GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-05-30 15:28:13 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST964042 rev.0001 596,17GB Running: xyc2o4tp.exe; Driver: C:\Users\Asus\AppData\Local\Temp\kftcqaoc.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff80003206000 45 bytes [00, 00, 0C, 02, 45, 74, 77, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff8000320602f 16 bytes [00, F0, 78, EB, 0B, 80, FA, ...] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1776] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075d487b1 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1776] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1776] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2648] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 .text C:\Windows\AsScrPro.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text C:\Windows\AsScrPro.exe[3560] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 .text C:\Program Files (x86)\blueconnect\blueconnect.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text C:\Program Files (x86)\blueconnect\blueconnect.exe[4228] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[1276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[1276] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 ? C:\Windows\system32\mssprxy.dll [1276] entry point in ".rdata" section 00000000741671e6 .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000774af991 7 bytes {MOV EDX, 0x897e28; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000774afbd5 7 bytes {MOV EDX, 0x897e68; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000774afc05 7 bytes {MOV EDX, 0x897da8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000774afc1d 7 bytes {MOV EDX, 0x897d28; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000774afc35 7 bytes {MOV EDX, 0x897f28; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000774afc65 7 bytes {MOV EDX, 0x897f68; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000774afce5 7 bytes {MOV EDX, 0x897ee8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000774afcfd 7 bytes {MOV EDX, 0x897ea8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000774afd49 7 bytes {MOV EDX, 0x897c68; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000774afe41 7 bytes {MOV EDX, 0x897ca8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000774b0099 7 bytes {MOV EDX, 0x897c28; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000774b10a5 7 bytes {MOV EDX, 0x897de8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000774b111d 7 bytes {MOV EDX, 0x897d68; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000774b1321 7 bytes {MOV EDX, 0x897ce8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[184] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000774af991 7 bytes {MOV EDX, 0xe1d628; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000774afbd5 7 bytes {MOV EDX, 0xe1d668; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000774afc05 7 bytes {MOV EDX, 0xe1d5a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000774afc1d 7 bytes {MOV EDX, 0xe1d528; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000774afc35 7 bytes {MOV EDX, 0xe1d728; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000774afc65 7 bytes {MOV EDX, 0xe1d768; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000774afce5 7 bytes {MOV EDX, 0xe1d6e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000774afcfd 7 bytes {MOV EDX, 0xe1d6a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000774afd49 7 bytes {MOV EDX, 0xe1d468; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000774afe41 7 bytes {MOV EDX, 0xe1d4a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000774b0099 7 bytes {MOV EDX, 0xe1d428; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000774b10a5 7 bytes {MOV EDX, 0xe1d5e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000774b111d 7 bytes {MOV EDX, 0xe1d568; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000774b1321 7 bytes {MOV EDX, 0xe1d4e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[2324] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 00000000774af991 7 bytes {MOV EDX, 0xdc5628; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 00000000774afbd5 7 bytes {MOV EDX, 0xdc5668; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 00000000774afc05 7 bytes {MOV EDX, 0xdc55a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 00000000774afc1d 7 bytes {MOV EDX, 0xdc5528; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 00000000774afc35 7 bytes {MOV EDX, 0xdc5728; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 00000000774afc65 7 bytes {MOV EDX, 0xdc5768; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 00000000774afce5 7 bytes {MOV EDX, 0xdc56e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 00000000774afcfd 7 bytes {MOV EDX, 0xdc56a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 00000000774afd49 7 bytes {MOV EDX, 0xdc5468; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 00000000774afe41 7 bytes {MOV EDX, 0xdc54a8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 00000000774b0099 7 bytes {MOV EDX, 0xdc5428; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000774b10a5 7 bytes {MOV EDX, 0xdc55e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 00000000774b111d 7 bytes {MOV EDX, 0xdc5568; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 00000000774b1321 7 bytes {MOV EDX, 0xdc54e8; JMP RDX} .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076ed1465 2 bytes [ED, 76] .text C:\Users\Asus\AppData\Local\Google\Chrome\Application\chrome.exe[4892] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076ed14bb 2 bytes [ED, 76] .text ... * 2 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[msvcrt.dll!free] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[msvcrt.dll!malloc] [1005] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_unlock] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[msvcrt.dll!__dllonexit] [100b] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[msvcrt.dll!??3@YAXPEAX@Z] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_amsg_exit] [100a] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[msvcrt.dll!??_V@YAXPEAX@Z] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_purecall] [1006] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[msvcrt.dll!memset] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[msvcrt.dll!memcpy] [1007] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_lock] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[msvcrt.dll!_onexit] [1040] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[ntdll.dll!RtlLookupFunctionEntry] [1048] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[ntdll.dll!RtlSubAuthoritySid] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[ntdll.dll!RtlInitializeSid] [1047] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[ntdll.dll!RtlInitUnicodeString] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[ntdll.dll!RtlMapGenericMask] [1008] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!DisableThreadLibraryCalls] [1fff] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetLastError] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!LocalFree] [101e] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetProcAddress] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!LoadLibraryExA] [101f] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!Sleep] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!QueryPerformanceCounter] [100c] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetCurrentThreadId] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetCurrentProcessId] [4010] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!TerminateProcess] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetCurrentProcess] [4011] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!CompareStringW] [4002] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!CreateFileW] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!ExpandEnvironmentStringsW] [4012] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!lstrcmpiW] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetComputerNameW] [4003] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!ReadFile] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!GetFileSize] [4013] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!SystemTimeToFileTime] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!FileTimeToSystemTime] [4016] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!SystemTimeToTzSpecificLocalTime] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!ResetEvent] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!CreateEventW] [4005] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!RegOpenKeyExW] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!RegCloseKey] [400b] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!RegQueryInfoKeyW] [0] IAT C:\Windows\Explorer.EXE[2872] @ C:\Windows\System32\shacct.dll[KERNEL32.dll!RegEnumValueW] [400e] ---- Threads - GMER 2.1 ---- Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4624:1344] 000007fefb4c2a7c ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\485d60f44796 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch 5158 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 4590 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\485d60f44796 (not active ControlSet) ---- EOF - GMER 2.1 ----