GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-07-31 18:27:56 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006e ST932032 rev.0003 298,09GB Running: 63wtzbw7.exe; Driver: C:\Users\Maja\AppData\Local\Temp\kftciaog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 560 fffff800033b0000 45 bytes [01, 10, 9C, 15, A0, F8, FF, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 607 fffff800033b002f 16 bytes [00, 00, 30, 3C, 05, A0, F8, ...] ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1904] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076e387b1 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1904] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076721465 2 bytes [72, 76] .text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1904] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 00000000767214bb 2 bytes [72, 76] .text ... * 2 .text C:\Windows\AsScrPro.exe[3180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076721465 2 bytes [72, 76] .text C:\Windows\AsScrPro.exe[3180] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767214bb 2 bytes [72, 76] .text ... * 2 .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076721465 2 bytes [72, 76] .text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[4504] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767214bb 2 bytes [72, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076721465 2 bytes [72, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1300] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767214bb 2 bytes [72, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007734f991 7 bytes {MOV EDX, 0xcd8a28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007734fbd5 7 bytes {MOV EDX, 0xcd8a68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007734fc05 7 bytes {MOV EDX, 0xcd89a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007734fc1d 7 bytes {MOV EDX, 0xcd8928; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007734fc35 7 bytes {MOV EDX, 0xcd8b28; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007734fc65 7 bytes {MOV EDX, 0xcd8b68; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007734fce5 7 bytes {MOV EDX, 0xcd8ae8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007734fcfd 7 bytes {MOV EDX, 0xcd8aa8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007734fd49 7 bytes {MOV EDX, 0xcd8868; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007734fe41 7 bytes {MOV EDX, 0xcd88a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077350099 7 bytes {MOV EDX, 0xcd8828; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773510a5 7 bytes {MOV EDX, 0xcd89e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007735111d 7 bytes {MOV EDX, 0xcd8968; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077351321 7 bytes {MOV EDX, 0xcd88e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076721465 2 bytes [72, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3836] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767214bb 2 bytes [72, 76] .text ... * 2 .text C:\Users\Maja\Desktop\OTL.exe[4624] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000076721465 2 bytes [72, 76] .text C:\Users\Maja\Desktop\OTL.exe[4624] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 00000000767214bb 2 bytes [72, 76] .text ... * 2 .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5 000000007734f991 7 bytes {MOV EDX, 0x1e5628; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5 000000007734fbd5 7 bytes {MOV EDX, 0x1e5668; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5 000000007734fc05 7 bytes {MOV EDX, 0x1e55a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5 000000007734fc1d 7 bytes {MOV EDX, 0x1e5528; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5 000000007734fc35 7 bytes {MOV EDX, 0x1e5728; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5 000000007734fc65 7 bytes {MOV EDX, 0x1e5768; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5 000000007734fce5 7 bytes {MOV EDX, 0x1e56e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5 000000007734fcfd 7 bytes {MOV EDX, 0x1e56a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5 000000007734fd49 7 bytes {MOV EDX, 0x1e5468; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5 000000007734fe41 7 bytes {MOV EDX, 0x1e54a8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5 0000000077350099 7 bytes {MOV EDX, 0x1e5428; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5 00000000773510a5 7 bytes {MOV EDX, 0x1e55e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5 000000007735111d 7 bytes {MOV EDX, 0x1e5568; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5 0000000077351321 7 bytes {MOV EDX, 0x1e54e8; JMP RDX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076721465 2 bytes [72, 76] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5140] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000767214bb 2 bytes [72, 76] .text ... * 2 ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\spoolsv.exe [1440:2540] 000007fef81a10c8 Thread C:\Windows\System32\spoolsv.exe [1440:2552] 000007fef8176144 Thread C:\Windows\System32\spoolsv.exe [1440:2556] 000007fef7f65fd0 Thread C:\Windows\System32\spoolsv.exe [1440:2560] 000007fef7f53438 Thread C:\Windows\System32\spoolsv.exe [1440:2564] 000007fef7f663ec Thread C:\Windows\System32\spoolsv.exe [1440:2572] 000007fef8c25e5c Thread C:\Windows\System32\spoolsv.exe [1440:2576] 000007fef8ce5074 Thread C:\Windows\Explorer.EXE [2196:1588] 000007fefbca6204 Thread C:\Windows\Explorer.EXE [2196:3588] 000007fef2552118 Thread C:\Windows\Explorer.EXE [2196:4120] 000007fef2872154 Thread C:\Windows\Explorer.EXE [2196:4864] 000007fef295a3f8 Thread C:\Windows\Explorer.EXE [2196:2444] 000007fef9642f9c Thread C:\Windows\Explorer.EXE [2196:212] 000007fef9642f9c Thread C:\Windows\Explorer.EXE [2196:4124] 000007fef9642f9c Thread C:\Windows\Explorer.EXE [2196:4340] 000007feede4f5bc Thread C:\Windows\Explorer.EXE [2196:3044] 000007fef8e91010 Thread C:\Windows\Explorer.EXE [2196:5776] 000007fee91b0b38 Thread C:\Windows\System32\svchost.exe [188:5920] 000007fef3639688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5500:5968] 000007fefb252a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5500:5976] 000007fee547d618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [5500:3888] 000007fef82d5124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a@0017d540785d 0xC9 0x1F 0x3C 0x84 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a@30392675319a 0xB4 0xEE 0x6A 0xD8 ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a03d0a@0017003adabf 0x20 0xC9 0xF8 0xC2 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a@0017d540785d 0xC9 0x1F 0x3C 0x84 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a@30392675319a 0xB4 0xEE 0x6A 0xD8 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a03d0a@0017003adabf 0x20 0xC9 0xF8 0xC2 ...