GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-25 19:49:00
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB
Running: crqflztg.exe; Driver: C:\Users\kuba\AppData\Local\Temp\fwtcaaog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files\AVAST Software\Avast\AvastUI.exe[6460] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076328769 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\mfevtps.exe[2308] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13f80c0c0] C:\Windows\system32\mfevtps.exe

---- Threads - GMER 2.1 ----

Thread C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [1588:1540] 00000000727533b4
Thread C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [1588:1532] 00000000727bf600
Thread C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [1588:3528] 000000007267bbbb
Thread C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [1588:3536] 0000000072713256
Thread C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [1588:3584] 00000000727bf600
Thread C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [1588:3620] 00000000727bf600
Thread C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [1588:3624] 00000000727bf600
Thread C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [1588:3736] 00000000727bf600
Thread C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe [1588:3860] 00000000727bf600
Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3016:3320] 000000006bff68d8
Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3016:3444] 000000006bff68d8
Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3016:3448] 000000006bfece79
Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3016:4992] 000000006bff68d8
Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [4056:4944] 00000000775fd854
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:2132] 0000000077c4f470
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:2148] 000007fefddaa808
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:2100] 0000000077c4a810
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:5840] 0000000077c4f470
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:6352] 000007feff990168
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:6448] 000007fefbec2ae8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:6456] 000007feebba5648
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:6528] 000007feff556e60
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:6532] 000007feff556e60
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:6656] 0000000077c4f470
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:7064] 0000000077c4f470
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:6824] 000007fef8a55124
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6036:8064] 000007feff990168
Thread [3552:6240] 000000006111aadf
Thread [3552:4540] 00000000611064c2
Thread [3552:3748] 0000000077e627c1
Thread [3552:6976] 0000000077e4c557
Thread [3552:6980] 00000000611064c2
Thread [3552:6624] 00000000611064c2
Thread [3552:1800] 00000000611064c2
Thread [2468:5040] 0000000077e4c557
Thread [2468:2868] 0000000077e627c1
Thread [2468:4988] 0000000077397587
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:336] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:6128] 00000000775fd854
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:5980] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:4692] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:5484] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:6028] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:3872] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:4336] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:5456] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:4276] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:6500] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:4472] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:748] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:1472] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:6860] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [2032:6268] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:2000] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:3516] 00000000775fd854
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:6744] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:4968] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:7108] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:2340] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:6604] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:1504] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:2800] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:5188] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:2216] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:7052] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:4152] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:5332] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:5668] 0000000058a24a70
Thread C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE [6116:924] 0000000058a24a70

---- Processes - GMER 2.1 ----

Process C:\Users\kuba\Desktop\crqflztg.exe (*** suspicious ***) @ C:\Users\kuba\Desktop\crqflztg.exe [5068](2015-08-25 17:28:41) 0000000000400000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\3859f9f9524f
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\3859f9f9524f@08edb9d90648 0xB5 0xB3 0xF2 0xE0 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\3859f9f9524f (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\3859f9f9524f@08edb9d90648 0xB5 0xB3 0xF2 0xE0 ...

---- EOF - GMER 2.1 ----