GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-03 18:32:48 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD800BB-55JKC0 rev.05.01C05 74,53GB Running: b2ucwwue.exe; Driver: C:\Users\Krz\AppData\Local\Temp\uxriypow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xCDC49AA0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xCDC4A57E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xCDC565C8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xCDC56614] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xCDC567AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xCDC56536] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0xCDD006D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xCDC5657E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xCDC4AAB4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThreadEx [0xCDC4ACD0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xCDC56768] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xCDC4B36C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xCDC49B06] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xCDC4EB40] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xCDC496F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xCDD007B2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xCDC49B6C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xCDC4EF36] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xCDC4BE54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xCDC565F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xCDC56636] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xCDC567D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xCDC5655C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xCDC4E43A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xCDC566E6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xCDC565A6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xCDC4E822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xCDC5678C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xCDD00556] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xCDC4BCC8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0xCDC4B9D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xCDC49BD2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xCDC49C38] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0xCDD008AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xCDC4978C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xCDC4995E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xCDC498EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xCDC4B536] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xCDC4B698] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xCDC499E6] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0xCDD00624] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xCDC4B1C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xCDC49C9E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xCDC4A5DA] INT 0x52 ? C2EECA58 INT 0x53 ? C2EECCD8 INT 0x61 ? C3F45A58 INT 0x74 ? C3F45558 INT 0x84 ? C2EEC058 INT 0x94 ? C2EEC2D8 INT 0xA3 ? C2E73058 INT 0xA4 ? C2EEC7D8 INT 0xB1 ? C2E73CD8 INT 0xB2 ? C3F457D8 INT 0xB3 ? C2E737D8 INT 0xB4 ? C2E732D8 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 140D E367BA09 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 E36B51F2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB E36BC220 4 Bytes [A0, 9A, C4, CD] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 E36BC2A8 4 Bytes [7E, A5, C4, CD] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 E36BC2FC 8 Bytes [C8, 65, C5, CD, 14, 66, C5, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 E36BC308 4 Bytes [AE, 67, C5, CD] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF E36BC324 4 Bytes [36, 65, C5, CD] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 E38774DF 4 Bytes CALL CDC4C517 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 E3891333 4 Bytes CALL CDC4C52D \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\HTC\Internet Pass-Through\PassThruSvr.exe[316] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text C:\Windows\system32\taskhost.exe[348] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text C:\Windows\system32\csrss.exe[404] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text C:\Windows\system32\wininit.exe[460] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text C:\Windows\system32\csrss.exe[476] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!SetUnhandledExceptionFilter 754DF4FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1468] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text C:\Windows\system32\Dwm.exe[1520] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text C:\Windows\System32\spoolsv.exe[1656] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text C:\Windows\system32\svchost.exe[1684] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1748] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text ... .text C:\Program Files\AVAST Software\Avast\avastui.exe[4040] kernel32.dll!SetUnhandledExceptionFilter 754DF4FB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[4040] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text C:\Windows\system32\SearchProtocolHost.exe[4160] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text C:\Users\Krz\Desktop\b2ucwwue.exe[4752] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text C:\Windows\system32\taskeng.exe[4804] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text C:\Windows\system32\sppsvc.exe[5004] kernel32.dll!GetBinaryTypeW + 70 754F69F4 1 Byte [62] .text ... ---- Files - GMER 2.1 ---- File C:\ProgramData\Microsoft\RAC\Temp\sqlAA2E.tmp 20480 bytes File C:\ProgramData\Microsoft\RAC\Temp\sqlAA6D.tmp 20480 bytes ---- EOF - GMER 2.1 ----