GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-04-28 17:09:20 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD32 rev.01.0 298,09GB Running: 8dcij93w.exe; Driver: C:\Users\User\AppData\Local\Temp\aftcaaob.sys ---- System - GMER 2.1 ---- SSDT 8838EB80 ZwCreateKey SSDT 88392AE0 ZwCreateMutant SSDT 8838D680 ZwCreateProcess SSDT 8838D980 ZwCreateProcessEx SSDT 88392EA0 ZwCreateSymbolicLinkObject SSDT 88392420 ZwCreateThread SSDT 88392600 ZwCreateThreadEx SSDT 8838DC80 ZwCreateUserProcess SSDT 8838F180 ZwDeleteKey SSDT 8838FA80 ZwDeleteValueKey SSDT 88393080 ZwDuplicateObject SSDT 883927E0 ZwLoadDriver SSDT 8838DF80 ZwOpenProcess SSDT 8838FFC0 ZwOpenSection SSDT 8838E280 ZwOpenThread SSDT 8838F480 ZwRenameKey SSDT 8838F780 ZwRestoreKey SSDT 88392CC0 ZwSetSystemInformation SSDT 8838EE80 ZwSetValueKey SSDT 8838E580 ZwTerminateProcess SSDT 8838E880 ZwTerminateThread SSDT 88392240 ZwWriteVirtualMemory ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwRequestWaitReplyPort + 1499 820859F5 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 820BF992 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 11BF 820C6CA4 4 Bytes [80, EB, 38, 88] .text ntkrnlpa.exe!KeRemoveQueueEx + 11CF 820C6CB4 4 Bytes [E0, 2A, 39, 88] .text ntkrnlpa.exe!KeRemoveQueueEx + 11E3 820C6CC8 8 Bytes [80, D6, 38, 88, 80, D9, 38, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 11FF 820C6CE4 12 Bytes [A0, 2E, 39, 88, 20, 24, 39, ...] .text ntkrnlpa.exe!KeRemoveQueueEx + 121B 820C6D00 4 Bytes [80, DC, 38, 88] .text ... ---- Devices - GMER 2.1 ---- AttachedDevice \FileSystem\Ntfs \Ntfs eamon.sys AttachedDevice \Driver\tdx \Device\Tcp epfwtdir.sys AttachedDevice \Driver\tdx \Device\Tcp tmtdi.sys AttachedDevice \Driver\tdx \Device\Udp tmtdi.sys AttachedDevice \FileSystem\fastfat \Fat fltmgr.sys AttachedDevice \FileSystem\fastfat \Fat eamon.sys ---- Threads - GMER 2.1 ---- Thread System [4:964] A8710F2E ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 1910 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{8D2A50E5-D19C-4D8B-A562-52647AE1C944}@LeaseObtainedTime 1430231696 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{8D2A50E5-D19C-4D8B-A562-52647AE1C944}@T1 1430274896 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{8D2A50E5-D19C-4D8B-A562-52647AE1C944}@T2 1430307296 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{8D2A50E5-D19C-4D8B-A562-52647AE1C944}@LeaseTerminatesTime 1430318096 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet) Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\ExpressGateUtil\VAWinService.exe 0x99 0x4F 0x53 0x82 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x6D 0x68 0xCB 0x83 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\User\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\VVU13524\FRST.exe 0x11 0x1D 0xDD 0x2D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\explorer.exe 0x83 0xB4 0x00 0xF9 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0x86 0xBB 0x03 0xB0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0xAE 0x0E 0x7F 0xBF ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x3C 0xED 0x5D 0x78 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\rundll32.exe 0x71 0x59 0x9C 0xF5 ... Reg HKLM\SOFTWARE\Microsoft\Windows Search\Gather\Windows\SystemIndex@NewClientID 33 ---- EOF - GMER 2.1 ----