 0x91; INC ESP; CMPSD ; MOV AH, 0x91} .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82A82698 4 Bytes [DE, A8, B4, 91] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82A826B4 4 Bytes [66, A6, B4, 91] {CMPSB ; MOV AH, 0x91} .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 82C3D50F 4 Bytes CALL 91B40641 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 82C57377 4 Bytes CALL 91B40657 \SystemRoot\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x997E4300, 0x1B7E, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\csrss.exe[424] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text C:\Windows\system32\wininit.exe[476] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text C:\Windows\system32\csrss.exe[484] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text C:\Windows\system32\services.exe[524] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text C:\Windows\system32\lsass.exe[548] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1364] kernel32.dll!SetUnhandledExceptionFilter 7784F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1364] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text C:\Windows\System32\hkcmd.exe[1384] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text C:\Windows\system32\wbem\wmiprvse.exe[1428] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text C:\ProgramData\IePluginServices\PluginService.exe[1508] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1516] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\avastui.exe[2680] kernel32.dll!SetUnhandledExceptionFilter 7784F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[2680] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text c:\Program Files\Microsoft Security Client\NisSrv.exe[2716] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2868] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text C:\Program Files\Windows Media Player\wmpnetwk.exe[3140] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text C:\Program Files\Skype\Phone\Skype.exe[3308] kernel32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text ... .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] ntdll.dll!NtCreateFile 779F5608 5 Bytes JMP 5FB3C820 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] ntdll.dll!NtFlushBuffersFile 779F5998 5 Bytes JMP 5FB0F374 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] ntdll.dll!NtQueryFullAttributesFile 779F6028 5 Bytes JMP 5FB0F090 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] ntdll.dll!NtReadFile 779F62F8 5 Bytes JMP 5FB0F270 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] ntdll.dll!NtReadFileScatter 779F6308 5 Bytes JMP 6046923A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] ntdll.dll!NtWriteFile 779F6AA8 5 Bytes JMP 5FB3D710 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] ntdll.dll!NtWriteFileGather 779F6AB8 5 Bytes JMP 604691E9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] ntdll.dll!LdrUnloadDll 77A0C8DE 5 Bytes JMP 000E03FC .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] ntdll.dll!LdrLoadDll 77A122AE 5 Bytes JMP 6C8E1F43 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 778494E6 7 Bytes JMP 603CFDEA C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] KERNEL32.dll!QueryPerformanceCounter + 13 7784C4E5 7 Bytes JMP 603CFE0D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] KERNEL32.dll!LoadAppInitDlls + 355 7784F5A6 7 Bytes JMP 5FB3934D C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] KERNEL32.dll!GetBinaryTypeW + 70 77866AAC 1 Byte [62] .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] USER32.dll!GetWindowInfo 778F4B5E 5 Bytes JMP 602D62F6 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3548] GDI32.dll!GetViewportOrgEx + 26C 77B9884B 7 Bytes JMP 603CFD6B C:\Program Files\Mozilla Firefox\xul.dll ---- EOF - GMER 2.1 ----