GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2013-10-05 17:09:55
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS725050A9A364 rev.PC4OC72E 465,76GB
Running: 2urimw2f.exe; Driver: C:\Users\Patryk\AppData\Local\Temp\kwrdipog.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1704] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  0000000076291465 2 bytes [29, 76]
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[1704] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000762914bb 2 bytes [29, 76]
.text  ...  * 2
.text  D:\Steam\Steam.exe[2116] C:\Windows\syswow64\KERNELBASE.dll!HeapCreate  0000000075b0549c 5 bytes JMP 0000000100330800
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076291465 2 bytes [29, 76]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[2212] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000762914bb 2 bytes [29, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Windows Sidebar\sidebar.exe[2264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076291465 2 bytes [29, 76]
.text  C:\Program Files (x86)\Windows Sidebar\sidebar.exe[2264] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000762914bb 2 bytes [29, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey  0000000077adfaa8 5 bytes JMP 0000000174b219b0
.text  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[2384] C:\Windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory  0000000077ae0038 5 bytes JMP 0000000174b22066
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  0000000072721a22 2 bytes [72, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  0000000072721ad0 2 bytes [72, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552  0000000072721b08 2 bytes [72, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730  0000000072721bba 2 bytes [72, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762  0000000072721bda 2 bytes [72, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076291465 2 bytes [29, 76]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[2328] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000762914bb 2 bytes [29, 76]
.text  ...  * 2

---- Kernel IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback]  [fffff88003313d18] \SystemRoot\system32\DRIVERS\klif.sys [PAGE]

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{3D252D65-641F-4E66-A8F2-B9318D0FE213}\Connection@Name  isatap.{2276F6C2-83A6-4F6A-AD38-DD475AA67E03}
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind  \Device\{91CCBFBF-82AD-4E0E-93EF-399D574B714E}?\Device\{3D252D65-641F-4E66-A8F2-B9318D0FE213}?\Device\{784EB651-9BCA-4C8C-ABCF-5102D4A1B93E}?\Device\{DB0F3634-CD4D-477A-AC77-A8E47C2049EA}?\Device\{A2520E55-F471-4FB6-B88E-B58D5E607735}?\Device\{9ADF0D52-88C5-4A10-8B3F-1B0B0AEB7DB9}?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route  "{91CCBFBF-82AD-4E0E-93EF-399D574B714E}"?"{3D252D65-641F-4E66-A8F2-B9318D0FE213}"?"{784EB651-9BCA-4C8C-ABCF-5102D4A1B93E}"?"{DB0F3634-CD4D-477A-AC77-A8E47C2049EA}"?"{A2520E55-F471-4FB6-B88E-B58D5E607735}"?"{9ADF0D52-88C5-4A10-8B3F-1B0B0AEB7DB9}"?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export  \Device\TCPIP6TUNNEL_{91CCBFBF-82AD-4E0E-93EF-399D574B714E}?\Device\TCPIP6TUNNEL_{3D252D65-641F-4E66-A8F2-B9318D0FE213}?\Device\TCPIP6TUNNEL_{784EB651-9BCA-4C8C-ABCF-5102D4A1B93E}?\Device\TCPIP6TUNNEL_{DB0F3634-CD4D-477A-AC77-A8E47C2049EA}?\Device\TCPIP6TUNNEL_{A2520E55-F471-4FB6-B88E-B58D5E607735}?\Device\TCPIP6TUNNEL_{9ADF0D52-88C5-4A10-8B3F-1B0B0AEB7DB9}?
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027139b23b0
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027139b23b0@bcb1f37bfb89  0xB0 0x57 0x39 0x0E ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{3D252D65-641F-4E66-A8F2-B9318D0FE213}@InterfaceName  isatap.{2276F6C2-83A6-4F6A-AD38-DD475AA67E03}
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{3D252D65-641F-4E66-A8F2-B9318D0FE213}@ReusableType  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x7D 0x44 0xE0 0xFE ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027139b23b0 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027139b23b0@bcb1f37bfb89  0xB0 0x57 0x39 0x0E ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@u0  0x00 0x00 0x00 0x00 ...
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\14919EA49A8F3B4AA3CF1058D9A64CEC@hdf12  0x7D 0x44 0xE0 0xFE ...

---- EOF - GMER 2.1 ----