GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-16 13:12:35 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.PB4O 465,76GB Running: 5u29e0wc.exe; Driver: C:\Users\Jacek\AppData\Local\Temp\pxldrpob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x91AAFAC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x91B6B0BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x91AB05A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x91ABC63C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x91ABC688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x91ABC822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x91ABC5AA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x91B6B494] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x91ABC5F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x91B6B724] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x91B6B80E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x91ABC7DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x91AB1390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x91AAFB2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x91AB4B86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x91AAF716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x91B6B574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x91AAFB90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x91AB4F7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x91AB1E78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x91ABC666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x91ABC6AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x91ABC846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x91ABC5D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x91AB447E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x91ABC75A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x91ABC61A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x91AB486A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x91ABC800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x91B6B312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x91AB1CEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x91AB19FA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x91AAFBF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x91AAFC5C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x91B6B670] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x91AAF7B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x91AAF982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x91AAF910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x91AB155A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x91AB16BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x91AAFA0A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x91B6B3E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x91AB11EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x91AAFCC2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x91B6B244] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestWaitReplyPort + 14A5 83880A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 838BA372 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 838C15C0 4 Bytes [C4, FA, AA, 91] .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 838C15E8 4 Bytes [BA, B0, B6, 91] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 838C1648 4 Bytes [A2, 05, AB, 91] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 838C169C 8 Bytes [3C, C6, AB, 91, 88, C6, AB, ...] {CMP AL, 0xc6; STOSD ; XCHG ECX, EAX; MOV DH, AL; STOSD ; XCHG ECX, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 838C16A8 4 Bytes [22, C8, AB, 91] {AND CL, AL; STOSD ; XCHG ECX, EAX} .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 83A7C553 4 Bytes CALL 91AB255F \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 83A963BB 4 Bytes CALL 91AB2575 \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1348] kernel32.dll!SetUnhandledExceptionFilter 777CF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[3800] kernel32.dll!SetUnhandledExceptionFilter 777CF5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [72AF249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [72AD5652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [72AD5710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [72AF251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [72AE857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [72AE4D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [72AE50D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [72AE51AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [72AE66DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [72AE82D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [72AE8824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [72AE9085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [72AEE228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll IAT C:\Windows\Explorer.EXE[2004] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [72AE4C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys AttachedDevice \Driver\tdx \Device\Tcp tcpipBM.sys AttachedDevice \Driver\tdx \Device\Udp ccnfd_1_10_0_6.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0c6076cc706f Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0c6076cc706f (not active ControlSet) Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@58581E4C 6715 ---- EOF - GMER 2.1 ----