GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-06-13 00:04:35 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9250315AS rev.0003SDM1 232,89GB Running: dsnv4zq3.exe; Driver: C:\Users\ABBA\AppData\Local\Temp\aftcqaog.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 00000000774a000c 1 byte [C3] .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007752f8ea 5 bytes JMP 00000000774dd5c1 .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000752c1401 2 bytes JMP 7576b21b C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000752c1419 2 bytes JMP 7576b346 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000752c1431 2 bytes JMP 757e8ea9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000752c144a 2 bytes CALL 757448ad C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000752c14dd 2 bytes JMP 757e87a2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000752c14f5 2 bytes JMP 757e8978 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000752c150d 2 bytes JMP 757e8698 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000752c1525 2 bytes JMP 757e8a62 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000752c153d 2 bytes JMP 7575fca8 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000752c1555 2 bytes JMP 757668ef C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000752c156d 2 bytes JMP 757e8f61 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000752c1585 2 bytes JMP 757e8ac2 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000752c159d 2 bytes JMP 757e865c C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000752c15b5 2 bytes JMP 7575fd41 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000752c15cd 2 bytes JMP 7576b2dc C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000752c16b2 2 bytes JMP 757e8e24 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\regsvr32.exe[4444] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000752c16bd 2 bytes JMP 757e85f1 C:\Windows\syswow64\kernel32.dll .text C:\Windows\explorer.exe[6284] C:\Windows\SYSTEM32\ntdll.dll!RtlCreateProcessParametersEx + 1 00000000772e92d1 23 bytes {MOV EAX, 0xffffffffcda7ea00; INC BYTE [RDI]; ADD [RAX], AL; JMP RAX} ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Program Files\Internet Explorer\iexplore.exe[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\USER32.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\GDI32.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\advapi32.DLL[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\shell32.DLL[USER32.dll!MessageBoxW] [7fef48b6a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\shell32.DLL[USER32.dll!DialogBoxParamW] [7fef48b64e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\shell32.DLL[USER32.dll!MessageBoxIndirectW] [7fef488d8e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\shell32.DLL[USER32.dll!EnableWindow] [7fef4872090] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!DialogBoxParamW] [7fef48b64e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!DialogBoxParamA] [7fef48b63e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!MessageBoxW] [7fef48b6a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\iertutil.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\version.DLL[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\IMM32.DLL[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\MSCTF.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\IEFRAME.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!EnableWindow] [7fef4872090] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!DialogBoxParamW] [7fef48b64e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!MessageBoxW] [7fef48b6a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\IEFRAME.dll[USER32.dll!MessageBoxIndirectW] [7fef488d8e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\ole32.dll[USER32.dll!EnableWindow] [7fef4872090] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\ole32.dll[USER32.dll!DialogBoxParamW] [7fef48b64e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\ole32.dll[USER32.dll!MessageBoxW] [7fef48b6a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\OLEAUT32.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\OLEAUT32.dll[USER32.dll!EnableWindow] [7fef4872090] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!EnableWindow] [7fef4872090] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[USER32.dll!DialogBoxIndirectParamW] [7fef48b6300] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\comctl32.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\comdlg32.dll[USER32.dll!EnableWindow] [7fef4872090] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\comdlg32.dll[USER32.dll!DialogBoxIndirectParamW] [7fef48b6300] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\comdlg32.dll[USER32.dll!MessageBoxW] [7fef48b6a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\comdlg32.dll[COMCTL32.dll!PropertySheetW] [7fef48b7160] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\comdlg32.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\uxtheme.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\urlmon.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\urlmon.dll[USER32.dll!EnableWindow] [7fef4872090] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\urlmon.dll[USER32.dll!DialogBoxParamW] [7fef48b64e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\WININET.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\dwmapi.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\Secur32.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\CLBCatQ.DLL[USER32.dll!DialogBoxParamW] [7fef48b64e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\CLBCatQ.DLL[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\System32\netprofm.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\System32\nlaapi.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\rsaenh.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Program Files\Internet Explorer\ieproxy.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\apphelp.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\IEUI.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\windowscodecs.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\oleacc.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\System32\fwpuclnt.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\PROPSYS.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\MLANG.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\SETUPAPI.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!DialogBoxParamW] [7fef48b64e0] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!EnableWindow] [7fef4872090] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\SETUPAPI.dll[USER32.dll!MessageBoxW] [7fef48b6a70] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\CFGMGR32.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\ntmarta.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\WLDAP32.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\dxgi.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\WINTRUST.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\LINKINFO.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\credssp.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\schannel.DLL[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\bcrypt.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll IAT C:\Program Files\Internet Explorer\iexplore.exe[5276] @ C:\Windows\system32\cryptnet.dll[KERNEL32.dll!GetProcAddress] [7fef4871800] C:\Program Files\Internet Explorer\IEShims.dll ---- Threads - GMER 2.2 ---- Thread System [4:5604] fffffa8007c6ccd8 Thread System [4:5608] fffffa8007c9aa1c Thread System [4:5788] fffffa8007ca3c84 Thread System [4:5792] fffffa8007ca2580 Thread System [4:5816] fffffa8007c9c1a4 Thread C:\Windows\System32\svchost.exe [4280:3064] 000007fee6bd9688 Thread C:\Windows\SysWOW64\regsvr32.exe [4444:3732] 00000000697dab02 Thread [2348:5708] 00000000774e2e65 Thread [2348:5860] 00000000774e3e85 Thread [2348:1224] 00000000774e3e85 Thread [2348:6148] 00000000774e3e85 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247ead38c0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247ead38c0 (not active ControlSet) ---- EOF - GMER 2.2 ----