GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-05 21:13:27
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD3200BEKT-60F3T1 rev.12.01A12 298,09GB
Running: gmer.exe; Driver: C:\Users\Viola\AppData\Local\Temp\fwddikob.sys


---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 142D    83292A15 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2      832CC212 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  C:\Windows\system32\DRIVERS\atikmdag.sys    section is writeable [0x9143D000, 0x2D5378, 0xE8000020]
.text  C:\Windows\system32\DRIVERS\atksgt.sys      section is writeable [0x9DCB5000, 0xBB22, 0xE8000020]
.text  C:\Windows\system32\DRIVERS\lirsgt.sys      section is writeable [0x9DCC9300, 0x1BEE, 0xE8000020]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7439249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74375652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [74375710] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7439251A] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [7438857E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74384D32] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [743850D9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [743851AE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [743866DB] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [743882D5] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74388824] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74389085] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7438E228] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT  C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74384C64] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1  Wdf01000.sys
Device          \Driver\BTHUSB \Device\00000097          bthport.sys
Device          \Driver\BTHUSB \Device\00000099          bthport.sys

---- Threads - GMER 2.1 ----

Thread  System [4:340]  9431FD50
Thread  System [4:352]  94324320
Thread  System [4:372]  94324320
Thread  System [4:376]  94324320

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027132c6ec9
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027132c6ec9@38ece4be11a4  0x28 0xB7 0x80 0xB5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027132c6ec9@183f477845dc  0x50 0x1D 0xC6 0xC8 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027132c6ec9@c065994346b2  0x18 0x5C 0x56 0x19 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027132c6ec9@6477914b3abe  0x08 0x5A 0xF9 0x81 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0027132c6ec9@ac7289d73c04  0x64 0x7B 0xBF 0x82 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027132c6ec9 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027132c6ec9@38ece4be11a4  0x28 0xB7 0x80 0xB5 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027132c6ec9@183f477845dc  0x50 0x1D 0xC6 0xC8 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027132c6ec9@c065994346b2  0x18 0x5C 0x56 0x19 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027132c6ec9@6477914b3abe  0x08 0x5A 0xF9 0x81 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0027132c6ec9@ac7289d73c04  0x64 0x7B 0xBF 0x82 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Plain\{E92A6E58-44AD-4360-97F5-7566D77FE9DD}
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E92A6E58-44AD-4360-97F5-7566D77FE9DD}
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E92A6E58-44AD-4360-97F5-7566D77FE9DD}@Path  \Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E92A6E58-44AD-4360-97F5-7566D77FE9DD}@Hash  0x3D 0xA8 0xA0 0x0D ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E92A6E58-44AD-4360-97F5-7566D77FE9DD}@Triggers  0x15 0x00 0x00 0x00 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks\{E92A6E58-44AD-4360-97F5-7566D77FE9DD}@DynamicInfo  0x03 0x00 0x00 0x00 ...
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree\Microsoft\Microsoft Antimalware\Microsoft Antimalware Scheduled Scan@Id  {E92A6E58-44AD-4360-97F5-7566D77FE9DD}

---- EOF - GMER 2.1 ----
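The three entry kinds above (kernel code patches, "section is writeable" drivers, and IAT slots in Explorer.EXE) are easier to triage once decoded. The following parser is an added example, not GMER's own code and not part of the log; its sample input is a handful of lines copied from the log, and its regular expressions assume the GMER 2.1 line layout seen here. The third value in a "section is writeable" entry is the PE section Characteristics field: 0xE8000020 decodes to IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_NOT_PAGED | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE, i.e. a driver .text section mapped writable and executable at once. For IAT entries the check is only whether the resolved pointer lands in a module with the same file name as the import (a WinSxS copy of gdiplus.dll keeps the name) or in a foreign module; the example does not decide whether any entry is malicious.

```python
"""Decode the findings in a GMER 2.1 text log.

Added example, not part of GMER or of the log above. The sample lines are
copied from the log on this page; the flag names are the IMAGE_SCN_*
section characteristics from winnt.h (PE/COFF).
"""
import ntpath
import re

# PE section Characteristics bits (winnt.h IMAGE_SCN_*), the subset a
# driver .text section normally carries plus the ones worth flagging.
IMAGE_SCN = {
    0x00000020: "IMAGE_SCN_CNT_CODE",
    0x00000040: "IMAGE_SCN_CNT_INITIALIZED_DATA",
    0x00000080: "IMAGE_SCN_CNT_UNINITIALIZED_DATA",
    0x02000000: "IMAGE_SCN_MEM_DISCARDABLE",
    0x04000000: "IMAGE_SCN_MEM_NOT_CACHED",
    0x08000000: "IMAGE_SCN_MEM_NOT_PAGED",
    0x10000000: "IMAGE_SCN_MEM_SHARED",
    0x20000000: "IMAGE_SCN_MEM_EXECUTE",
    0x40000000: "IMAGE_SCN_MEM_READ",
    0x80000000: "IMAGE_SCN_MEM_WRITE",
}
MEM_EXECUTE, MEM_WRITE = 0x20000000, 0x80000000

# Entry layouts GMER 2.1 emits under "Kernel code sections" and "User IAT/EAT".
PATCH_RE = re.compile(
    r"^\.text\s+(?P<symbol>\S+\s+\+\s+[0-9A-Fa-f]+)\s+(?P<addr>[0-9A-Fa-f]{8})"
    r"\s+(?P<size>\d+)\s+Bytes?\s+\[(?P<bytes>[^\]]*)\](?:\s+\{(?P<disasm>[^}]*)\})?")
WRITEABLE_RE = re.compile(
    r"^\.text\s+(?P<module>\S+)\s+section is writeable\s+"
    r"\[(?P<base>0x[0-9A-Fa-f]+),\s*(?P<size>0x[0-9A-Fa-f]+),\s*(?P<chars>0x[0-9A-Fa-f]+)\]")
IAT_RE = re.compile(
    r"^IAT\s+(?P<process>\S+)\s+@\s+(?P<image>\S+)\s+\[(?P<module>[^!\]]+)!(?P<func>[^\]]+)\]"
    r"\s+\[(?P<addr>[0-9A-Fa-f]+)\]\s+(?P<resolved>\S+)")

# Sample input copied from the GMER log on this page (one entry per line).
SAMPLE_LOG = r"""
.text ntkrnlpa.exe!ZwRollbackEnlistment + 142D 83292A15 1 Byte [06]
.text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 832CC212 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x9143D000, 0x2D5378, 0xE8000020]
.text C:\Windows\system32\DRIVERS\atksgt.sys section is writeable [0x9DCB5000, 0xBB22, 0xE8000020]
.text C:\Windows\system32\DRIVERS\lirsgt.sys section is writeable [0x9DCC9300, 0x1BEE, 0xE8000020]
IAT C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [7439249F] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
IAT C:\Windows\Explorer.EXE[300] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74375652] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18455_none_72d576ad8665e853\gdiplus.dll
"""


def decode_characteristics(flags):
    """Names of the IMAGE_SCN_* bits set in a section Characteristics value."""
    names = [name for bit, name in IMAGE_SCN.items() if flags & bit]
    unknown = flags & ~sum(IMAGE_SCN)
    if unknown:
        names.append("UNKNOWN_0x%08X" % unknown)
    return names


def is_writable_executable(flags):
    """True when a section is both writable and executable (W^X violated)."""
    return bool(flags & MEM_WRITE) and bool(flags & MEM_EXECUTE)


def parse_gmer(text):
    """Split GMER entries into code patches, writeable sections and IAT slots."""
    findings = {"patches": [], "writeable_sections": [], "iat": []}
    for line in text.splitlines():
        line = line.strip()
        if m := PATCH_RE.match(line):
            findings["patches"].append({
                "symbol": m["symbol"], "address": int(m["addr"], 16),
                "size": int(m["size"]), "bytes": m["bytes"], "disasm": m["disasm"]})
        elif m := WRITEABLE_RE.match(line):
            chars = int(m["chars"], 16)
            findings["writeable_sections"].append({
                "module": m["module"], "name": ntpath.basename(m["module"]),
                "base": int(m["base"], 16), "size": int(m["size"], 16),
                "characteristics": chars, "flags": decode_characteristics(chars),
                "wx": is_writable_executable(chars)})
        elif m := IAT_RE.match(line):
            # A slot resolving into a module with a different file name than the
            # import names is the classic IAT hook; a WinSxS copy of the same DLL
            # (side-by-side redirection) keeps the file name.
            resolved = ntpath.basename(m["resolved"]).lower()
            findings["iat"].append({
                "process": m["process"], "import": f'{m["module"]}!{m["func"]}',
                "address": int(m["addr"], 16), "resolved": m["resolved"],
                "same_module": resolved == m["module"].lower()})
    return findings


def summarize(findings):
    """One triage line per finding, tagged PATCH, W+X/W or SXS/HOOK?."""
    out = []
    for p in findings["patches"]:
        out.append(f"PATCH  {p['symbol']} @ {p['address']:08X}: {p['size']} byte(s) [{p['bytes']}]")
    for s in findings["writeable_sections"]:
        tag = "W+X" if s["wx"] else "W"
        out.append(f"{tag:<6} {s['name']} .text base={s['base']:08X} size={s['size']:#x} "
                   f"chars={s['characteristics']:#010x} ({', '.join(s['flags'])})")
    for e in findings["iat"]:
        tag = "SXS" if e["same_module"] else "HOOK?"
        out.append(f"{tag:<6} {e['process']} {e['import']} -> {e['address']:08X} {e['resolved']}")
    return out


if __name__ == "__main__":
    for line in summarize(parse_gmer(SAMPLE_LOG)):
        print(line)
```

Run it as-is to see the sample decoded, or pass a full saved GMER log to `parse_gmer()`; the `same_module` test is deliberately narrow, since a hook placed in a same-named DLL loaded from an unexpected directory would still need the resolved path checked by hand.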