GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-06 18:56:40
Windows 5.1.2600 Dodatek Service Pack 2
\Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 FUJITSU_ rev.0000 55,89GB
Running: b00z7yrq.exe; Driver: C:\DOCUME~1\UZYTKO~1\USTAWI~1\Temp\uxtdypoc.sys

---- System - GMER 2.1 ----

SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0xA96193D4]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0xA99BE9F2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0xA9619EB2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwClose [0xA96603FC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0xA962628A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0xA96262D6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0xA9626470]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateKey [0xA965FDB0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0xA96261F8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0xA962631A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0xA9626240]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0xA961A3E8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0xA962642A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0xA961ACA0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0xA961943A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteKey [0xA9660AC2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteValueKey [0xA9660D78]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0xA961DE32]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateKey [0xA966092D]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwEnumerateValueKey [0xA9660798]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0xA99BEACA]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0xA9619026]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0xA99BEEAC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0xA96194A0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0xA961E228]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0xA961B7E4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0xA96262B4]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0xA96262F8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0xA9626494]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenKey [0xA966010C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0xA962621E]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0xA961D72A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0xA96263A8]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0xA9626268]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0xA961DB16]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0xA962644E]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0xA99BEC4A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryKey [0xA9660613]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0xA961B5FC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryValueKey [0xA9660465]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThread [0xA961B152]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwRenameKey [0xA99CD01A]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwReplaceKey [0xA99CD9E6]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwRestoreKey [0xA965F3F3]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0xA9619506]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0xA961956C]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0xA961AB1A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0xA96190C0]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0xA9619292]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetValueKey [0xA9660BC9]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0xA9619220]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0xA961AE6A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0xA961AFCC]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0xA961931A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0xA961A958]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0xA961AAFA]
SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0xA99BBC8A]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0xA96195D2]
SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0xA9619F0E]

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!_abnormal_termination + 93 804E2D64 4 Bytes [F2, E9, 9B, A9]
.text ntoskrnl.exe!_abnormal_termination + 123 804E2DF4 8 Bytes CALL AAF78F9C
.text ntoskrnl.exe!_abnormal_termination + 19B 804E2E6C 4 Bytes JMP DA0DA99B
.text ntoskrnl.exe!_abnormal_termination + 1D4 804E2EA5 3 Bytes [90, 61, A9]
.text ntoskrnl.exe!_abnormal_termination + 39B 804E306C 12 Bytes [06, 95, 61, A9, 6C, 95, 61, ...]
.text ...
PAGE ntoskrnl.exe!ZwReplyWaitReceivePortEx + 3CC 8056A5DC 4 Bytes CALL A961BE5D \SystemRoot\system32\drivers\aswSnx.sys
init C:\WINDOWS\system32\drivers\tifm21.sys entry point in "init" section [0xF64208BF]

---- User code sections - GMER 2.1 ----

.text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[760] kernel32.dll!SetUnhandledExceptionFilter 7C810386 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] ntdll.dll!NtCreateFile 7C90D682 5 Bytes JMP 014EB983 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] ntdll.dll!NtFlushBuffersFile 7C90D9CA 5 Bytes JMP 014EB6C3 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] ntdll.dll!NtQueryFullAttributesFile 7C90DFB2 5 Bytes JMP 014EB7F8 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] ntdll.dll!NtReadFile 7C90E27C 5 Bytes JMP 014EB6FD C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] ntdll.dll!NtReadFileScatter 7C90E291 5 Bytes JMP 01872E91 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] ntdll.dll!NtWriteFile 7C90E9F3 5 Bytes JMP 014EBB27 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] ntdll.dll!NtWriteFileGather 7C90EA08 5 Bytes JMP 01872EE1 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] ntdll.dll!RtlAllocateHeap + 270 7C910844 7 Bytes JMP 004149FE C:\Program Files\Mozilla Firefox\firefox.exe
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] ntdll.dll!LdrLoadDll 7C9161CA 5 Bytes JMP 0031A8A8 C:\Program Files\Mozilla Firefox\mozglue.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] ntdll.dll!LdrUnloadDll 7C91718B 5 Bytes JMP 003003FC
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] KERNEL32.dll!lstrlenW + 43 7C809A7C 7 Bytes JMP 0185BFAC C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] KERNEL32.dll!MapViewOfFileEx + 6A 7C80B788 7 Bytes JMP 0185B5A5 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] KERNEL32.dll!lstrcpyn + 70 7C810381 7 Bytes JMP 015BAFF1 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] USER32.dll!GetWindowInfo 77D3F122 5 Bytes JMP 0233AE81 C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\Mozilla Firefox\firefox.exe[2496] GDI32.dll!SetWindowOrgEx + 15E 77F1960B 7 Bytes JMP 0185AF5D C:\Program Files\Mozilla Firefox\xul.dll
.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3672] kernel32.dll!SetUnhandledExceptionFilter 7C810386 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP }

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\system32\services.exe[1284] @ C:\WINDOWS\system32\services.exe [ADVAPI32.dll!CreateProcessAsUserW] 003C0002
IAT C:\WINDOWS\system32\services.exe[1284] @ C:\WINDOWS\system32\services.exe [KERNEL32.dll!CreateProcessW] 003C0000

---- Devices - GMER 2.1 ----

Device \Driver\Tcpip \Device\Ip aswStmXP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass0 SynTP.sys
AttachedDevice \Driver\Kbdclass \Device\KeyboardClass1 SynTP.sys
Device \Driver\Tcpip \Device\Tcp aswStmXP.sys
AttachedDevice \Driver\Tcpip \Device\Tcp aswRdr.sys
Device \Driver\Tcpip \Device\Udp aswStmXP.sys
Device \Driver\Tcpip \Device\RawIp aswStmXP.sys
Device \Driver\Tcpip \Device\IPMULTICAST aswStmXP.sys

---- Files - GMER 2.1 ----

File C:\Documents and Settings\uzytkownik\Ustawienia lokalne\Dane aplikacji\Mozilla\Firefox\Profiles\nb9wt5h5.default\cache2\entries\86E671C3E58995E991D8CCD6BAA1F8FD53E7AB93 900 bytes

---- EOF - GMER 2.1 ----