GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-08-18 21:51:07 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950042 rev.D005 465,76GB Running: kkfqrnp5.exe; Driver: C:\Users\Part\AppData\Local\Temp\kxlirpow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076d61401 2 bytes JMP 76dfb20b C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076d61419 2 bytes JMP 76dfb336 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076d61431 2 bytes JMP 76e78f39 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000076d6144a 2 bytes CALL 76dd4885 C:\Windows\syswow64\kernel32.dll .text ... * 9 .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000076d614dd 2 bytes JMP 76e78832 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076d614f5 2 bytes JMP 76e78a08 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000076d6150d 2 bytes JMP 76e78728 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076d61525 2 bytes JMP 76e78af2 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000076d6153d 2 bytes JMP 76defc98 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076d61555 2 bytes JMP 76df68df C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000076d6156d 2 bytes JMP 76e78ff1 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076d61585 2 bytes JMP 76e78b52 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000076d6159d 2 bytes JMP 76e786ec C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000076d615b5 2 bytes JMP 76defd31 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000076d615cd 2 bytes JMP 76dfb2cc C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000076d616b2 2 bytes JMP 76e78eb4 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe[2372] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000076d616bd 2 bytes JMP 76e78681 C:\Windows\syswow64\kernel32.dll .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2480] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 00000000778c000c 1 byte [C3] .text C:\Program Files (x86)\Samsung\Kies\External\FirmwareUpdate\KiesPDLR.exe[2480] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 000000007794fbaa 5 bytes JMP 0000000177909c63 .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3260] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076dd8769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [1488:2528] 000007fef52abd70 Thread C:\Windows\system32\svchost.exe [1488:4616] 000007fef6c75170 Thread C:\Windows\system32\svchost.exe [1488:576] 000007fef70e5124 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4232:4104] 000007fefb7b2ae8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4232:4560] 000007feed3c5648 Thread C:\Windows\System32\svchost.exe [2696:5948] 000007feec759688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619e3c4bd Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619e3c4bd@0012d2d063a7 0x7D 0xCF 0x7E 0x13 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619e3c4bd@001b59487a19 0xEE 0xF6 0x3C 0x34 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619e3c4bd@8400d26e75ad 0xD5 0x41 0x1B 0x30 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619e3c4bd@08fc889e3493 0x5A 0x8F 0x50 0x88 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619e3c4bd@1c66aac4c727 0xAA 0x4C 0xAE 0x55 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xD5 0x72 0xB8 0x5A ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x21 0x01 0x61 0xF7 ... Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x23 0x62 0x9D 0x9D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619e3c4bd (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619e3c4bd@0012d2d063a7 0x7D 0xCF 0x7E 0x13 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619e3c4bd@001b59487a19 0xEE 0xF6 0x3C 0x34 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619e3c4bd@8400d26e75ad 0xD5 0x41 0x1B 0x30 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619e3c4bd@08fc889e3493 0x5A 0x8F 0x50 0x88 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619e3c4bd@1c66aac4c727 0xAA 0x4C 0xAE 0x55 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 52\ Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0 Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xD5 0x72 0xB8 0x5A ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x21 0x01 0x61 0xF7 ... Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0x23 0x62 0x9D 0x9D ... ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----