GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-23 16:02:43 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 SAMSUNG_ rev.2AJ1 298,09GB Running: gmer.exe; Driver: C:\Users\adam\AppData\Local\Temp\aftcqaow.sys ---- User code sections - GMER 2.1 ---- ? C:\Windows\system32\mssprxy.dll [2056] entry point in ".rdata" section 00000000735971e6 .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c21465 2 bytes [C2, 76] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[2820] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c214bb 2 bytes [C2, 76] .text ... * 2 .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c21465 2 bytes [C2, 76] .text C:\Program Files (x86)\AskPartnerNetwork\Toolbar\Updater\TBNotifier.exe[3128] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c214bb 2 bytes [C2, 76] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076b38b9a 5 bytes JMP 00000001728d8177 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 0000000076b52a3e 5 bytes JMP 0000000172a01fe8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000076b52a62 5 bytes JMP 00000001727f4b97 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000076b7cc1a 5 bytes JMP 0000000172a01f85 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 0000000076b7cf72 5 bytes JMP 0000000172a0204b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000076b8fd61 5 bytes JMP 0000000172a01f1a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000076b8fe2d 5 bytes JMP 0000000172a01eaf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b8fe66 5 bytes JMP 0000000172a01e4d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b8fe8a 5 bytes JMP 0000000172a01deb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076c99404 5 bytes JMP 0000000172a02b5c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c21465 2 bytes [C2, 76] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c214bb 2 bytes [C2, 76] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll!PropertySheetW 00000000741f7c30 5 bytes JMP 0000000172a0351a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll!PropertySheet 0000000074297bb2 5 bytes JMP 0000000172a035bb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[5052] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000769f9a4c 5 bytes JMP 0000000172a02c8e ? C:\Windows\system32\mssprxy.dll [5052] entry point in ".rdata" section 00000000735971e6 ? C:\Windows\System32\NLSData0000.dll [5052] entry point in ".rdata" section 000000006e59c541 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076b38b9a 5 bytes JMP 00000001728d8177 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b506b3 5 bytes JMP 000000017288464b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 0000000076b52a3e 5 bytes JMP 0000000172a01fe8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000076b52a62 5 bytes JMP 00000001727f4b97 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076b5f006 5 bytes JMP 00000001728c9d5c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076b60efc 5 bytes JMP 00000001728e83a2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000076b7cc1a 5 bytes JMP 0000000172a01f85 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 0000000076b7cf72 5 bytes JMP 0000000172a0204b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000076b8fd61 5 bytes JMP 0000000172a01f1a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000076b8fe2d 5 bytes JMP 0000000172a01eaf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b8fe66 5 bytes JMP 0000000172a01e4d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b8fe8a 5 bytes JMP 0000000172a01deb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076e25bf6 5 bytes JMP 0000000172a02346 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076e7590c 5 bytes JMP 00000001728d8c65 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076c33e59 5 bytes JMP 0000000172a023ae .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076c33eae 5 bytes JMP 0000000172a02f28 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076c34731 5 bytes JMP 0000000172a02e8e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076c35dee 5 bytes JMP 0000000172a02ed9 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076c99404 5 bytes JMP 0000000172a02b5c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c21465 2 bytes [C2, 76] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c214bb 2 bytes [C2, 76] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll!PropertySheetW 00000000741f7c30 5 bytes JMP 0000000172a0351a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll!PropertySheet 0000000074297bb2 5 bytes JMP 0000000172a035bb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[1456] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000769f9a4c 5 bytes JMP 0000000172a02c8e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\USER32.dll!CreateWindowExW 0000000076b38b9a 5 bytes JMP 00000001728d8177 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\USER32.dll!SetWindowsHookExW 0000000076b506b3 5 bytes JMP 000000017288464b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamW 0000000076b52a3e 5 bytes JMP 0000000172a01fe8 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\USER32.dll!DialogBoxParamW 0000000076b52a62 5 bytes JMP 00000001727f4b97 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\USER32.dll!CallNextHookEx 0000000076b5f006 5 bytes JMP 00000001728c9d5c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\USER32.dll!UnhookWindowsHookEx 0000000076b60efc 5 bytes JMP 00000001728e83a2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\USER32.dll!DialogBoxParamA 0000000076b7cc1a 5 bytes JMP 0000000172a01f85 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\USER32.dll!DialogBoxIndirectParamA 0000000076b7cf72 5 bytes JMP 0000000172a0204b .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectA 0000000076b8fd61 5 bytes JMP 0000000172a01f1a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\USER32.dll!MessageBoxIndirectW 0000000076b8fe2d 5 bytes JMP 0000000172a01eaf .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\USER32.dll!MessageBoxExA 0000000076b8fe66 5 bytes JMP 0000000172a01e4d .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\USER32.dll!MessageBoxExW 0000000076b8fe8a 5 bytes JMP 0000000172a01deb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000076e25bf6 5 bytes JMP 0000000172a02346 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\ole32.dll!CoCreateInstance 0000000076e7590c 5 bytes JMP 00000001728d8c65 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 0000000076c33e59 5 bytes JMP 0000000172a023ae .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 0000000076c33eae 5 bytes JMP 0000000172a02f28 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 0000000076c34731 5 bytes JMP 0000000172a02e8e .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 0000000076c35dee 5 bytes JMP 0000000172a02ed9 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\OLEAUT32.dll!OleCreatePropertyFrameIndirect 0000000076c99404 5 bytes JMP 0000000172a02b5c .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076c21465 2 bytes [C2, 76] .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076c214bb 2 bytes [C2, 76] .text ... * 2 .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll!PropertySheetW 00000000741f7c30 5 bytes JMP 0000000172a0351a .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\WinSxS\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7600.16661_none_420fe3fa2b8113bd\comctl32.dll!PropertySheet 0000000074297bb2 5 bytes JMP 0000000172a035bb .text C:\Program Files (x86)\Internet Explorer\iexplore.exe[3836] C:\Windows\syswow64\comdlg32.dll!PageSetupDlgW 00000000769f9a4c 5 bytes JMP 0000000172a02c8e ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ??????????X?????????????????? ???????????????????n???????? ????? ???????????????????????????????? ??????????????????????????? ????????????????????????????$????????f????1.9??.???????b????????????????????????????????6???????????h?????????????????????????????????????????????????????? ???????n???????????n?4??????