GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-20 12:05:08 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000LPVT-22G33T0 rev.01.01A01 465,76GB Running: vh46gqit.exe; Driver: C:\Users\Kuba\AppData\Local\Temp\aftcaaog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAddBootEntry [0x9502AAC4] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwAllocateVirtualMemory [0x950E60BA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwAssignProcessToJobObject [0x9502B5A2] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEvent [0x9503763C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateEventPair [0x95037688] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateIoCompletion [0x95037822] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateMutant [0x950375AA] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateSection [0x950E6494] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateSemaphore [0x950375F2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThread [0x950E6724] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwCreateThreadEx [0x950E680E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwCreateTimer [0x950377DC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDebugActiveProcess [0x9502C390] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDeleteBootEntry [0x9502AB2A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwDuplicateObject [0x9502FB86] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwLoadDriver [0x9502A716] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwMapViewOfSection [0x950E6574] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwModifyBootEntry [0x9502AB90] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeKey [0x9502FF7C] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwNotifyChangeMultipleKeys [0x9502CE78] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEvent [0x95037666] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenEventPair [0x950376AA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenIoCompletion [0x95037846] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenMutant [0x950375D0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenProcess [0x9502F47E] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSection [0x9503775A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenSemaphore [0x9503761A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenThread [0x9502F86A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwOpenTimer [0x95037800] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwProtectVirtualMemory [0x950E6312] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueryObject [0x9502CCEC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwQueueApcThreadEx [0x9502C9FA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootEntryOrder [0x9502ABF6] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetBootOptions [0x9502AC5C] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwSetContextThread [0x950E6670] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemInformation [0x9502A7B0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSetSystemPowerState [0x9502A982] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwShutdownSystem [0x9502A910] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendProcess [0x9502C55A] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSuspendThread [0x9502C6BC] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwSystemDebugControl [0x9502AA0A] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwTerminateProcess [0x950E63E0] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwTerminateThread [0x9502C1EA] SSDT \SystemRoot\system32\drivers\aswSnx.sys ZwVdmControl [0x9502ACC2] SSDT \SystemRoot\system32\drivers\aswSP.sys ZwWriteVirtualMemory [0x950E6244] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestWaitReplyPort + 1499 836889F5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 836C2992 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 10CB 836C9BB0 4 Bytes [C4, AA, 02, 95] .text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 836C9BD8 4 Bytes [BA, 60, 0E, 95] .text ntkrnlpa.exe!KeRemoveQueueEx + 1154 836C9C39 3 Bytes [B5, 02, 95] {MOV CH, 0x2; XCHG EBP, EAX} .text ntkrnlpa.exe!KeRemoveQueueEx + 11A7 836C9C8C 8 Bytes [3C, 76, 03, 95, 88, 76, 03, ...] {CMP AL, 0x76; ADD EDX, [EBP-0x6afc8978]} .text ntkrnlpa.exe!KeRemoveQueueEx + 11B3 836C9C98 4 Bytes [22, 78, 03, 95] {AND BH, [EAX+0x3]; XCHG EBP, EAX} .text ... PAGE ntkrnlpa.exe!ZwReplyWaitReceivePortEx + 108 838856AF 4 Bytes CALL 9502D55F \SystemRoot\system32\drivers\aswSnx.sys PAGE ntkrnlpa.exe!ZwAlpcSendWaitReceivePort + 122 8389F53B 4 Bytes CALL 9502D575 \SystemRoot\system32\drivers\aswSnx.sys ---- User code sections - GMER 2.1 ---- .text D:\Program Files\AVAST Software\Avast\avastui.exe[108] kernel32.dll!SetUnhandledExceptionFilter 76E4F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text d:\Program Files\AVAST Software\Avast\AvastSvc.exe[1640] kernel32.dll!SetUnhandledExceptionFilter 76E4F5AB 8 Bytes [31, C0, C2, 04, 00, 90, 90, ...] {XOR EAX, EAX; RET 0x4; NOP ; NOP ; NOP } .text D:\Program Files\CCleaner\CCleaner.exe[2540] USER32.dll!SetScrollRange 75F3AE3C 5 Bytes JMP 00997DE4 D:\Program Files\CCleaner\CCleaner.exe .text D:\Program Files\CCleaner\CCleaner.exe[2540] USER32.dll!GetScrollInfo 75F45151 5 Bytes JMP 00997D77 D:\Program Files\CCleaner\CCleaner.exe .text D:\Program Files\CCleaner\CCleaner.exe[2540] USER32.dll!SetScrollInfo 75F46632 5 Bytes JMP 00997E1B D:\Program Files\CCleaner\CCleaner.exe .text D:\Program Files\CCleaner\CCleaner.exe[2540] USER32.dll!GetScrollRange 75F61B6C 5 Bytes JMP 00997D1A D:\Program Files\CCleaner\CCleaner.exe .text D:\Program Files\CCleaner\CCleaner.exe[2540] USER32.dll!SetScrollPos 75F61BD0 5 Bytes JMP 00997CF5 D:\Program Files\CCleaner\CCleaner.exe .text D:\Program Files\CCleaner\CCleaner.exe[2540] USER32.dll!GetScrollPos 75F6252B 5 Bytes JMP 00997D52 D:\Program Files\CCleaner\CCleaner.exe .text D:\Program Files\CCleaner\CCleaner.exe[2540] USER32.dll!EnableScrollBar 75F6386D 5 Bytes JMP 00997E4F D:\Program Files\CCleaner\CCleaner.exe .text D:\Program Files\CCleaner\CCleaner.exe[2540] USER32.dll!ShowScrollBar 75F65785 5 Bytes JMP 00997DAA D:\Program Files\CCleaner\CCleaner.exe .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] ntdll.dll!NtCreateFile 778955B8 5 Bytes JMP 597AF912 D:\Program Files\Mozilla Firefox\xul.dll .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] ntdll.dll!NtFlushBuffersFile 77895948 5 Bytes JMP 597AF652 D:\Program Files\Mozilla Firefox\xul.dll .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] ntdll.dll!NtQueryFullAttributesFile 77895FD8 5 Bytes JMP 597AF78A D:\Program Files\Mozilla Firefox\xul.dll .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] ntdll.dll!NtReadFile 778962A8 5 Bytes JMP 597AF68C D:\Program Files\Mozilla Firefox\xul.dll .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] ntdll.dll!NtReadFileScatter 778962B8 5 Bytes JMP 59D543A6 D:\Program Files\Mozilla Firefox\xul.dll .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] ntdll.dll!NtWriteFile 77896A58 5 Bytes JMP 597AFAB6 D:\Program Files\Mozilla Firefox\xul.dll .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] ntdll.dll!NtWriteFileGather 77896A68 5 Bytes JMP 59D543F6 D:\Program Files\Mozilla Firefox\xul.dll .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] ntdll.dll!LdrUnloadDll 778ACAC6 5 Bytes JMP 001703FC .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] ntdll.dll!LdrLoadDll 778B245E 5 Bytes JMP 601C908C D:\Program Files\Mozilla Firefox\mozglue.dll .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] KERNEL32.dll!K32GetDeviceDriverBaseNameW + 5D 76E494E6 7 Bytes JMP 59D3DDA1 D:\Program Files\Mozilla Firefox\xul.dll .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] KERNEL32.dll!QueryPerformanceCounter + 13 76E4C4E5 7 Bytes JMP 59D3FD1D D:\Program Files\Mozilla Firefox\xul.dll .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] KERNEL32.dll!LoadAppInitDlls + 355 76E4F5A6 7 Bytes JMP 59AE1FD5 D:\Program Files\Mozilla Firefox\xul.dll .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] user32.dll!GetWindowInfo 75F46A82 5 Bytes JMP 5A72BF0A D:\Program Files\Mozilla Firefox\xul.dll .text D:\Program Files\Mozilla Firefox\firefox.exe[4512] GDI32.dll!GetViewportOrgEx + 26C 76DB884B 7 Bytes JMP 59D3C315 D:\Program Files\Mozilla Firefox\xul.dll ---- Devices - GMER 2.1 ---- Device \Driver\BTHUSB \Device\00000088 bthport.sys Device \Driver\BTHUSB \Device\0000008a bthport.sys ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d3d7e3 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d3d7e3@48c1ac7b0404 0x2C 0x02 0x45 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002243d3d7e3@847a88fed2e7 0x41 0x21 0xA4 0xD8 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d3d7e3 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d3d7e3@48c1ac7b0404 0x2C 0x02 0x45 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002243d3d7e3@847a88fed2e7 0x41 0x21 0xA4 0xD8 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xFC 0xC7 0x46 0x5D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Windows Live\Mail\wlmail.exe 0xB0 0x03 0xAF 0xE8 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0xDC 0xC5 0x41 0x72 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0xD8 0x32 0x5F 0x75 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\mcupdate.exe 0xC4 0x91 0xE2 0xA6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\ehrec.exe 0xAD 0xA5 0x35 0xB4 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\ehome\mcGlidHost.exe 0xCA 0xB7 0x70 0xB8 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xF6 0xA6 0x0D 0x5D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0x78 0x64 0x2D 0xDE ... ---- EOF - GMER 2.1 ----