GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-09 16:57:28
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0003 465,76GB
Running: 9cbcebwh.exe; Driver: C:\Users\DOMOWY\AppData\Local\Temp\axdiikoc.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074ca1401 2 bytes JMP 765cb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074ca1419 2 bytes JMP 765cb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074ca1431 2 bytes JMP 76648ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074ca144a 2 bytes CALL 765a48ad C:\Windows\syswow64\kernel32.dll
.text  ... * 9
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000074ca14dd 2 bytes JMP 766487a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000074ca14f5 2 bytes JMP 76648978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000074ca150d 2 bytes JMP 76648698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000074ca1525 2 bytes JMP 76648a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000074ca153d 2 bytes JMP 765bfca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000074ca1555 2 bytes JMP 765c68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000074ca156d 2 bytes JMP 76648f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000074ca1585 2 bytes JMP 76648ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000074ca159d 2 bytes JMP 7664865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000074ca15b5 2 bytes JMP 765bfd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000074ca15cd 2 bytes JMP 765cb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000074ca16b2 2 bytes JMP 76648e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000074ca16bd 2 bytes JMP 766485f1 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread  C:\Program Files\Windows Media Player\wmpnetwk.exe [5208:6048]  000007fefb302bf8

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{EFE816F8-B806-476E-B431-3F8B49537B0F}\Connection@Name  isatap.{CDEB7645-9454-4F62-8FD1-CCA2639CA311}
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind  \Device\{20798A86-078D-4BD0-ADB0-A48E8D5ECA90}?\Device\{EFE816F8-B806-476E-B431-3F8B49537B0F}?\Device\{A2175604-1EA0-4CF3-86E5-ADE249CB5654}?\Device\{130B4FF9-6FCF-4B5C-B7DD-DAF35B6D2705}?\Device\{FFA5BD9F-263B-4A87-A2D7-B8925F2B8B22}?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route  "{20798A86-078D-4BD0-ADB0-A48E8D5ECA90}"?"{EFE816F8-B806-476E-B431-3F8B49537B0F}"?"{A2175604-1EA0-4CF3-86E5-ADE249CB5654}"?"{130B4FF9-6FCF-4B5C-B7DD-DAF35B6D2705}"?"{FFA5BD9F-263B-4A87-A2D7-B8925F2B8B22}"?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export  \Device\TCPIP6TUNNEL_{20798A86-078D-4BD0-ADB0-A48E8D5ECA90}?\Device\TCPIP6TUNNEL_{EFE816F8-B806-476E-B431-3F8B49537B0F}?\Device\TCPIP6TUNNEL_{A2175604-1EA0-4CF3-86E5-ADE249CB5654}?\Device\TCPIP6TUNNEL_{130B4FF9-6FCF-4B5C-B7DD-DAF35B6D2705}?\Device\TCPIP6TUNNEL_{FFA5BD9F-263B-4A87-A2D7-B8925F2B8B22}?
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a0f7fe
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a0f7fe@6c5f1c06c2a6  0xF7 0xA4 0x5E 0xB8 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a0f7fe@d487d807ed7a  0x58 0xE4 0x82 0xD0 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{EFE816F8-B806-476E-B431-3F8B49537B0F}@InterfaceName  isatap.{CDEB7645-9454-4F62-8FD1-CCA2639CA311}
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{EFE816F8-B806-476E-B431-3F8B49537B0F}@ReusableType  0
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a0f7fe (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a0f7fe@6c5f1c06c2a6  0xF7 0xA4 0x5E 0xB8 ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a0f7fe@d487d807ed7a  0x58 0xE4 0x82 0xD0 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0EEFB371-14B9-323E-29F9-F1469DE2890E}
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0EEFB371-14B9-323E-29F9-F1469DE2890E}@hambogkljabkoihi  0x6B 0x61 0x63 0x69 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0EEFB371-14B9-323E-29F9-F1469DE2890E}@iagcffmglaoendgbhn  0x6B 0x61 0x63 0x69 ...

---- EOF - GMER 2.1 ----
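The "User code sections" entries in this log follow a fixed record layout: section, process path with PID in brackets, hooked module and export with a byte offset, the address of the patch, its length, the instruction found there (JMP or CALL), the target address and the module that owns the target. The entries listed here all share one shape: a PSAPI.DLL export in a 32-bit (syswow64) process jumping two bytes into syswow64\kernel32.dll, which is what GMER reports for every WoW64 process on Windows 7 x64, where the 32-bit psapi.dll forwards into the K32* implementations inside kernel32. The following Python example is added here and is not part of the log above nor of GMER itself: it parses entries of this format into structured records and applies that triage heuristic. The first four sample lines are copied from the log; the last one is constructed (hypothetical process, PID, module and target path) to show an entry that does not fit the pattern. The verdict is a triage aid for reading the log, not proof that nothing in the process is hooked.

```python
import re
from collections import Counter
from pathlib import PureWindowsPath

# One GMER 2.1 "User code sections" record. GMER separates fields with runs of
# whitespace, so every separator is matched with \s+.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>[^!]+?)!(?P<export>\w+)\s+\+\s+(?P<offset>\d+)\s+"
    r"(?P<address>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+bytes\s+"
    r"(?P<instr>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)\s+(?P<target_module>.+?)\s*$"
)

# Sample input: first four lines copied from the log above, last line constructed
# (hypothetical notepad.exe PID 4120 and hypothetical unknown.dll target).
SAMPLE_LOG = [
    r".text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000074ca1401 2 bytes JMP 765cb21b C:\Windows\syswow64\kernel32.dll",
    r".text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000074ca1419 2 bytes JMP 765cb346 C:\Windows\syswow64\kernel32.dll",
    r".text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000074ca1431 2 bytes JMP 76648ea9 C:\Windows\syswow64\kernel32.dll",
    r".text  C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2076] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000074ca144a 2 bytes CALL 765a48ad C:\Windows\syswow64\kernel32.dll",
    r".text  ... * 9",
    r".text  C:\Windows\syswow64\notepad.exe[4120] C:\Windows\syswow64\ntdll.dll!NtQueryDirectoryFile + 0  0000000077a9f5a4 5 bytes JMP 10001000 C:\Users\DOMOWY\AppData\Local\Temp\unknown.dll",
]


def parse_hook(line):
    """Return a dict for one hook record, or None for headers, elisions and other lines."""
    m = HOOK_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    for key in ("pid", "offset", "size"):
        rec[key] = int(rec[key])
    for key in ("address", "target"):
        rec[key] = int(rec[key], 16)
    return rec


def _base(path):
    return PureWindowsPath(path).name.lower()


def _dir(path):
    return PureWindowsPath(path).parent.name.lower()


def classify(rec):
    """Triage heuristic: separate the WoW64 PSAPI forwarding stubs from everything else."""
    mod, tgt = _base(rec["module"]), _base(rec["target_module"])
    if (mod == "psapi.dll" and tgt == "kernel32.dll" and rec["size"] == 2
            and _dir(rec["module"]) == "syswow64" and _dir(rec["target_module"]) == "syswow64"):
        return "wow64-forwarder"      # expected on Win7 x64 for every 32-bit process
    if mod == tgt:
        return "intra-module"         # patch stays inside the hooked module
    return "cross-module"             # export redirected into another module: inspect


def triage(lines):
    """Count verdicts per (process basename, pid, verdict) over an iterable of log lines."""
    counts = Counter()
    for line in lines:
        rec = parse_hook(line)
        if rec is not None:
            proc = rec["process"].split("\\")[-1]
            counts[(proc, rec["pid"], classify(rec))] += 1
    return counts


if __name__ == "__main__":
    for (proc, pid, verdict), n in sorted(triage(SAMPLE_LOG).items()):
        print(f"{proc}[{pid}]: {n} x {verdict}")
```

Anything that lands in the cross-module bucket, or a forwarder whose target module is not the expected kernel32.dll, is what deserves a manual look at the target address; the elided ".text ... * 9" line is skipped by the parser rather than guessed at, since GMER does not print the records it folds.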