GMER 2.0.18444 - http://www.gmer.net
Rootkit scan 2013-01-27 16:57:59
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GN00 698,64GB
Running: 4zqs8zzo.exe; Driver: C:\Users\Grzegorz\AppData\Local\Temp\pwdorkog.sys

---- User code sections - GMER 2.0 ----

.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077621401 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077621419 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077621431 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007762144a 2 bytes [62, 77]
.text ... * 9
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000776214dd 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000776214f5 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007762150d 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077621525 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007762153d 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077621555 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007762156d 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077621585 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007762159d 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000776215b5 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000776215cd 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000776216b2 2 bytes [62, 77]
.text C:\Program Files (x86)\NTI\Acer Backup Manager\IScheduleSvc.exe[2060] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000776216bd 2 bytes [62, 77]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 00000000733317fa 2 bytes [33, 73]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000073331860 2 bytes [33, 73]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000073331942 2 bytes [33, 73]
.text C:\Windows\SysWOW64\PnkBstrA.exe[2212] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 000000007333194d 2 bytes [33, 73]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000077621401 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000077621419 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000077621431 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007762144a 2 bytes [62, 77]
.text ... * 9
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000776214dd 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000776214f5 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 000000007762150d 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000077621525 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 000000007762153d 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000077621555 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 000000007762156d 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000077621585 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 000000007762159d 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000776215b5 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000776215cd 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000776216b2 2 bytes [62, 77]
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3232] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000776216bd 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExW + 17 0000000077621401 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!EnumProcessModules + 17 0000000077621419 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 17 0000000077621431 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 42 000000007762144a 2 bytes [62, 77]
.text ... * 9
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!EnumDeviceDrivers + 17 00000000776214dd 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameA + 17 00000000776214f5 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSetEx + 17 000000007762150d 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!GetDeviceDriverBaseNameW + 17 0000000077621525 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameW + 17 000000007762153d 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!EnumProcesses + 17 0000000077621555 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!GetProcessMemoryInfo + 17 000000007762156d 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!GetPerformanceInfo + 17 0000000077621585 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!QueryWorkingSet + 17 000000007762159d 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!GetModuleBaseNameA + 17 00000000776215b5 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!GetModuleFileNameExA + 17 00000000776215cd 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 20 00000000776216b2 2 bytes [62, 77]
.text C:\Users\Grzegorz\Desktop\OTL.exe[7052] C:\Windows\syswow64\PSAPI.dll!GetProcessImageFileNameW + 31 00000000776216bd 2 bytes [62, 77]

---- User IAT/EAT - GMER 2.0 ----

IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId] [7fef83f2750] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId] [7fef83f2b98] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId] [7fef83f7de0] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId] [7fef83f8130] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId] [7fef83f1908] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession] [7fef83f1c00] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload] [7fef83f81d8] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet] [7fef83f2878] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString] [7fef83f7a5c] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmIncrement] [7fef83f6c48] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord] [7fef83f77bc] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion] [7fef83f7064] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession] [7fef83f6544] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[2812] @ C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession] [7fef83f5e30] C:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Threads - GMER 2.0 ----

Thread C:\Windows\SysWOW64\ntdll.dll [2876:2880] 0000000065c0dea0
Thread C:\Windows\SysWOW64\ntdll.dll [2876:2412] 0000000066f31f1f
Thread C:\Windows\SysWOW64\ntdll.dll [2876:2124] 0000000066f31f1f
Thread C:\Windows\SysWOW64\ntdll.dll [2876:2144] 0000000066f31f1f
Thread C:\Windows\SysWOW64\ntdll.dll [2876:3096] 0000000066f31f1f
Thread C:\Windows\SysWOW64\ntdll.dll [2876:3100] 0000000066f31f1f
Thread C:\Windows\SysWOW64\ntdll.dll [2876:3104] 0000000066f31f1f
Thread C:\Windows\SysWOW64\ntdll.dll [2876:3416] 00000000713d52c9
Thread C:\Windows\SysWOW64\ntdll.dll [2876:3424] 00000000713d52c9
Thread C:\Windows\SysWOW64\ntdll.dll [2876:3524] 0000000066f31f1f
Thread C:\Windows\SysWOW64\ntdll.dll [2876:3540] 0000000066f31f1f
Thread C:\Windows\SysWOW64\ntdll.dll [2876:3548] 0000000066f31f1f
Thread C:\Windows\SysWOW64\ntdll.dll [2876:3552] 0000000066f31f1f
Thread C:\Windows\SysWOW64\ntdll.dll [2876:3560] 0000000066f31f1f
Thread C:\Windows\SysWOW64\ntdll.dll [2876:3568] 0000000066a653b7
Thread C:\Windows\SysWOW64\ntdll.dll [2876:3572] 0000000066a653b7
Thread C:\Windows\SysWOW64\ntdll.dll [2876:4024] 0000000066f31f1f
Thread C:\Windows\SysWOW64\ntdll.dll [2876:6900] 0000000072f662ee

---- Processes - GMER 2.0 ----

Library ? (*** suspicious ***) @ C:\Windows\SysWOW64\ntdll.dll [2876] 0000000070fc0000

---- Registry - GMER 2.0 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ccaf78f7f2f1
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ccaf78f7f2f1@7005140cd538 0x22 0xCA 0x93 0xD8 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\ccaf78f7f2f1@58c38bb9c3fb 0x25 0xE1 0xCC 0x59 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 8862
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ccaf78f7f2f1 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ccaf78f7f2f1@7005140cd538 0x22 0xCA 0x93 0xD8 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\ccaf78f7f2f1@58c38bb9c3fb 0x25 0xE1 0xCC 0x59 ...

---- EOF - GMER 2.0 ----