GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-12-12 14:39:19 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 TOSHIBA_MK1637GSX rev.DL030M 149,05GB Running: 68u2slbr.exe; Driver: C:\DOCUME~1\BOREK\USTAWI~1\Temp\ugtdqpow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xED4DAAC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xED7550BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xED4DB5A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xED5215A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xED4E763C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xED4E7688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xED4E7822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xED520F54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xED4E75AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xED4E76CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xED4E75F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xED4DBAD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xED4E77DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xED4DC390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xED4DAB2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xED521C66] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xED521F1C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xED4DFB86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xED521AD1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xED52193C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xED4DA716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xED755574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xED4DAB90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xED4DFF7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xED4DCE78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xED4E7666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xED4E76AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xED4E7846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xED5212B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xED4E75D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xED4DF47E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xED4E775A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xED4E761A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xED4DF86A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xED4E7800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xED755312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xED5217B7] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xED4DCCEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xED521609] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xED4DC842] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xED763358] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xED763CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xED520597] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xED4DABF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xED4DAC5C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xED4DC20A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xED4DA7B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xED4DA982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xED521D6D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xED4DA910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xED4DC55A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xED4DC6BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xED4DAA0A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xED4DC048] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xED4DC1EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xED4DACC2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xED4DB5FE] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [F6, AB, 4D, ED, 5C, AC, 4D, ...] {IMUL BYTE [EBX-0x53a312b3]; DEC EBP; IN EAX, DX; OR AL, DL; DEC EBP; IN EAX, DX} .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [5A, C5, 4D, ED, BC, C6, 4D, ...] {POP EDX; LDS ECX, [EBP-0x13]; MOV ESP, 0xaed4dc6; STOSB ; DEC EBP; IN EAX, DX} PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL ED4DD549 \SystemRoot\system32\drivers\aswSnx.sys init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF61CCEBF] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Alwil Software\Avast5\AvastSvc.exe[1852] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2584] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003C01F8 .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2584] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003C03FC .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2584] USER32.dll!DialogBoxParamW 7E3747AB 5 Bytes JMP 4059F4C1 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2584] USER32.dll!DialogBoxIndirectParamW 7E382072 5 Bytes JMP 4071512E C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2584] USER32.dll!MessageBoxIndirectA 7E38A082 5 Bytes JMP 407150AF C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2584] USER32.dll!DialogBoxParamA 7E38B144 5 Bytes JMP 407150F3 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2584] USER32.dll!MessageBoxExW 7E3A0838 5 Bytes JMP 4071503B C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2584] USER32.dll!MessageBoxExA 7E3A085C 5 Bytes JMP 40715075 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2584] USER32.dll!DialogBoxIndirectParamA 7E3A6D7D 5 Bytes JMP 40715169 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2584] USER32.dll!MessageBoxIndirectW 7E3B64D5 5 Bytes JMP 405C17B2 C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Internet Explorer\IEXPLORE.EXE[2584] ole32.dll!OleLoadFromStream 7751988B 5 Bytes JMP 4071532B C:\WINDOWS\system32\IEFRAME.dll .text C:\Program Files\Alwil Software\Avast5\AvastUI.exe[3420] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[1148] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[1148] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 Wdf01000.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys ---- EOF - GMER 2.1 ----