GMER 1.0.15.15641 - http://www.gmer.net
Rootkit scan 2011-11-03 15:19:20
Windows 6.0.6002 Service Pack 2 Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 TOSHIBA_ rev.DK02
Running: gmer.exe; Driver: C:\Users\Emiko\AppData\Local\Temp\fwdoapoc.sys

---- System - GMER 1.0.15 ----

Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateProcessEx [0x8EB3450A]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwCreateSection [0x8EB3432E]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ZwLoadDriver [0x8EB34468]
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) NtCreateSection
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObInsertObject
Code \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software) ObMakeTemporaryObject

---- Kernel code sections - GMER 1.0.15 ----

PAGE ntkrnlpa.exe!ZwLoadDriver 82987DEE 7 Bytes JMP 8EB3446C \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObMakeTemporaryObject 829F362F 5 Bytes JMP 8EB304AA \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ObInsertObject 82A4C543 5 Bytes JMP 8EB3197E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!NtCreateSection 82A4DDE5 7 Bytes JMP 8EB34332 \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
PAGE ntkrnlpa.exe!ZwCreateProcessEx 82AADDCA 7 Bytes JMP 8EB3450E \SystemRoot\System32\Drivers\aswSP.SYS (avast! self protection module/ALWIL Software)
.text C:\Windows\system32\DRIVERS\tos_sps32.sys section is writeable [0x8895B000, 0x4036D, 0xE8000020]
.dsrt C:\Windows\system32\DRIVERS\tos_sps32.sys unknown last section [0x889A4000, 0x510, 0x40000040]

---- User code sections - GMER 1.0.15 ----

.text C:\Program Files\Internet Explorer\iexplore.exe[4284] kernel32.dll!CreateThread 7681CB2E 5 Bytes JMP 6901723B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!CreateDialogParamW 75A172A2 5 Bytes JMP 691A63C8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!GetAsyncKeyState 75A1863C 5 Bytes JMP 68FFDCCD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!SetWindowsHookExW 75A187AD 5 Bytes JMP 690520C4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!CallNextHookEx 75A18E3B 5 Bytes JMP 69077ACF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!UnhookWindowsHookEx 75A198DB 5 Bytes JMP 6909EA88 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!EnableWindow 75A1CD8B 5 Bytes JMP 69059934 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!DefWindowProcA 75A1DB88 7 Bytes JMP 69019465 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!CreateWindowExA 75A1DC2A 5 Bytes JMP 69023293 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!CreateWindowExW 75A21305 5 Bytes JMP 6907FEAF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!GetKeyState 75A28CB1 5 Bytes JMP 68FFDBA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!DefWindowProcW 75A303B4 7 Bytes JMP 69077B32 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!IsDialogMessageW 75A30745 5 Bytes JMP 691A6B23 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!CreateDialogParamA 75A317AA 5 Bytes JMP 691A6390 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!IsDialogMessage 75A31847 5 Bytes JMP 691A6AFB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!CreateDialogIndirectParamA 75A326F1 5 Bytes JMP 691A6400 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!CreateDialogIndirectParamW 75A39A62 5 Bytes JMP 691A6438 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!SetKeyboardState 75A40987 5 Bytes JMP 691A73E9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!DialogBoxParamW 75A410B0 5 Bytes JMP 68FB160B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!DialogBoxIndirectParamW 75A42EF5 5 Bytes JMP 691A605E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!SendInput 75A42F75 5 Bytes JMP 691A7391 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!EndDialog 75A4326E 5 Bytes JMP 691A6DCF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!SetCursorPos 75A56FB2 5 Bytes JMP 691A746A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!DialogBoxParamA 75A58152 5 Bytes JMP 691A5FF9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!DialogBoxIndirectParamA 75A5847D 5 Bytes JMP 691A60C3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!MessageBoxIndirectA 75A6D4D9 5 Bytes JMP 691A5F80 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!MessageBoxIndirectW 75A6D5D3 5 Bytes JMP 691A5F07 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!MessageBoxExA 75A6D639 5 Bytes JMP 691A5EA3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!MessageBoxExW 75A6D65D 5 Bytes JMP 691A5E3F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] USER32.dll!keybd_event 75A6D972 5 Bytes JMP 691A734E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] SHELL32.dll!SHRestricted + D95 75CE89A8 4 Bytes [CF, 01, 75, 6B] {IRET ; ADD [EBP+0x6b], ESI}
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] SHELL32.dll!SHRestricted + D9D 75CE89B0 8 Bytes [E0, 61, 74, 6B, 79, F7, 74, ...] {LOOPNZ 0x63; JZ 0x6f; JNS 0xfffffffffffffffd; JZ 0x73}
.text C:\Program Files\Internet Explorer\iexplore.exe[4284] ole32.dll!OleLoadFromStream 76931E80 5 Bytes JMP 691A682D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5404] USER32.dll!EnableWindow 75A1CD8B 5 Bytes JMP 69059934 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5404] USER32.dll!DialogBoxParamW 75A410B0 5 Bytes JMP 68FB160B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5404] USER32.dll!DialogBoxIndirectParamW 75A42EF5 5 Bytes JMP 691A605E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5404] USER32.dll!DialogBoxParamA 75A58152 5 Bytes JMP 691A5FF9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5404] USER32.dll!DialogBoxIndirectParamA 75A5847D 5 Bytes JMP 691A60C3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5404] USER32.dll!MessageBoxIndirectA 75A6D4D9 5 Bytes JMP 691A5F80 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5404] USER32.dll!MessageBoxIndirectW 75A6D5D3 5 Bytes JMP 691A5F07 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5404] USER32.dll!MessageBoxExA 75A6D639 5 Bytes JMP 691A5EA3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5404] USER32.dll!MessageBoxExW 75A6D65D 5 Bytes JMP 691A5E3F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] kernel32.dll!CreateThread 7681CB2E 5 Bytes JMP 6901723B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!CreateDialogParamW 75A172A2 5 Bytes JMP 691A63C8 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!GetAsyncKeyState 75A1863C 5 Bytes JMP 68FFDCCD C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!SetWindowsHookExW 75A187AD 5 Bytes JMP 690520C4 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!CallNextHookEx 75A18E3B 5 Bytes JMP 69077ACF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!UnhookWindowsHookEx 75A198DB 5 Bytes JMP 6909EA88 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!EnableWindow 75A1CD8B 5 Bytes JMP 69059934 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!DefWindowProcA 75A1DB88 7 Bytes JMP 69019465 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!CreateWindowExA 75A1DC2A 5 Bytes JMP 69023293 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!CreateWindowExW 75A21305 5 Bytes JMP 6907FEAF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!GetKeyState 75A28CB1 5 Bytes JMP 68FFDBA7 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!DefWindowProcW 75A303B4 7 Bytes JMP 69077B32 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!IsDialogMessageW 75A30745 5 Bytes JMP 691A6B23 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!CreateDialogParamA 75A317AA 5 Bytes JMP 691A6390 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!IsDialogMessage 75A31847 5 Bytes JMP 691A6AFB C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!CreateDialogIndirectParamA 75A326F1 5 Bytes JMP 691A6400 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!CreateDialogIndirectParamW 75A39A62 5 Bytes JMP 691A6438 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!SetKeyboardState 75A40987 5 Bytes JMP 691A73E9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!DialogBoxParamW 75A410B0 5 Bytes JMP 68FB160B C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!DialogBoxIndirectParamW 75A42EF5 5 Bytes JMP 691A605E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!SendInput 75A42F75 5 Bytes JMP 691A7391 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!EndDialog 75A4326E 5 Bytes JMP 691A6DCF C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!SetCursorPos 75A56FB2 5 Bytes JMP 691A746A C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!DialogBoxParamA 75A58152 5 Bytes JMP 691A5FF9 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!DialogBoxIndirectParamA 75A5847D 5 Bytes JMP 691A60C3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!MessageBoxIndirectA 75A6D4D9 5 Bytes JMP 691A5F80 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!MessageBoxIndirectW 75A6D5D3 5 Bytes JMP 691A5F07 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!MessageBoxExA 75A6D639 5 Bytes JMP 691A5EA3 C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!MessageBoxExW 75A6D65D 5 Bytes JMP 691A5E3F C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] USER32.dll!keybd_event 75A6D972 5 Bytes JMP 691A734E C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] SHELL32.dll!SHRestricted + D95 75CE89A8 4 Bytes [CF, 01, 75, 6B] {IRET ; ADD [EBP+0x6b], ESI}
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] SHELL32.dll!SHRestricted + D9D 75CE89B0 8 Bytes [E0, 61, 74, 6B, 79, F7, 74, ...] {LOOPNZ 0x63; JZ 0x6f; JNS 0xfffffffffffffffd; JZ 0x73}
.text C:\Program Files\Internet Explorer\iexplore.exe[5456] ole32.dll!OleLoadFromStream 76931E80 5 Bytes JMP 691A682D C:\Windows\system32\IEFRAME.dll (Internet Browser/Microsoft Corporation)

---- Devices - GMER 1.0.15 ----

Device \FileSystem\Ntfs \Ntfs aswSP.SYS (avast! self protection module/ALWIL Software)
Device \FileSystem\fastfat \FatCdrom aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Tcp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
AttachedDevice \Driver\tdx \Device\Udp aswTdi.SYS (avast! TDI Filter Driver/ALWIL Software)
Device \FileSystem\fastfat \Fat aswSP.SYS (avast! self protection module/ALWIL Software)
AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys (Microsoft Filesystem Filter Manager/Microsoft Corporation)

---- EOF - GMER 1.0.15 ----