GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-10-21 15:07:41
Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB
Running: cpqsz5tt.exe; Driver: C:\Users\Merix\AppData\Local\Temp\kgryypoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\wininit.exe[556] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\services.exe[612] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\winlogon.exe[668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\lsass.exe[680] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\svchost.exe[800] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\svchost.exe[896] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\atiesrxx.exe[944] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\System32\svchost.exe[1020] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\System32\svchost.exe[324] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_35a1fb3404aa1180\STacSV64.exe[476] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1076] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1212] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\WLANExt.exe[1368] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1480] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1508] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\System32\spoolsv.exe[1700] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1748] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\armsvc.exe[1880] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_35a1fb3404aa1180\AESTSr64.exe[1900] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1932] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1976] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[1112] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Windows\system32\svchost.exe[1768] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\svchost.exe[1168] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\Dwm.exe[736] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\Explorer.EXE[3104] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[3360] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\Scheduler\STService.exe[3404] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe[3560] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Program Files\Dell\QuickSet\quickset.exe[3904] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3940] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE[4088] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files\IDT\WDM\sttray64.exe[3328] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3312] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3348] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3520] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe[3240] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075c1d03c 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076a71401 2 bytes JMP 75c2eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076a71419 2 bytes JMP 75c3b513 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076a71431 2 bytes JMP 75cb8609 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076a7144a 2 bytes CALL 75c11dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076a714dd 2 bytes JMP 75cb7efe C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076a714f5 2 bytes JMP 75cb80d8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076a7150d 2 bytes JMP 75cb7df4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076a71525 2 bytes JMP 75cb81c2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076a7153d 2 bytes JMP 75c2f088 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076a71555 2 bytes JMP 75c3b885 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076a7156d 2 bytes JMP 75cb86c1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076a71585 2 bytes JMP 75cb8222 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076a7159d 2 bytes JMP 75cb7db8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076a715b5 2 bytes JMP 75c2f121 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076a715cd 2 bytes JMP 75c3b29f C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076a716b2 2 bytes JMP 75cb8584 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\AVAST Software\Avast\avastui.exe[3268] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076a716bd 2 bytes JMP 75cb7d4d C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\SearchIndexer.exe[3852] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[4032] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[4236] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4608] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4800] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Program Files\Windows Media Player\wmpnetwk.exe[4788] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Windows\system32\svchost.exe[4580] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5844] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5844] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 35 00000000726811a8 2 bytes [68, 72]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5844] C:\Windows\SysWOW64\ksuser.dll!KsCreatePin + 248 000000007268127d 2 bytes CALL 75c114dd C:\Windows\syswow64\kernel32.dll
.text ... * 6
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5844] C:\Windows\SysWOW64\ksuser.dll!KsCreateAllocator + 21 00000000726813a8 2 bytes [68, 72]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5844] C:\Windows\SysWOW64\ksuser.dll!KsCreateClock + 21 0000000072681422 2 bytes [68, 72]
.text C:\Program Files (x86)\Skype\Phone\Skype.exe[5844] C:\Windows\SysWOW64\ksuser.dll!KsCreateTopologyNode + 19 0000000072681498 2 bytes [68, 72]
.text C:\Users\Merix\Downloads\FRST64.exe[2968] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 0000000076d6f1bd 1 byte [62]
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 0000000076a71401 2 bytes JMP 75c2eb26 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 0000000076a71419 2 bytes JMP 75c3b513 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 0000000076a71431 2 bytes JMP 75cb8609 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 0000000076a7144a 2 bytes CALL 75c11dfa C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 0000000076a714dd 2 bytes JMP 75cb7efe C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 0000000076a714f5 2 bytes JMP 75cb80d8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 0000000076a7150d 2 bytes JMP 75cb7df4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 0000000076a71525 2 bytes JMP 75cb81c2 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 0000000076a7153d 2 bytes JMP 75c2f088 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 0000000076a71555 2 bytes JMP 75c3b885 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 0000000076a7156d 2 bytes JMP 75cb86c1 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 0000000076a71585 2 bytes JMP 75cb8222 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 0000000076a7159d 2 bytes JMP 75cb7db8 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 0000000076a715b5 2 bytes JMP 75c2f121 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 0000000076a715cd 2 bytes JMP 75c3b29f C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 0000000076a716b2 2 bytes JMP 75cb8584 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\OTL.exe[5316] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 0000000076a716bd 2 bytes JMP 75cb7d4d C:\Windows\syswow64\kernel32.dll
.text C:\Users\Merix\Downloads\cpqsz5tt.exe[5176] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075c3b0c5 1 byte [62]

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9F499FE1-07BB-4571-B43B-BDAE5FA21096}\mpengine.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [4932] (Microsoft Malware Protection Engine/Microsoft Corporation)(2014-10-21 10:13:04) 000007feea220000
Library C:\ProgramData\Microsoft\Windows Defender\Definition Updates\{9F499FE1-07BB-4571-B43B-BDAE5FA21096}\offreg.dll (*** suspicious ***) @ C:\Windows\System32\svchost.exe [4932] (Offline registry DLL/Microsoft Corporation)(2014-10-21 11:17:27) 000007fef61e0000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\5cac4ce1552c
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\5cac4ce1552c (not active ControlSet)

---- EOF - GMER 2.1 ----