GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-28 20:18:32
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9500325AS rev.0011LVM1 465,76GB
Running: gmer.exe; Driver: C:\Users\Admin\AppData\Local\Temp\kwtoypoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800027ee000 45 bytes [00, 00, 15, 02, 46, 69, 6C, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800027ee02f 18 bytes [00, 00, 00, 00, 00, 00, 00, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960000d3f00 7 bytes [80, 9D, F3, FF, 01, A9, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960000d3f08 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 00000000770913e1 7 bytes JMP 0000000174441e90
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 00000000770ab1d3 5 bytes JMP 0000000174441da0
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000771288b4 7 bytes JMP 0000000174441d90
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 0000000077128939 5 bytes JMP 0000000174441e80
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 0000000077128c8f 5 bytes JMP 0000000174441e10
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077021d1b 5 bytes JMP 0000000174442450
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077021dc9 5 bytes JMP 00000001744424b0
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077022aa4 5 bytes JMP 0000000174442520
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077022d0a 5 bytes JMP 0000000174442620
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 00000000759be96b 5 bytes JMP 0000000174441a00
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 00000000759beba5 5 bytes JMP 0000000174441a90
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 0000000075af5ea5 5 bytes JMP 0000000174441ce0
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000075b29d0b 5 bytes JMP 0000000174441c70
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 00000000758c1465 2 bytes [8C, 75]
.text C:\Program Files (x86)\Steam\Steam.exe[2792] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000758c14bb 2 bytes [8C, 75]
.text ... * 2
.text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000758c1465 2 bytes [8C, 75]
.text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[3000] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758c14bb 2 bytes [8C, 75]
.text ... * 2
.text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000758c1465 2 bytes [8C, 75]
.text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758c14bb 2 bytes [8C, 75]
.text ... * 2
.text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000758c1465 2 bytes [8C, 75]
.text C:\Program Files (x86)\Steam\bin\steamwebhelper.exe[2476] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000758c14bb 2 bytes [8C, 75]
.text ... * 2

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\c01885a86ad9 (not active ControlSet)
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c01885a86ad9
Reg HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\c01885a86ad9 (not active ControlSet)
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.cda\UserChoice@Progid WMP11.AssocFile.CDA
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.shtml\UserChoice@Progid ChromeHTML
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmd\UserChoice@Progid WMP11.AssocFile.WMD
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wms\UserChoice@Progid WMP11.AssocFile.WMS
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.wmz\UserChoice@Progid WMP11.AssocFile.WMZ
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xht\UserChoice@Progid ChromeHTML
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.xhtml\UserChoice@Progid ChromeHTML

---- EOF - GMER 2.1 ----