GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-03-09 16:47:20 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB Running: gmer.exe; Driver: C:\Users\Daryjka\AppData\Local\Temp\kfliqpob.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x8F0AA48C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x8F03A860] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x8F0AAF6A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x8F0B7568] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x8F0B75B4] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x8F0B774E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x8F0B74D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSection [0x8F0B75F8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x8F0B751E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThread [0x8F0AB4A0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateThreadEx [0x8F0AB6BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x8F0B7708] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x8F0ABD58] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x8F0AA4F2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x8F0AEEF4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwFreeVirtualMemory [0x8F03A938] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x8F0AA0DE] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8F03AD1A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x8F0AA558] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x8F0AF2EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x8F0AC8C6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x8F0B7592] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x8F0B75D6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x8F0B7772] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x8F0B74FC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x8F0AE7CC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x8F0B7686] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x8F0B7546] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x8F0AEBC2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x8F0B772C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8F03AAB8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x8F0AC6DE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x8F0AC3C2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x8F0AA5BE] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x8F0AA624] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetContextThread [0x8F0ABBD2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x8F0AA178] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x8F0AA34A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x8F0AA2D8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x8F0ABF22] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x8F0AC084] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x8F0AA3D2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateProcess [0x8F0ABA10] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x8F0ABBB2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwUnloadDriver [0x8F037AF8] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x8F0AA68A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwWriteVirtualMemory [0x8F0AAFC6] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 83091A15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830CB212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 830D2460 4 Bytes [8C, A4, 0A, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 830D2488 4 Bytes [60, A8, 03, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 830D24E8 4 Bytes [6A, AF, 0A, 8F] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 830D253C 8 Bytes [68, 75, 0B, 8F, B4, 75, 0B, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 830D2548 4 Bytes [4E, 77, 0B, 8F] .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 8328D4EF 4 Bytes CALL 8F0ACF31 \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 832A7357 4 Bytes CALL 8F0ACF47 \SystemRoot\system32\drivers\aswSnx.sys .text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x98222000, 0x188C06, 0xE8000020] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Google\Chrome\Application\chrome.exe[1068] ntdll.dll!NtMapViewOfSection + 6 770B5C6E 4 Bytes [18, F0, A0, 62] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1068] ntdll.dll!NtMapViewOfSection + B 770B5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1068] ntdll.dll!LdrUnloadDll 770CC8DE 5 Bytes JMP 4FBE03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[1068] ntdll.dll!LdrLoadDll 770D22AE 5 Bytes JMP 4FBE01F8 .text C:\Program Files\CCleaner\CCleaner.exe[1088] USER32.dll!SetScrollRange 771C8EC5 5 Bytes JMP 01347D76 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1088] USER32.dll!GetScrollInfo 771D2DA3 5 Bytes JMP 01347CFD C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1088] USER32.dll!SetScrollInfo 771D48DA 5 Bytes JMP 01347DB3 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1088] USER32.dll!GetScrollRange 771F045A 5 Bytes JMP 01347C94 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1088] USER32.dll!SetScrollPos 771F04BE 5 Bytes JMP 01347C69 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1088] USER32.dll!GetScrollPos 771F0E43 5 Bytes JMP 01347CD2 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1088] USER32.dll!EnableScrollBar 771F19CE 5 Bytes JMP 01347DED C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[1088] USER32.dll!ShowScrollBar 771F3C89 5 Bytes JMP 01347D36 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtCreateFile + 6 770B560E 4 Bytes [28, 70, 4E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtCreateFile + B 770B5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtMapViewOfSection + 6 770B5C6E 4 Bytes [28, 73, 4E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtMapViewOfSection + B 770B5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtOpenFile + 6 770B5D1E 4 Bytes [68, 70, 4E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtOpenFile + B 770B5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtOpenProcess + 6 770B5DCE 4 Bytes [A8, 71, 4E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtOpenProcess + B 770B5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtOpenProcessToken + B 770B5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtOpenProcessTokenEx + 6 770B5DEE 4 Bytes [A8, 72, 4E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtOpenProcessTokenEx + B 770B5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtOpenThread + 6 770B5E4E 4 Bytes [68, 71, 4E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtOpenThread + B 770B5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtOpenThreadToken + 6 770B5E5E 4 Bytes [68, 72, 4E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtOpenThreadToken + B 770B5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtOpenThreadTokenEx + B 770B5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtQueryAttributesFile + 6 770B5F7E 4 Bytes [A8, 70, 4E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtQueryAttributesFile + B 770B5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtQueryFullAttributesFile + B 770B6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtSetInformationFile + 6 770B667E 4 Bytes [28, 71, 4E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtSetInformationFile + B 770B6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtSetInformationThread + 6 770B66DE 4 Bytes [28, 72, 4E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtSetInformationThread + B 770B66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtUnmapViewOfSection + 6 770B69FE 4 Bytes [68, 73, 4E, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!NtUnmapViewOfSection + B 770B6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!LdrUnloadDll 770CC8DE 5 Bytes JMP 526303FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[1324] ntdll.dll!LdrLoadDll 770D22AE 5 Bytes JMP 526301F8 .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1988] kernel32.dll!SetUnhandledExceptionFilter 7657F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\avastui.exe[2468] kernel32.dll!SetUnhandledExceptionFilter 7657F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtCreateFile + 6 770B560E 4 Bytes [28, D4, 0C, 00] {SUB AH, DL; OR AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtCreateFile + B 770B5613 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtMapViewOfSection + 6 770B5C6E 4 Bytes [28, D7, 0C, 00] {SUB BH, DL; OR AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtMapViewOfSection + B 770B5C73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtOpenFile + 6 770B5D1E 4 Bytes [68, D4, 0C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtOpenFile + B 770B5D23 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtOpenProcess + 6 770B5DCE 4 Bytes [A8, D5, 0C, 00] {TEST AL, 0xd5; OR AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtOpenProcess + B 770B5DD3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtOpenProcessToken + B 770B5DE3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtOpenProcessTokenEx + 6 770B5DEE 4 Bytes [A8, D6, 0C, 00] {TEST AL, 0xd6; OR AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtOpenProcessTokenEx + B 770B5DF3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtOpenThread + 6 770B5E4E 4 Bytes [68, D5, 0C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtOpenThread + B 770B5E53 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtOpenThreadToken + 6 770B5E5E 4 Bytes [68, D6, 0C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtOpenThreadToken + B 770B5E63 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtOpenThreadTokenEx + B 770B5E73 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtQueryAttributesFile + 6 770B5F7E 4 Bytes [A8, D4, 0C, 00] {TEST AL, 0xd4; OR AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtQueryAttributesFile + B 770B5F83 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtQueryFullAttributesFile + B 770B6033 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtSetInformationFile + 6 770B667E 4 Bytes [28, D5, 0C, 00] {SUB CH, DL; OR AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtSetInformationFile + B 770B6683 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtSetInformationThread + 6 770B66DE 4 Bytes [28, D6, 0C, 00] {SUB DH, DL; OR AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtSetInformationThread + B 770B66E3 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtUnmapViewOfSection + 6 770B69FE 4 Bytes [68, D7, 0C, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!NtUnmapViewOfSection + B 770B6A03 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!LdrUnloadDll 770CC8DE 5 Bytes JMP 610E03FC .text C:\Program Files\Google\Chrome\Application\chrome.exe[3008] ntdll.dll!LdrLoadDll 770D22AE 5 Bytes JMP 610E01F8 ---- Devices - GMER 2.1 ---- Device \Driver\BTHUSB \Device\00000089 bthport.sys Device \Driver\BTHUSB \Device\0000008b bthport.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\d05349e64cea Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\d05349e64cea (not active ControlSet) ---- EOF - GMER 2.1 ----