GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-05 17:56:57 Windows 5.1.2600 Dodatek Service Pack 3 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-3 ST3320613AS rev.SD11 298,09GB Running: v3e8gvvq.exe; Driver: C:\DOCUME~1\Kamil\USTAWI~1\Temp\pxtdapow.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xAC8ACACC] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xACBC82F0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xAC8AD5AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xAC8F3600] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xAC8B967A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xAC8B96C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xAC8B9860] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xAC8F2FB4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xAC8B95E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xAC8B970A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xAC8B9630] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xAC8ADAE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xAC8B981A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xAC8AE398] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xAC8ACB32] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xAC8F3CC6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xAC8F3F7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xAC8B1BEA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xAC8F3B31] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xAC8F399C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xACBC83C8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xAC8AC71E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xACBC87AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xAC8ACB98] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xAC8B1FE0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xAC8AEEDC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xAC8B96A4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xAC8B96E8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xAC8B9884] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xAC8F3310] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xAC8B960E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xAC8B14E2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xAC8B9798] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xAC8B9658] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xAC8B18CE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xAC8B983E] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xACBC8548] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xAC8F3817] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xAC8AECF4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xAC8F3669] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xAC8AE84A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xACBD5CF8] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xACBD6664] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xAC8F25F7] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xAC8ACBFE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xAC8ACC64] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xAC8AE212] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xAC8AC7B8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xAC8AC98A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xAC8F3DCD] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xAC8AC918] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xAC8AE562] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xAC8AE6C4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xAC8ACA12] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xAC8AE050] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xAC8AE1F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xACBC5792] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xAC8ACCCA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xAC8AD606] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwCallbackReturn + 2D34 8050461C 4 Bytes [E8, 95, 8B, AC] .text ntkrnlpa.exe!ZwCallbackReturn + 2D98 80504680 4 Bytes JMP 96AC8B1B .text ntkrnlpa.exe!ZwCallbackReturn + 2F58 80504840 4 Bytes CALL D030F4CF .text ntkrnlpa.exe!ZwCallbackReturn + 2FD4 805048BC 12 Bytes [FE, CB, 8A, AC, 64, CC, 8A, ...] {DEC BL; MOV CH, [ESP+0x12ac8acc]; LOOP 0xffffff95; LODSB } .text ntkrnlpa.exe!ZwCallbackReturn + 307C 80504964 12 Bytes [62, E5, 8A, AC, C4, E6, 8A, ...] PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 5EC 805A64DC 4 Bytes CALL AC8AF5AD \SystemRoot\system32\drivers\aswSnx.sys .text C:\WINDOWS\system32\DRIVERS\ati2mtag.sys section is writeable [0xB95B2000, 0x1E2E7A, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[1260] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1364] kernel32.dll!SetUnhandledExceptionFilter 7C844EE5 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\CCleaner\CCleaner.exe[1696] USER32.dll!SetScrollInfo 7E369056 5 Bytes JMP 004F22B4 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1696] USER32.dll!GetScrollInfo 7E37DFE2 5 Bytes JMP 004F2210 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1696] USER32.dll!ShowScrollBar 7E37F2F2 5 Bytes JMP 004F2243 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1696] USER32.dll!GetScrollPos 7E37F704 5 Bytes JMP 004F21EB C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1696] USER32.dll!SetScrollPos 7E37F750 5 Bytes JMP 004F218E C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1696] USER32.dll!GetScrollRange 7E37F787 5 Bytes JMP 004F21B3 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1696] USER32.dll!SetScrollRange 7E37F99B 5 Bytes JMP 004F227D C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1696] USER32.dll!EnableScrollBar 7E3B8005 5 Bytes JMP 004F22E8 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] ntdll.dll!NtCreateFile 7C90D0AE 5 Bytes JMP 012C0BCB C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] ntdll.dll!NtFlushBuffersFile 7C90D32E 5 Bytes JMP 012C0916 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] ntdll.dll!NtQueryFullAttributesFile 7C90D7AE 5 Bytes JMP 012C0A43 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] ntdll.dll!NtReadFile 7C90D9CE 5 Bytes JMP 012C0950 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] ntdll.dll!NtReadFileScatter 7C90D9DE 5 Bytes JMP 015D9BCE C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] ntdll.dll!NtWriteFile 7C90DF7E 5 Bytes JMP 012C0D6F C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] ntdll.dll!NtWriteFileGather 7C90DF8E 5 Bytes JMP 015D9C1E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] ntdll.dll!LdrLoadDll 7C91632D 5 Bytes JMP 0087921C C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] ntdll.dll!LdrUnloadDll 7C9171CD 5 Bytes JMP 003003FC .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] KERNEL32.dll!lstrlenW + 43 7C809AEC 7 Bytes JMP 015C6DFA C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B9A0 7 Bytes JMP 015C5622 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] KERNEL32.dll!ValidateLocale + B648 7C844EE0 7 Bytes JMP 01366358 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] user32.dll!GetWindowInfo 7E37C49C 5 Bytes JMP 01FD8E4A C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[4076] GDI32.dll!SetDIBitsToDevice + 20A 77F19E14 7 Bytes JMP 015C3E16 C:\Program Files\Mozilla Firefox\xul.dll ---- User IAT/EAT - GMER 2.1 ---- IAT C:\WINDOWS\system32\winlogon.exe[724] @ C:\WINDOWS\system32\winlogon.exe [ntdll.dll!NtLockProductActivationKeys] [0500073E] C:\WINDOWS\system32\antiwpa.dll IAT C:\WINDOWS\system32\winlogon.exe[724] @ C:\WINDOWS\system32\winlogon.exe [USER32.dll!GetSystemMetrics] [05000756] C:\WINDOWS\system32\antiwpa.dll IAT C:\WINDOWS\system32\services.exe[768] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003D0002 IAT C:\WINDOWS\system32\services.exe[768] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003D0000 ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\Tcpip \Device\Ip aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Tcp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\Udp aswTdi.sys AttachedDevice \Driver\Tcpip \Device\RawIp aswTdi.sys Device \Driver\usb_rndisx \Device\{7F7D40F9-44B6-4AAA-9531-5391356C54CD} RNDISMPX.SYS AttachedDevice \FileSystem\Fastfat \Fat fltmgr.sys ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 malicious Win32:MBRoot code @ sector 61 ! Disk \Device\Harddisk0\DR0 PE file @ sector 625121280 ! ---- EOF - GMER 2.1 ----