GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-04 18:00:06
Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-e ST980811AS rev.3.CDD 74,53GB
Running: gmer.exe; Driver: C:\DOCUME~1\MARCIN~1.ANO\USTAWI~1\Temp\pgtdrpog.sys

---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwAddBootEntry [0xA83DCAC4]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwAllocateVirtualMemory [0xA87AA0BA]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwAssignProcessToJobObject [0xA83DD5A2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwClose [0xA84235A0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateEvent [0xA83E963C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateEventPair [0xA83E9688]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateIoCompletion [0xA83E9822]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateKey [0xA8422F54]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateMutant [0xA83E95AA]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateSection [0xA83E96CC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateSemaphore [0xA83E95F2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateThread [0xA83DDAD8]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwCreateTimer [0xA83E97DC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDebugActiveProcess [0xA83DE390]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteBootEntry [0xA83DCB2A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteKey [0xA8423C66]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDeleteValueKey [0xA8423F1C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwDuplicateObject [0xA83E1B86]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwEnumerateKey [0xA8423AD1]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwEnumerateValueKey [0xA842393C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwLoadDriver [0xA83DC716]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwMapViewOfSection [0xA87AA574]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwModifyBootEntry [0xA83DCB90]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwNotifyChangeKey [0xA83E1F7C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwNotifyChangeMultipleKeys [0xA83DEE78]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenEvent [0xA83E9666]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenEventPair [0xA83E96AA]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenIoCompletion [0xA83E9846]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenKey [0xA84232B0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenMutant [0xA83E95D0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenProcess [0xA83E147E]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenSection [0xA83E975A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenSemaphore [0xA83E961A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenThread [0xA83E186A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwOpenTimer [0xA83E9800]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwProtectVirtualMemory [0xA87AA312]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryKey [0xA84237B7]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryObject [0xA83DECEC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueryValueKey [0xA8423609]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwQueueApcThread [0xA83DE842]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwRenameKey [0xA87B8358]
SSDT  \SystemRoot\system32\drivers\aswSP.sys   ZwReplaceKey [0xA87B8CC4]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwRestoreKey [0xA8422597]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetBootEntryOrder [0xA83DCBF6]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetBootOptions [0xA83DCC5C]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetContextThread [0xA83DE20A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetSystemInformation [0xA83DC7B0]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetSystemPowerState [0xA83DC982]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSetValueKey [0xA8423D6D]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwShutdownSystem [0xA83DC910]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSuspendProcess [0xA83DE55A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSuspendThread [0xA83DE6BC]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwSystemDebugControl [0xA83DCA0A]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwTerminateProcess [0xA83DE048]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwTerminateThread [0xA83DE1EA]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwVdmControl [0xA83DCCC2]
SSDT  \SystemRoot\system32\drivers\aswSnx.sys  ZwWriteVirtualMemory [0xA83DD5FE]

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwCallbackReturn + 2F58  80504840 4 Bytes  CALL D030F082
.text  ntkrnlpa.exe!ZwCallbackReturn + 2FD4  805048BC 12 Bytes  [F6, CB, 3D, A8, 5C, CC, 3D, ...]
.text  ntkrnlpa.exe!ZwCallbackReturn + 307C  80504964 12 Bytes  [5A, E5, 3D, A8, BC, E6, 3D, ...] {POP EDX; IN EAX, 0x3d; TEST AL, 0xbc; OUT 0x3d, AL; TEST AL, 0xa; RETF 0xa83d}
PAGE  ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC  805A64DC 4 Bytes  CALL A83DF549 \SystemRoot\system32\drivers\aswSnx.sys

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\SearchIndexer.exe[1048] kernel32.dll!WriteFile  7C8112FF 7 Bytes  JMP 00585C0C C:\WINDOWS\system32\MSSRCH.DLL
.text  C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1704] kernel32.dll!SetUnhandledExceptionFilter  7C844EE5 8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[3800] kernel32.dll!SetUnhandledExceptionFilter  7C844EE5 8 Bytes  [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\WINDOWS\system32\services.exe[908] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW]  003D0002
IAT  C:\WINDOWS\system32\services.exe[908] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW]  003D0000

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\Tcpip \Device\Ip  {5fa86e60-a54d-4e77-b1f1-f7bc1e215749}t.sys
Device  {82adbb5d-7d8c-4f2d-9936-53071e499858}t.sys
Device  tcpip.sys
AttachedDevice  \Driver\Tcpip \Device\RawIp  {5fa86e60-a54d-4e77-b1f1-f7bc1e215749}t.sys

---- Files - GMER 2.1 ----

File  C:\Program Files\Faster Light\bin\tmpF7.tmp (size mismatch) 400624/0 bytes executable

---- EOF - GMER 2.1 ----