GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-06-05 13:27:31 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T0L0-7 WDC_WD1600AAJS-75M0A0 rev.01.03E01 149,01GB Running: dyxsmp9m.exe; Driver: C:\DOCUME~1\Magda\USTAWI~1\Temp\uwlcqpog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xA816DAC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xA84880BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xA816E5A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xA81B45A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xA817A63C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xA817A688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xA817A822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xA81B3F54] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xA817A5AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xA817A6CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xA817A5F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xA816EAD8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xA817A7DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xA816F390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xA816DB2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xA81B4C66] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xA81B4F1C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xA8172B86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xA81B4AD1] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xA81B493C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xA816D716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xA8488574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xA816DB90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xA8172F7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xA816FE78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xA817A666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xA817A6AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xA817A846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xA81B42B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xA817A5D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xA817247E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xA817A75A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xA817A61A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xA817286A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xA817A800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xA8488312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xA81B47B7] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xA816FCEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xA81B4609] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xA816F842] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xA8496358] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xA8496CC4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xA81B3597] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xA816DBF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xA816DC5C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xA816F20A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xA816D7B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xA816D982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xA81B4D6D] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xA816D910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xA816F55A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xA816F6BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xA816DA0A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xA816F048] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xA816F1EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xA816DCC2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xA816E5FE] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D5C 80504644 8 Bytes JMP A7DCA816 .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [F6, DB, 16, A8, 5C, DC, 16, ...] .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [5A, F5, 16, A8, BC, F6, 16, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL A8170549 \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1060] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1412] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 012C0BCB C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 012C0916 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 012C0A43 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 012C0950 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 015D9BCE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 012C0D6F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 015D9C1E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0087921C C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003003FC .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] KERNEL32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 015C6DFA C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 015C5622 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] KERNEL32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 01366358 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] user32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 01FD8E4A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[3620] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 015C3E16 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3876] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 003D921C C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3876] USER32.dll!DefWindowProcA + 11A 7E37C298 7 Bytes JMP 01DE1014 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3876] USER32.dll!SetWindowLongA + 19 7E37C2B6 7 Bytes JMP 01DE10E9 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3876] USER32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 01DE33D1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\plugin-container.exe[3876] USER32.dll!GetMenuContextHelpId + 1A 7E3B5319 7 Bytes JMP 01DE19C4 C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[720] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip tbfd_1_10_0_16.sys AttachedDevice \Driver\Tcpip \Device\Tcp tbfd_1_10_0_16.sys AttachedDevice \Driver\Tcpip \Device\Udp tbfd_1_10_0_16.sys AttachedDevice \Driver\Tcpip \Device\RawIp tbfd_1_10_0_16.sys ---- EOF - GMER 2.1 ----