GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-18 16:52:53
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BPVT-24JJ5T0 rev.01.01A01 298,09GB
Running: w3ztvgq4.exe; Driver: C:\Users\koala\AppData\Local\Temp\kwrdapod.sys

---- System - GMER 2.0 ----

SSDT 8700C390 ZwAlertResumeThread
SSDT 8700B348 ZwAlertThread
SSDT 87003358 ZwAllocateVirtualMemory
SSDT 867435D0 ZwAlpcConnectPort
SSDT 87013330 ZwAssignProcessToJobObject
SSDT 8700E320 ZwCreateMutant
SSDT 870163A0 ZwCreateSymbolicLinkObject
SSDT 86FFF348 ZwCreateThread
SSDT 87015370 ZwCreateThreadEx
SSDT 870133F0 ZwDebugActiveProcess
SSDT 870023E0 ZwDuplicateObject
SSDT 870053A0 ZwFreeVirtualMemory
SSDT 8700E3F0 ZwImpersonateAnonymousToken
SSDT 8700D3B0 ZwImpersonateThread
SSDT 86753760 ZwLoadDriver
SSDT 870063D0 ZwMapViewOfSection
SSDT 8700F368 ZwOpenEvent
SSDT 87000358 ZwOpenProcess
SSDT 87002320 ZwOpenProcessToken
SSDT 870113F0 ZwOpenSection
SSDT 870013A0 ZwOpenThread
SSDT 87014358 ZwProtectVirtualMemory
SSDT 8700A310 ZwResumeThread
SSDT 87008368 ZwSetContextThread
SSDT 87007338 ZwSetInformationProcess
SSDT 870123B0 ZwSetSystemInformation
SSDT 870103B0 ZwSuspendProcess
SSDT 8700A3F0 ZwSuspendThread
SSDT 86FFE308 ZwTerminateProcess
SSDT 870093B0 ZwTerminateThread
SSDT 87006310 ZwUnmapViewOfSection
SSDT 87004358 ZwWriteVirtualMemory

---- Kernel code sections - GMER 2.0 ----

.text ntkrnlpa.exe!ZwSaveKey + 13C1 82C85339 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82CBED52 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10DB 82CC5DD0 8 Bytes [90, C3, 00, 87, 48, B3, 00, ...] {NOP ; RET ; ADD [EDI-0x78ff4cb8], AL}
.text ntkrnlpa.exe!KeRemoveQueueEx + 10F3 82CC5DE8 4 Bytes [58, 33, 00, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 10FF 82CC5DF4 4 Bytes [D0, 35, 74, 86]
.text ntkrnlpa.exe!KeRemoveQueueEx + 1153 82CC5E48 4 Bytes [30, 33, 01, 87]
.text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 82CC5EC4 4 Bytes [20, E3, 00, 87]
.text ...

---- User code sections - GMER 2.0 ----

.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1560] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0002004C
.text C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe[1560] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 00220930
.text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1596] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0002004C
.text C:\Program Files\Lenovo\Bluetooth Software\btwdins.exe[1596] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 002F0930
.text C:\ProgramData\DatacardService\DCService.exe[1628] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0002004C
.text C:\ProgramData\DatacardService\DCService.exe[1628] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 002F0930
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1744] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0002004C
.text C:\ProgramData\Skype\Toolbars\Skype C2C Service\c2c_service.exe[1744] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 00170930
.text C:\Users\lucyna\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2228] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0002004C
.text C:\Users\lucyna\AppData\Local\GG\Application\ggdrive\ggdrive.exe[2228] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 00340930
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[2820] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 001B004C
.text C:\Program Files\Lenovo\Bluetooth Software\BtStackServer.exe[2820] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 00340930
.text C:\ProgramData\DatacardService\DCSHelper.exe[2868] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0002004C
.text C:\ProgramData\DatacardService\DCSHelper.exe[2868] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 001F0930
.text C:\Windows\System32\hkcmd.exe[2940] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 001E004C
.text C:\Windows\System32\hkcmd.exe[2940] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 00200930
.text C:\Windows\System32\igfxpers.exe[2960] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 001E004C
.text C:\Windows\System32\igfxpers.exe[2960] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 00200930
.text C:\Program Files\Mozilla Firefox\firefox.exe[3020] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0002004C
.text C:\Program Files\Mozilla Firefox\firefox.exe[3020] ntdll.dll!LdrGetProcedureAddress + 26 772A22B3 7 Bytes JMP 67E34470 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3020] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D 769F8996 7 Bytes JMP 68080459 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3020] kernel32.dll!GetEnvironmentStringsA + 11 76A02FB1 7 Bytes JMP 6808047C C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3020] kernel32.dll!BaseThreadInitThunk + C9 76A03CFC 7 Bytes JMP 67E3F972 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\firefox.exe[3020] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 000F0048
.text C:\Program Files\Mozilla Firefox\firefox.exe[3020] GDI32.dll!GetViewportOrgEx + 26C 75C5884B 7 Bytes JMP 680803DA C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0008004C
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!RegisterMessagePumpHook + 2F1 75778B9E 7 Bytes JMP 10053940 C:\Program Files\Sony\Sony PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!PostMessageW + 43A 757848B5 7 Bytes JMP 100537F0 C:\Program Files\Sony\Sony PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!SetDlgItemTextA + 25 7579709F 7 Bytes JMP 10053920 C:\Program Files\Sony\Sony PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 00210AF4
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!MessageBoxIndirectA + F5 757CE95E 7 Bytes JMP 10053990 C:\Program Files\Sony\Sony PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!MessageBoxIndirectW + 61 757CE9C4 7 Bytes JMP 10053A60 C:\Program Files\Sony\Sony PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Program Files\Sony\Sony PC Companion\PCCompanion.exe[3208] USER32.dll!MessageBoxExA + 1F 757CE9E8 7 Bytes JMP 10053A10 C:\Program Files\Sony\Sony PC Companion\NewUI.dll (New UI/Avanquest Software)
.text C:\Users\lucyna\AppData\Local\GG\Application\gghub.exe[3264] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0002004C
.text C:\Users\lucyna\AppData\Local\GG\Application\gghub.exe[3264] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 000F0930
.text C:\Users\lucyna\Downloads\utorrent.exe[3272] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0002004C
.text C:\Users\lucyna\Downloads\utorrent.exe[3272] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 003D0930
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3284] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0027004C
.text C:\Program Files\Lenovo\Bluetooth Software\BTTray.exe[3284] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 00390930
.text C:\Program Files\Sony\Sony PC Companion\PCCompanionInfo.exe[3376] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 000F004C
.text C:\Program Files\Sony\Sony PC Companion\PCCompanionInfo.exe[3376] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 00110AF4
.text C:\Users\lucyna\AppData\Local\GG\Application\ggapp.exe[3504] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0002004C
.text C:\Users\lucyna\AppData\Local\GG\Application\ggapp.exe[3504] ntdll.dll!LdrLoadDll 772A22B8 5 Bytes JMP 6BB6C859 C:\Users\lucyna\AppData\Local\GG\Application\xulrunner\xul.dll (GG application/GG Network S.A.)
.text C:\Users\lucyna\AppData\Local\GG\Application\ggapp.exe[3504] kernel32.dll!MapViewOfFile 769F899B 5 Bytes JMP 6C35ED8E C:\Users\lucyna\AppData\Local\GG\Application\xulrunner\xul.dll (GG application/GG Network S.A.)
.text C:\Users\lucyna\AppData\Local\GG\Application\ggapp.exe[3504] kernel32.dll!VirtualAlloc 76A02FB6 5 Bytes JMP 6C35ED48 C:\Users\lucyna\AppData\Local\GG\Application\xulrunner\xul.dll (GG application/GG Network S.A.)
.text C:\Users\lucyna\AppData\Local\GG\Application\ggapp.exe[3504] USER32.dll!SetWindowLongA 75778BA3 5 Bytes JMP 6C1E51AA C:\Users\lucyna\AppData\Local\GG\Application\xulrunner\xul.dll (GG application/GG Network S.A.)
.text C:\Users\lucyna\AppData\Local\GG\Application\ggapp.exe[3504] USER32.dll!SetWindowLongW 75784449 5 Bytes JMP 6C1E520A C:\Users\lucyna\AppData\Local\GG\Application\xulrunner\xul.dll (GG application/GG Network S.A.)
.text C:\Users\lucyna\AppData\Local\GG\Application\ggapp.exe[3504] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 000F0048
.text C:\Users\lucyna\AppData\Local\GG\Application\ggapp.exe[3504] GDI32.dll!CreateDIBSection 75C58850 5 Bytes JMP 6C35EDB5 C:\Users\lucyna\AppData\Local\GG\Application\xulrunner\xul.dll (GG application/GG Network S.A.)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4692] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0002004C
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4692] USER32.dll!GetWindowInfo 75784B5E 5 Bytes JMP 67F9A8A3 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4692] USER32.dll!ToUnicodeEx + 71 75792223 7 Bytes JMP 67F9AED5 C:\Program Files\Mozilla Firefox\xul.dll (Mozilla Foundation)
.text C:\Program Files\Mozilla Firefox\plugin-container.exe[4692] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 000E0930
.text C:\Users\lucyna\Downloads\w3ztvgq4.exe[5756] ntdll.dll!NtTerminateThread 772868D8 5 Bytes JMP 0002004C
.text C:\Users\lucyna\Downloads\w3ztvgq4.exe[5756] USER32.dll!RecordShutdownReason + 372 757C06C2 7 Bytes JMP 002F0930

---- Threads - GMER 2.0 ----

Thread System [4:688] 9AF33F2E

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ccaf78e9b6b3
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ccaf78e9b6b3@6ca780910e79 0x9A 0x2B 0x92 0x75 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ccaf78e9b6b3 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ccaf78e9b6b3@6ca780910e79 0x9A 0x2B 0x92 0x75 ...

---- EOF - GMER 2.0 ----