GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-01-10 04:29:33 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS722016K9A300 rev.DCDOC54P 149,05GB Running: 2vs9kk15.exe; Driver: C:\Users\Weronika\AppData\Local\Temp\kfdyrkod.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x888B2AC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x8896E0BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x888B35A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x888BF63C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x888BF688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x888BF822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x888BF5AA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x8896E494] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x888BF5F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x8896E724] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x8896E80E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x888BF7DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x888B4390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x888B2B2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x888B7B86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x888B2716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x8896E574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x888B2B90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x888B7F7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x888B4E78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x888BF666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x888BF6AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x888BF846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x888BF5D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x888B747E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x888BF75A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x888BF61A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x888B786A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x888BF800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x8896E312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x888B4CEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x888B49FA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x888B2BF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x888B2C5C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x8896E670] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x888B27B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x888B2982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x888B2910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x888B455A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x888B46BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x888B2A0A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x8896E3E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x888B41EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x888B2CC2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x8896E244] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 82C8DA15 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CC7212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 82CCE460 4 Bytes [C4, 2A, 8B, 88] .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82CCE488 4 Bytes [BA, E0, 96, 88] .text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82CCE4E8 4 Bytes [A2, 35, 8B, 88] .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 82CCE53C 8 Bytes [3C, F6, 8B, 88, 88, F6, 8B, ...] {CMP AL, 0xf6; MOV ECX, [EAX-0x77740978]} .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 82CCE548 4 Bytes JMP 8BF82282 .text ... ---- User code sections - GMER 2.1 ---- .text C:\Program Files\AVAST Software\Avast\AvastSvc.exe[1408] kernel32.dll!SetUnhandledExceptionFilter 7552F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\AVAST Software\Avast\afwServ.exe[1812] kernel32.dll!SetUnhandledExceptionFilter 7552F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] ntdll.dll!NtCreateFile 77065608 5 Bytes JMP 59399870 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] ntdll.dll!NtFlushBuffersFile 77065998 5 Bytes JMP 5908D335 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] ntdll.dll!NtQueryFullAttributesFile 77066028 5 Bytes JMP 5908D5B0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] ntdll.dll!NtReadFile 770662F8 5 Bytes JMP 5908D390 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] ntdll.dll!NtReadFileScatter 77066308 5 Bytes JMP 59CF8330 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] ntdll.dll!NtWriteFile 77066AA8 5 Bytes JMP 5939A7F0 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] ntdll.dll!NtWriteFileGather 77066AB8 5 Bytes JMP 59CF82DF C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] ntdll.dll!LdrUnloadDll 7707C8DE 5 Bytes JMP 000703FC .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] ntdll.dll!LdrLoadDll 770822AE 5 Bytes JMP 5EAB1F42 C:\Program Files\Mozilla Firefox\mozglue.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 755294E6 7 Bytes JMP 59C39960 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] KERNEL32.dll!QueryPerformanceCounter + 13 7552C4E5 7 Bytes JMP 59C39983 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] KERNEL32.dll!LoadAppInitDlls + 355 7552F5A6 7 Bytes JMP 59396164 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] user32.dll!GetWindowInfo 76F66A82 5 Bytes JMP 59B3B65E C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\Mozilla Firefox\firefox.exe[2968] GDI32.dll!GetViewportOrgEx + 26C 7716884B 7 Bytes JMP 59C398E1 C:\Program Files\Mozilla Firefox\xul.dll .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3384] kernel32.dll!SetUnhandledExceptionFilter 7552F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3648] USER32.dll!CharToOemA + 3A 76F5B1DE 7 Bytes JMP 1003B000 C:\Program Files\Sony\Sony PC Companion\NewUI.dll .text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3648] USER32.dll!PostMessageW + 2CE 76F664F3 7 Bytes JMP 1003AC50 C:\Program Files\Sony\Sony PC Companion\NewUI.dll .text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3648] USER32.dll!SetDlgItemTextA + 25 76F78FF6 7 Bytes JMP 1003ABC0 C:\Program Files\Sony\Sony PC Companion\NewUI.dll .text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3648] USER32.dll!MessageBoxIndirectA + F5 76FAE9BE 7 Bytes JMP 1003AF50 C:\Program Files\Sony\Sony PC Companion\NewUI.dll .text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3648] USER32.dll!MessageBoxIndirectW + 61 76FAEA24 7 Bytes JMP 1003ADF0 C:\Program Files\Sony\Sony PC Companion\NewUI.dll .text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3648] USER32.dll!MessageBoxExA + 1F 76FAEA48 7 Bytes JMP 1003AF00 C:\Program Files\Sony\Sony PC Companion\NewUI.dll ---- Devices - GMER 2.1 ---- AttachedDevice \Driver\kbdclass \Device\KeyboardClass0 Wdf01000.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{DB32E5AA-513D-48BA-85E5-7E445085F8CA}\Connection@Name isatap.{244C914E-9CF4-4DDF-813E-C069AEBC3AA3} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Bind \Device\{EB2267BE-78FB-4BC2-8427-B1A8C534CDF1}?\Device\{DB32E5AA-513D-48BA-85E5-7E445085F8CA}?\Device\{B6B3E507-BB5A-47CC-8337-78CB4C7302AE}?\Device\{E6825380-DB47-483B-80AB-77B61CF50F88}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Route "{EB2267BE-78FB-4BC2-8427-B1A8C534CDF1}"?"{DB32E5AA-513D-48BA-85E5-7E445085F8CA}"?"{B6B3E507-BB5A-47CC-8337-78CB4C7302AE}"?"{E6825380-DB47-483B-80AB-77B61CF50F88}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{6B683E0E-1505-488C-8053-3C1301924246}\Linkage@Export \Device\TCPIP6TUNNEL_{EB2267BE-78FB-4BC2-8427-B1A8C534CDF1}?\Device\TCPIP6TUNNEL_{DB32E5AA-513D-48BA-85E5-7E445085F8CA}?\Device\TCPIP6TUNNEL_{B6B3E507-BB5A-47CC-8337-78CB4C7302AE}?\Device\TCPIP6TUNNEL_{E6825380-DB47-483B-80AB-77B61CF50F88}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9f420b0 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9f420b0@ac932f7de895 0x23 0xE4 0xEA 0x3F ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001dd9f420b0@44d4e0a7cb17 0x9E 0xE1 0x33 0x64 ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{DB32E5AA-513D-48BA-85E5-7E445085F8CA}@InterfaceName isatap.{244C914E-9CF4-4DDF-813E-C069AEBC3AA3} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{DB32E5AA-513D-48BA-85E5-7E445085F8CA}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9f420b0 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9f420b0@ac932f7de895 0x23 0xE4 0xEA 0x3F ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001dd9f420b0@44d4e0a7cb17 0x9E 0xE1 0x33 0x64 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@70809F06 664 ---- EOF - GMER 2.1 ----