GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-02 19:25:35 Windows 5.1.2600 Dodatek Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 WDC_WD1600JS-60MHB5 rev.10.02E04 149,05GB Running: zddrlk4i.exe; Driver: C:\DOCUME~1\natala\USTAWI~1\Temp\afkyikoc.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xA8E65ACC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xA90EF464] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xA8E665AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xA8EAC620] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xA8E726A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xA8E726EC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xA8E72886] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xA8EABFD4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xA8E7260E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xA8E72730] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xA8E72656] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xA8E66AE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xA8E72840] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xA8E67398] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xA8E65B32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xA8EACCE6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xA8EACF9C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xA8E6ABEA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xA8EACB51] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xA8EAC9BC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xA90EF53C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xA8E6571E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xA90EF91E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xA8E65B98] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xA8E6AFE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xA8E67EDC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xA8E726CA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xA8E7270E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xA8E728AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xA8EAC330] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xA8E72634] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xA8E6A4E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xA8E727BE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xA8E7267E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xA8E6A8CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xA8E72864] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xA90EF6BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xA8EAC837] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xA8E67CF4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xA8EAC689] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xA8E6784A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xA90FCE74] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xA90FD7E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xA8EAB617] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xA8E65BFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xA8E65C64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xA8E67212] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xA8E657B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xA8E6598A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xA8EACDED] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xA8E65918] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xA8E67562] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xA8E676C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xA8E65A12] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xA8E67050] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xA8E671F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xA90EC906] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xA8E65CCA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xA8E66606] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 243C 80501140 4 Bytes JMP A6A8E6AB .text ntkrnlpa.exe!ZwCallbackReturn + 2508 8050120C 8 Bytes JMP E72634A8 .text ntkrnlpa.exe!ZwCallbackReturn + 2678 8050137C 12 Bytes [FE, 5B, E6, A8, 64, 5C, E6, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 2720 80501424 12 Bytes [62, 75, E6, A8, C4, 76, E6, ...] {BOUND ESI, [EBP-0x1a]; TEST AL, 0xc4; JBE 0xffffffed; TEST AL, 0x12; POP EDX; OUT 0xa8, AL} PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 8059A312 4 Bytes CALL A8E685AD \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[232] kernel32.dll!SetUnhandledExceptionFilter 7C810386 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1632] kernel32.dll!SetUnhandledExceptionFilter 7C810386 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[776] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002 IAT C:\WINDOWS\system32\services.exe[776] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys AttachedDevice \FileSystem\Fastfat \Fat fltMgr.sys ---- EOF - GMER 2.1 ----