GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-01 13:16:51 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.D005 465.76GB Running: m57g1hli.exe; Driver: C:\Users\Kamil\AppData\Local\Temp\awrdykob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\system32\DRIVERS\USBPORT.SYS!DllUnload fffff88004828d64 12 bytes {MOV RAX, 0xfffffa800ac7f2a0; JMP RAX} ---- User code sections - GMER 2.1 ---- ? C:\Windows\system32\mssprxy.dll [2552] entry point in ".rdata" section 000000006c5e71e6 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\system32\mfevtps.exe[2964] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13fd1b9f0] C:\Windows\system32\mfevtps.exe ---- Devices - GMER 2.1 ---- Device \Driver\a5sl84nj \Device\Scsi\a5sl84nj1Port1Path0Target0Lun0 fffffa800af662c0 Device \Driver\a5sl84nj \Device\Scsi\a5sl84nj1 fffffa800af662c0 Device \FileSystem\Ntfs \Ntfs fffffa8007cb52c0 Device \FileSystem\fastfat \Fat fffffa800c4152c0 Device \Driver\usbehci \Device\USBPDO-1 fffffa800ac7d2c0 Device \Driver\cdrom \Device\CdRom0 fffffa800aad02c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{49105622-E8F9-469B-8328-C121070F0F6C} fffffa800abb62c0 Device \Driver\cdrom \Device\CdRom1 fffffa800aad02c0 Device \Driver\usbehci \Device\USBFDO-0 fffffa800ac7d2c0 Device \Driver\dtsoftbus01 \Device\DTSoftBusCtl fffffa800afac2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{B88A5B4D-272A-46A8-98A2-02069F2F7640} fffffa800abb62c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{976DFCA7-FB17-415B-BD69-43147D97A48C} fffffa800abb62c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{15582C87-1A85-4BDC-97BD-61270E0D4861} fffffa800abb62c0 Device \Driver\usbehci \Device\USBFDO-1 fffffa800ac7d2c0 Device \Driver\NetBT \Device\NetBT_Tcpip_{4B187065-1DBA-4722-B9A1-112AF8F89A94} fffffa800abb62c0 Device \Driver\NetBT \Device\NetBt_Wins_Export fffffa800abb62c0 Device \Driver\usbehci \Device\USBPDO-0 fffffa800ac7d2c0 Device \Driver\a5sl84nj \Device\ScsiPort1 fffffa800af662c0 ---- Modules - GMER 2.1 ---- Module \SystemRoot\System32\Drivers\a5sl84nj.SYS fffff8800479b000-fffff880047ec000 (331776 bytes) ---- Threads - GMER 2.1 ---- Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3732:3880] 000000006ba9f1dc Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3732:4020] 000000006ba9f1dc Thread C:\Program Files (x86)\Microsoft Application Virtualization Client\sftlist.exe [3732:4024] 000000006ba955d3 Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [4608:2128] 0000000069de473d Thread C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE [4608:4508] 0000000069df5ced ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{59985BA5-46F0-42F9-B50C-1FA4AA4E833D}\Connection@Name isatap.{4B187065-1DBA-4722-B9A1-112AF8F89A94} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{8CF86112-CD9A-4804-AFAC-C72F9549DA36}?\Device\{96C0106B-8A75-4B00-9089-578633911299}?\Device\{BBDE861C-EF5A-47CF-B44D-9AB65C8DE2B3}?\Device\{59985BA5-46F0-42F9-B50C-1FA4AA4E833D}?\Device\{3BD5DDC5-5D34-4A6D-94E2-1860D24CECAB}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{8CF86112-CD9A-4804-AFAC-C72F9549DA36}"?"{96C0106B-8A75-4B00-9089-578633911299}"?"{BBDE861C-EF5A-47CF-B44D-9AB65C8DE2B3}"?"{59985BA5-46F0-42F9-B50C-1FA4AA4E833D}"?"{3BD5DDC5-5D34-4A6D-94E2-1860D24CECAB}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{8CF86112-CD9A-4804-AFAC-C72F9549DA36}?\Device\TCPIP6TUNNEL_{96C0106B-8A75-4B00-9089-578633911299}?\Device\TCPIP6TUNNEL_{BBDE861C-EF5A-47CF-B44D-9AB65C8DE2B3}?\Device\TCPIP6TUNNEL_{59985BA5-46F0-42F9-B50C-1FA4AA4E833D}?\Device\TCPIP6TUNNEL_{3BD5DDC5-5D34-4A6D-94E2-1860D24CECAB}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00025b00a5a5 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\685d435cd419 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\685d435cd419@0cdfa4174af5 0xDD 0xAD 0xDC 0x7F ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{59985BA5-46F0-42F9-B50C-1FA4AA4E833D}@InterfaceName isatap.{4B187065-1DBA-4722-B9A1-112AF8F89A94} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{59985BA5-46F0-42F9-B50C-1FA4AA4E833D}@ReusableType 0 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00025b00a5a5 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\685d435cd419 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\685d435cd419@0cdfa4174af5 0xDD 0xAD 0xDC 0x7F ... ---- EOF - GMER 2.1 ----