GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-03 07:02:31 Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600BEVS-22RST0 rev.04.01G04 149,05GB Running: ffoifvdq.exe; Driver: C:\DOCUME~1\ADMINI~1\USTAWI~1\Temp\kwloypoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xEBA39BA6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xEBA3A684] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xEBA7ED80] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xEBA466F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xEBA46744] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xEBA468DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xEBA7E734] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xEBA46666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xEBA46788] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xEBA466AE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xEBA3ABBA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xEBA46898] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xEBA3B472] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xEBA39C0C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xEBA7F446] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xEBA7F6FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xEBA3EC68] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xEBA7F2B1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xEBA7F11C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xEBA397F8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xEBCA9ED0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xEBA39C72] SSDT \SystemRoot\system32\drivers\aswSnx.sys 
ZwNotifyChangeKey [0xEBA3F05E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xEBA3BF5A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xEBA46722] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xEBA46766] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xEBA46902] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xEBA7EA90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xEBA4668C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xEBA3E560] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xEBA46816] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xEBA466D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xEBA3E94C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xEBA468BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xEBCA9C6E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xEBA7EF97] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xEBA3BDCE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xEBA7EDE9] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xEBA3B924] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xEBCB7E1A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xEBA7DD77] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xEBA39CD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xEBA39D3E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xEBA3B2EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xEBA39892] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xEBA39A64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xEBA7F54D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xEBA399F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xEBA3B63C] SSDT 
\SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xEBA3B79E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xEBA39AEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xEBA3B12A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xEBA3B2CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xEBA39DA4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xEBA3A6E0] INT 0x06 \??\C:\WINDOWS\system32\drivers\Haspnt.sys B734A16D INT 0x0E \??\C:\WINDOWS\system32\drivers\Haspnt.sys B7349FC2 ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2DA4 80504610 8 Bytes [90, EA, A7, EB, 8C, 66, A4, ...] {NOP ; JMP FAR 0xeba4:0x668ceba7} .text ntkrnlpa.exe!ZwCallbackReturn + 2DC8 80504634 4 Bytes [4C, E9, A3, EB] .text ntkrnlpa.exe!ZwCallbackReturn + 2F14 80504780 12 Bytes [D8, 9C, A3, EB, 3E, 9D, A3, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2FBC 80504828 12 Bytes [3C, B6, A3, EB, 9E, B7, A3, ...] 
PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A533E 4 Bytes CALL EBA3C62B \SystemRoot\system32\drivers\aswSnx.sys .text C:\WINDOWS\system32\DRIVERS\atksgt.sys section is writeable [0xB6FC0300, 0x3B6D8, 0xE8000020] .text C:\WINDOWS\system32\drivers\hardlock.sys section is writeable [0xB6E50400, 0x7960C, 0xE8000020] .protect C:\WINDOWS\system32\drivers\hardlock.sys entry point in ".protect" section [0xB6EF2420] .protect C:\WINDOWS\system32\drivers\hardlock.sys unknown last code section [0xB6EF2200, 0x5049, 0xE0000020] .text C:\WINDOWS\system32\DRIVERS\lirsgt.sys section is writeable [0xF788C300, 0x1BEE, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\svchost.exe[124] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[124] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[212] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[212] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[256] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\Explorer.EXE[256] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[528] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jucheck.exe[528] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[696] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[696] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 8 Bytes [31, C0, C2, 
04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[696] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Java\jre7\bin\jqs.exe[832] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\Java\jre7\bin\jqs.exe[832] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[960] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\Common Files\Java\Java Update\jusched.exe[960] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\LEXBCES.EXE[1068] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\LEXBCES.EXE[1068] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\LEXPPS.EXE[1108] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\LEXPPS.EXE[1108] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1120] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\spoolsv.exe[1120] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\System32\smss.exe[1160] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1216] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\csrss.exe[1216] KERNEL32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1248] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\winlogon.exe[1248] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\acs.exe[1276] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\acs.exe[1276] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1300] ntdll.dll!RtlDosSearchPath_U + 1D1 
7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\services.exe[1300] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1312] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\lsass.exe[1312] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1500] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1500] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1520] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1520] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1600] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1600] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1652] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\System32\svchost.exe[1652] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1712] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[1712] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1732] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\Ati2evxx.exe[1732] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\quiz games\quiz_games_notification_service.exe[1896] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Documents and Settings\Administrator\Ustawienia lokalne\Dane aplikacji\quiz games\quiz_games_notification_service.exe[1896] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1976] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte 
[62] .text C:\Program Files\Common Files\LightScribe\LSSrvc.exe[1976] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2112] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2112] kernel32.dll!SetUnhandledExceptionFilter 7C8447ED 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[2112] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[2148] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\Samsung\ComSMMgr\ssmmgr.exe[2148] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\MySQL\MySQL Server 5.4\bin\mysqld.exe[2156] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\MySQL\MySQL Server 5.4\bin\mysqld.exe[2156] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[2168] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\Lexmark 1200 Series\lxczbmgr.exe[2168] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[2212] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\Sony Ericsson\Sony Ericsson PC Suite\SupServ.exe[2212] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Skype\Phone\Skype.exe[2224] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\Skype\Phone\Skype.exe[2224] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\CyberLink\Shared files\RichVideo.exe[2236] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\CyberLink\Shared files\RichVideo.exe[2236] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\ASUS\NB 
Probe\SPM\spmgr.exe[2300] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\ASUS\NB Probe\SPM\spmgr.exe[2300] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2328] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\svchost.exe[2328] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[2368] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\Lexmark 1200 Series\lxczbmon.exe[2368] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\PdaNet for Android\PdaNetPC.exe[2380] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\PdaNet for Android\PdaNetPC.exe[2380] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\System32\StkCSrv.exe[2420] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\System32\StkCSrv.exe[2420] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3096] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\wbem\wmiprvse.exe[3096] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Documents and Settings\Administrator\Pulpit\ffoifvdq.exe[3432] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Documents and Settings\Administrator\Pulpit\ffoifvdq.exe[3432] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\Program Files\Opera\opera.exe[3544] ntdll.dll!LdrLoadDll 7C915CD3 5 Bytes JMP 003C01F8 .text C:\Program Files\Opera\opera.exe[3544] ntdll.dll!RtlDosSearchPath_U + 1D1 7C916ADA 1 Byte [62] .text C:\Program Files\Opera\opera.exe[3544] ntdll.dll!LdrUnloadDll 7C916C9B 5 Bytes JMP 003C03FC .text C:\Program Files\Opera\opera.exe[3544] KERNEL32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] .text C:\WINDOWS\system32\wbem\unsecapp.exe[4076] ntdll.dll!RtlDosSearchPath_U + 1D1 
7C916ADA 1 Byte [62] .text C:\WINDOWS\system32\wbem\unsecapp.exe[4076] kernel32.dll!GetBinaryTypeW + 80 7C867E3C 1 Byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[1300] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002 IAT C:\WINDOWS\system32\services.exe[1300] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys Device \Driver\aksusb \Device\0000008c AKSCLASS.SYS AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys ---- EOF - GMER 2.1 ----