GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-10 17:49:35 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-4 WDC_WD400JB-00ENA0 rev.05.03E05 37,27GB Running: qddeoxb8.exe; Driver: C:\DOCUME~1\Admin\USTAWI~1\Temp\kwkiqpod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xF687FAC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xF6B720BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xF68805A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xF68C65A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xF688C63C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xF688C688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xF688C822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xF68C5F54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xF688C5AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xF688C6CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xF688C5F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xF6880AD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xF688C7DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xF6881390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xF687FB2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xF68C6C66] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xF68C6F1C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xF6884B86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xF68C6AD1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xF68C693C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xF687F716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xF6B72574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xF687FB90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xF6884F7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xF6881E78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xF688C666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xF688C6AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xF688C846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xF68C62B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xF688C5D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xF688447E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xF688C75A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xF688C61A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xF688486A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xF688C800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xF6B72312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xF68C67B7] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xF6881CEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xF68C6609] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xF6881842] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xF6B80358] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xF6B80CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xF68C5597] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xF687FBF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xF687FC5C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xF688120A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xF687F7B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xF687F982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xF68C6D6D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xF687F910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xF688155A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xF68816BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xF687FA0A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xF6881048] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xF68811EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xF687FCC2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xF68805FE] ---- Kernel code sections - GMER 2.1 ---- .text ntoskrnl.exe!_abnormal_termination + 398 804E296C 12 Bytes [F6, FB, 87, F6, 5C, FC, 87, ...] {IDIV BL; XCHG ESI, ESI; POP ESP; CLD ; XCHG ESI, ESI; OR DL, [EDX]; MOV DH, DH} .text ntoskrnl.exe!_abnormal_termination + 440 804E2A14 12 Bytes [5A, 15, 88, F6, BC, 16, 88, ...] {POP EDX; ADC EAX, 0x16bcf688; MOV DH, DH; OR BH, DL; XCHG ESI, ESI} PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056BC20 4 Bytes CALL F6882549 \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\Explorer.EXE[1260] SHELL32.dll!StrStrW 7C9CEF18 8 Bytes [80, 11, 60, 19, C0, 11, 60, ...] {ADC BYTE [ECX], 0x60; SBB EAX, EAX; ADC [EAX+0x19], ESP} .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1292] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2284] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 01959870 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] ntdll.dll!NtFlushBuffersFile 7C90D32E 2 Bytes JMP 0164D335 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] ntdll.dll!NtFlushBuffersFile + 3 7C90D331 2 Bytes [D4, 84] {AAM 0x84} .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 0164D5B0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 0164D390 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 022B8330 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 0195A7F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 022B82DF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 00881F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003003FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] KERNEL32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 021F9983 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 021F9960 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] KERNEL32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 01956164 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] user32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 020FB65E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2468] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 021F98E1 C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[580] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[580] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys ---- Processes - GMER 2.1 ---- Library C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll (*** hidden *** ) @ C:\WINDOWS\Explorer.EXE [1260] 0x10000000 ---- EOF - GMER 2.1 ----