GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-29 11:49:33 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 596,17GB Running: d0oow127.exe; Driver: C:\Users\LUCAS\AppData\Local\Temp\kgtiapow.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\SysWOW64\PnkBstrA.exe[2808] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000725c17fa 2 bytes CALL 767711a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2808] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 00000000725c1860 2 bytes CALL 767711a9 C:\Windows\syswow64\kernel32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2808] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 00000000725c1942 2 bytes JMP 76117089 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\SysWOW64\PnkBstrA.exe[2808] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 00000000725c194d 2 bytes JMP 7611cba6 C:\Windows\syswow64\WS2_32.dll .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey 000000007720dad0 5 bytes [48, B8, 90, 2A, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKey + 8 000000007720dad8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey 000000007720db80 5 bytes [48, B8, C8, 2A, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKey + 8 000000007720db88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 000000007720dce0 5 bytes [48, B8, A4, 25, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 000000007720dce8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 000000007720dd20 5 bytes [48, B8, 18, 23, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection + 8 000000007720dd28 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 000000007720dd80 5 bytes [48, B8, A4, 27, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 000000007720dd88 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 000000007720ddb0 5 bytes [48, B8, 68, 1C, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent + 8 000000007720ddb8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 000000007720de30 5 bytes [48, B8, 44, 1B, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 8 000000007720de38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 000000007720de50 5 bytes [48, B8, D4, 21, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection + 8 000000007720de58 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 000000007720de90 5 bytes [48, B8, 54, 2C, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread + 8 000000007720de98 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 000000007720df00 5 bytes [48, B8, 40, 23, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 000000007720df08 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject 000000007720df30 5 bytes [48, B8, 1C, 1B, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenDirectoryObject + 8 000000007720df38 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 000000007720e320 5 bytes [48, B8, 74, 29, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 8 000000007720e328 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent 000000007720e360 5 bytes [48, B8, 90, 1C, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateKeyedEvent + 8 000000007720e368 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 000000007720e380 5 bytes [48, B8, D4, 1D, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant + 8 000000007720e388 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile 000000007720e390 5 bytes [48, B8, 04, 24, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateNamedPipeFile + 8 000000007720e398 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 000000007720e410 5 bytes [48, B8, 44, 1F, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore + 8 000000007720e418 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 000000007720e440 5 bytes [48, B8, 90, 20, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer + 8 000000007720e448 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile 000000007720e500 5 bytes [48, B8, E8, 26, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteFile + 8 000000007720e508 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 000000007720e8e0 5 bytes [48, B8, 90, 2A, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion + 8 000000007720e8e8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx 000000007720e900 5 bytes [48, B8, 20, 2C, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyEx + 8 000000007720e908 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent 000000007720e930 5 bytes [48, B8, AC, 1D, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenKeyedEvent + 8 000000007720e938 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 000000007720e940 5 bytes [48, B8, 1C, 1F, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant + 8 000000007720e948 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 000000007720e990 5 bytes [48, B8, 68, 20, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore + 8 000000007720e998 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject 000000007720e9b0 5 bytes [48, B8, F8, 1A, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSymbolicLinkObject + 8 000000007720e9b8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 000000007720e9d0 5 bytes [48, B8, AC, 21, 21] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer + 8 000000007720e9d8 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 000000007720eb10 6 bytes [48, B8, 8C, 28, 21, 00] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 000000007720eb18 4 bytes {ADD [RAX], AL; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\system32\kernel32.dll!CompareStringA 0000000076fb0820 5 bytes JMP 0000000176f90d96 .text C:\Windows\system32\conhost.exe[8172] C:\Windows\system32\kernel32.dll!CreateThread 0000000076fb5aa0 5 bytes JMP 0000000176f90d57 .text C:\Windows\system32\conhost.exe[8172] C:\Windows\system32\kernel32.dll!CreateProcessInternalW 0000000076fbdb10 12 bytes {MOV RAX, 0x212d74; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\system32\kernel32.dll!CreateProcessW + 1 0000000076fc0671 8 bytes [B8, 08, 2D, 21, 00, 00, 00, ...] .text C:\Windows\system32\conhost.exe[8172] C:\Windows\system32\kernel32.dll!CreateProcessW + 10 0000000076fc067a 2 bytes {JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefecf74a0 5 bytes JMP 000007fffecc0fd9 .text C:\Windows\system32\conhost.exe[8172] C:\Windows\system32\SSPICLI.DLL!FreeCredentialsHandle 000007fefcd81d90 12 bytes {MOV RAX, 0x212e94; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\system32\SSPICLI.DLL!AcquireCredentialsHandleA 000007fefcd95444 12 bytes {MOV RAX, 0x212df4; JMP RAX} .text C:\Windows\system32\conhost.exe[8172] C:\Windows\system32\winmm.dll!PlaySoundW 000007fefaf82144 5 bytes JMP 000007fffaf70f93 .text C:\Windows\system32\conhost.exe[8172] C:\Windows\system32\winmm.dll!waveOutOpen 000007fefaf838d0 5 bytes JMP 000007fffaf70f53 .text C:\Windows\system32\conhost.exe[8172] C:\Windows\system32\winmm.dll!PlaySound 000007fefafa2f10 5 bytes JMP 000007fffaf70fd9 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7feeffe741c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7feeffe5f10] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7feeffe5674] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7feeffe5e2c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7feeffe7f48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7feeffe6a38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7feeffe6ee8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7feeffe7b58] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7feeffe7ea0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7feeffe78b0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7feeffe4fb4] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7feeffe5d38] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[3548] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7feeffe7584] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [1284:1436] 000007fefa698274 Thread C:\Windows\system32\svchost.exe [1284:2512] 000007fefa698274 Thread C:\Windows\System32\spoolsv.exe [1688:2364] 000007fef7e010c8 Thread C:\Windows\System32\spoolsv.exe [1688:2372] 000007fef7dc6144 Thread C:\Windows\System32\spoolsv.exe [1688:2376] 000007fef7bb5fd0 Thread C:\Windows\System32\spoolsv.exe [1688:2380] 000007fef7ba3438 Thread C:\Windows\System32\spoolsv.exe [1688:2384] 000007fef7bb63ec Thread C:\Windows\System32\spoolsv.exe [1688:2392] 000007fef7e85e5c Thread C:\Windows\System32\spoolsv.exe [1688:2396] 000007fef7f15074 Thread C:\Windows\system32\svchost.exe [1836:1892] 000007fefc981a70 Thread C:\Windows\system32\svchost.exe [1836:1900] 000007fefc981a70 Thread C:\Windows\system32\svchost.exe [1836:1916] 000007fefc981a70 Thread C:\Windows\system32\svchost.exe [1836:1924] 000007fef9282c70 Thread C:\Windows\system32\svchost.exe [1836:1960] 000007fef928fb40 Thread C:\Windows\system32\svchost.exe [1836:1988] 000007fef92a1d20 Thread C:\Windows\system32\svchost.exe [1836:1992] 000007fef928f6f0 Thread C:\Windows\system32\svchost.exe [1836:2024] 000007fef89935c0 Thread C:\Windows\system32\svchost.exe [1836:3612] 000007fef8995600 Thread C:\Windows\system32\svchost.exe [1836:3436] 000007feedb82940 Thread C:\Windows\system32\svchost.exe [1836:3376] 000007feedb32888 Thread C:\Windows\system32\taskhost.exe [2516:2564] 000007fef7a52740 Thread C:\Windows\system32\taskhost.exe [2516:2576] 000007fefaf81010 Thread C:\Windows\system32\taskhost.exe [2516:2664] 000007fef7821f38 Thread C:\Windows\system32\taskhost.exe [2516:2976] 000007fef7105170 Thread C:\Windows\Explorer.EXE [2652:2932] 0000000002719840 Thread C:\Windows\Explorer.EXE [2652:2936] 0000000002719840 Thread C:\Windows\Explorer.EXE [2652:2940] 0000000002719840 Thread C:\Windows\Explorer.EXE [2652:2944] 0000000002719840 Thread C:\Windows\Explorer.EXE [2652:2948] 0000000002719840 Thread C:\Windows\Explorer.EXE [2652:2952] 0000000002719840 Thread C:\Windows\Explorer.EXE [2652:2956] 0000000002719840 Thread C:\Windows\Explorer.EXE [2652:4936] 0000000002719840 Thread C:\Windows\System32\svchost.exe [1676:6084] 000007feee2a9688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3140:5004] 000007fefb4f2ae8 Thread C:\Windows\system32\conhost.exe [8172:8184] 0000000000216ba0 Thread C:\Windows\system32\conhost.exe [8172:8188] 00000000000a0238 Thread C:\Windows\system32\conhost.exe [8172:4968] 00000000000a33ec Thread C:\Windows\system32\dllhost.exe [7012:6448] 00000000002a1420 Thread C:\Windows\system32\dllhost.exe [7012:5416] 000000000004ee78 Thread C:\Windows\system32\dllhost.exe [7012:7828] 000000000005202c Thread C:\Windows\system32\cmd.exe [8068:8040] 0000000001c7ee00 Thread C:\Windows\system32\cmd.exe [8068:7964] 000000000008f3f8 Thread C:\Windows\system32\cmd.exe [8068:8160] 00000000000925ac Thread C:\Windows\system32\PresentationHost.exe [8148:7988] 0000000000be7520 Thread C:\Windows\system32\PresentationHost.exe [8148:7984] 00000000000bf9f8 Thread C:\Windows\system32\PresentationHost.exe [8148:7484] 00000000000c2bac ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\WMI\GlobalLogger@FileName C:\ProgramData\Intel\SUR\WILLAMETTE\IntelData\temp\2015_11_29__03_31_19_boot.etl Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395f9fb22 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395f9fb22 (not active ControlSet) ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- Files - GMER 2.1 ---- File C:\Users\LUCAS\AppData\Local\Microsoft\Windows\WebCache\V01001E0.log 524288 bytes File C:\Users\LUCAS\AppData\Local\Microsoft\Windows\WebCache\V01001E1.log 524288 bytes ---- EOF - GMER 2.1 ----