GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-17 16:15:46
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BPVT-24JJ5T0 rev.01.01A01 298,09GB
Running: w3ztvgq4.exe; Driver: C:\Users\koala\AppData\Local\Temp\kwrdapod.sys

---- System - GMER 2.0 ----

SSDT 86A90688 ZwAlertResumeThread
SSDT 86AF3350 ZwAlertThread
SSDT 86AE7218 ZwAllocateVirtualMemory
SSDT 86BB2960 ZwAlpcConnectPort
SSDT 87403510 ZwAssignProcessToJobObject
SSDT 86AE6458 ZwCreateMutant
SSDT 87402608 ZwCreateSymbolicLinkObject
SSDT 86ACF2F8 ZwCreateThread
SSDT 874026D8 ZwCreateThreadEx
SSDT 874035F0 ZwDebugActiveProcess
SSDT 86AE8050 ZwDuplicateObject
SSDT 86AAA180 ZwFreeVirtualMemory
SSDT 86AE6548 ZwImpersonateAnonymousToken
SSDT 86A905A8 ZwImpersonateThread
SSDT 86BB90A8 ZwLoadDriver
SSDT 8710FCB0 ZwMapViewOfSection
SSDT 86AD5918 ZwOpenEvent
SSDT 86ACFB20 ZwOpenProcess
SSDT 86AE8160 ZwOpenProcessToken
SSDT 86AD5778 ZwOpenSection
SSDT 86A9F588 ZwOpenThread
SSDT 874027B8 ZwProtectVirtualMemory
SSDT 8742C348 ZwResumeThread
SSDT 873924D0 ZwSetContextThread
SSDT 86C1AE08 ZwSetInformationProcess
SSDT 874036D0 ZwSetSystemInformation
SSDT 86AD5858 ZwSuspendProcess
SSDT 86AF4190 ZwSuspendThread
SSDT 86AEB9C0 ZwTerminateProcess
SSDT 873921D8 ZwTerminateThread
SSDT 8710FC78 ZwUnmapViewOfSection
SSDT 86C15DB8 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.0 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82C41339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82C7AD52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 82C81DD0 8 Bytes [88, 06, A9, 86, 50, 33, AF, ...]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82C81DE8 4 Bytes [18, 72, AE, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82C81DF4 4 Bytes [60, 29, BB, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82C81E48 4 Bytes [10, 35, 40, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82C81EC4 4 Bytes [58, 64, AE, 86]
.text ...
.text ataport.SYS!AtaPortGetScatterGatherList + B44 839D644E 1 Byte [CC] {INT 3 }

---- User code sections - GMER 2.0 ----

.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[444] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 005A004C
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[444] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 006C0930
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[640] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 003A004C
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[640] USER32.dll!RegisterMessagePumpHook + 2F1 762C8B9E 7 Bytes JMP 10053940 C:\Program Files\Sony\Sony PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[640] USER32.dll!PostMessageW + 43A 762D48B5 7 Bytes JMP 100537F0 C:\Program Files\Sony\Sony PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[640] USER32.dll!SetDlgItemTextA + 25 762E709F 7 Bytes JMP 10053920 C:\Program Files\Sony\Sony PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[640] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 003C0AF4
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[640] USER32.dll!MessageBoxIndirectA + F5 7631E95E 7 Bytes JMP 10053990 C:\Program Files\Sony\Sony PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[640] USER32.dll!MessageBoxIndirectW + 61 7631E9C4 7 Bytes JMP 10053A60 C:\Program Files\Sony\Sony PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[640] USER32.dll!MessageBoxExA + 1F 7631E9E8 7 Bytes JMP 10053A10 C:\Program Files\Sony\Sony PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[1260] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 001F004C
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[1260] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 00340930
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 0002004C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1620] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 00200930
.text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1660] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 0002004C
.text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1660] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 001F0930
.text C:\ProgramData\DatacardService\DCService.exe[1692] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 0002004C
.text C:\ProgramData\DatacardService\DCService.exe[1692] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 001F0930
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1844] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 0002004C
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1844] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 000E0930
.text C:\Windows\System32\igfxpers.exe[3052] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 001E004C
.text C:\Windows\System32\igfxpers.exe[3052] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 00200930
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 0002004C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] ntdll.dll!LdrGetProcedureAddress + 26 771A22B3 7 Bytes JMP 5FCC4470 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 75708996 7 Bytes JMP 5FF10459 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] kernel32.dll!GetEnvironmentStringsA + 11 75712FB1 7 Bytes JMP 5FF1047C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] kernel32.dll!BaseThreadInitThunk + C9 75713CFC 7 Bytes JMP 5FCCF972 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 00130048
.text C:\Program Files\Mozilla Firefox\firefox.exe[3228] GDI32.dll!GetViewportOrgEx + 26C 7585884B 7 Bytes JMP 5FF103DA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Users\lucyna\Downloads\utorrent.exe[3588] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 003C004C
.text C:\Users\lucyna\Downloads\utorrent.exe[3588] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 003E0930
.text C:\Program Files\Sony\Sony PC Companion\PCCompanionInfo.exe[3612] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 0022004C
.text C:\Program Files\Sony\Sony PC Companion\PCCompanionInfo.exe[3612] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 00240AF4
.text C:\Windows\System32\hkcmd.exe[3704] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 002E004C
.text C:\Windows\System32\hkcmd.exe[3704] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 00300930
.text C:\Users\lucyna\Downloads\w3ztvgq4.exe[5160] ntdll.dll!NtTerminateThread 771868D8 5 Bytes JMP 0002004C
.text C:\Users\lucyna\Downloads\w3ztvgq4.exe[5160] USER32.dll!RecordShutdownReason + 372 763106C2 7 Bytes JMP 001F0930

---- Threads - GMER 2.0 ----

Thread System [4:328] 86B0139F
Thread System [4:392] 874A80F4
Thread System [4:3408] AEF12F2E

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ccaf78e9b6b3
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ccaf78e9b6b3@6ca780910e79 0x9A 0x2B 0x92 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ccaf78e9b6b3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ccaf78e9b6b3@6ca780910e79 0x9A 0x2B 0x92 0x75 ...

---- EOF - GMER 2.0 ----