GMER 2.1.19355 - http://www.gmer.net
Rootkit scan 2014-01-25 16:12:18
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB
Running: uw5xilhh.exe; Driver: C:\Users\Kinga\AppData\Local\Temp\kxtiiaob.sys


---- Kernel code sections - GMER 2.1 ----

INITKDBG  C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528  fffff800047fe000 45 bytes [00, 00, 10, 02, 4E, 74, 66, ...]
INITKDBG  C:\windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575  fffff800047fe02f 29 bytes [00, 01, 00, 06, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1672]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ce1465 2 bytes [CE, 75]
.text  C:\Program Files (x86)\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1672]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ce14bb 2 bytes [CE, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2012\avp.exe[1716]  C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory  0000000077da0038 5 bytes JMP 000000016ac91765
.text  C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3432]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ce1465 2 bytes [CE, 75]
.text  C:\Program Files (x86)\Plus Internet\Plus Internet.exe[3432]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ce14bb 2 bytes [CE, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[3852]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ce1465 2 bytes [CE, 75]
.text  C:\Program Files (x86)\SAMSUNG\EasySpeedUpManager\EasySpeedUpManager.exe[3852]  C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ce14bb 2 bytes [CE, 75]
.text  ...  * 2

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!wctomb]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!iswctype]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!wcstombs]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!realloc]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!__badioinfo]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_read]  [1]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_fileno]  [18f4d40]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_isatty]  [ffffffff]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!ungetc]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_iob]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!localeconv]  [fa0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!isxdigit]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!isleadbyte]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!__mb_cur_max]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!mbtowc]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!isdigit]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!calloc]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_CxxThrowException]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!memset]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!memcpy]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!??1type_info@@UEAA@XZ]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_onexit]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_lock]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!__dllonexit]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_unlock]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!?terminate@@YAXXZ]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_amsg_exit]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_initterm]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_XcptFilter]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_resetstkoflw]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!?_set_se_translator@@YAP6AXIPEAU_EXCEPTION_POINTERS@@@ZP6AXI0@Z@Z]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_errno]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!__CxxFrameHandler]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_purecall]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_vsnwprintf]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!malloc]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!free]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!__pioinfo]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!_wfopen]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!fread]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!ftell]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!fseek]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!fclose]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!wcschr]  [4a7160]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!strncmp]  [54fb10]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[msvcrt.dll!memmove]  [4c5320]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!FlushFileBuffers]  [7feeae1a638]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!WriteFile]  [7feeae1a6c0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!SetFilePointer]  [7feeae1a6cc]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!SetUnhandledExceptionFilter]  [7feeae1a6d8]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!UnhandledExceptionFilter]  [7feeae1a6e4]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!GetCurrentProcess]  [7feeae1a6f0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!TerminateProcess]  [7feeae1a6fc]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!GetSystemTimeAsFileTime]  [7feeae1a708]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!GetCurrentProcessId]  [7feeae1a714]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!GetTickCount]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!QueryPerformanceCounter]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!RtlCaptureContext]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!RtlLookupFunctionEntry]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!RtlVirtualUnwind]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!OutputDebugStringA]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!GetModuleFileNameW]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!GetCurrentThreadId]  [19d3bd0dbf40]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!GetLocalTime]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!FormatMessageW]  [4ad2c0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!Sleep]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!VirtualProtect]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!DelayLoadFailureHook]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!LoadLibraryExA]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!LocalFree]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!CloseHandle]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!LockResource]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!CreateFileMappingW]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!DisableThreadLibraryCalls]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!GetProcAddress]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!SetLastError]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!GetLastError]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!CreateFileW]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!SizeofResource]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!InitializeCriticalSectionAndSpinCount]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!LoadLibraryW]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!LoadResource]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!FreeLibrary]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!FindResourceW]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!UnmapViewOfFile]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!MapViewOfFile]  [0]
IAT  C:\windows\system32\SearchIndexer.exe[2812] @ C:\windows\System32\NLSData0003.dll[KERNEL32.dll!GetFileSize]  [0]

---- Threads - GMER 2.1 ----

Thread  C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [424:2692]  0000000075cc7587
Thread  C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [424:1500]  0000000071b47712
Thread  C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [424:2976]  0000000077dd2e65
Thread  C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [424:928]  0000000077dd3e85
Thread  C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [424:2788]  0000000077dd3e85
Thread  C:\windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [424:5000]  0000000077dd3e85

---- Processes - GMER 2.1 ----

Library  C:\Users\Kinga\AppData\Roaming\GG\ggdrive\ggdrive-menu.dll (*** suspicious ***) @ C:\windows\Explorer.EXE [2716]  000000005ff80000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\4cedde049834 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet001\services\BTHPORT\Parameters\Keys\4cedde049834@1814569234d9  0xEF 0x38 0x09 0xEB ...
Reg  HKLM\SYSTEM\ControlSet001\services\LanmanServer\Linkage@Bind
Reg  HKLM\SYSTEM\ControlSet001\services\LanmanServer\Linkage@Route
Reg  HKLM\SYSTEM\ControlSet001\services\LanmanServer\Linkage@Export
Reg  HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage@Route
Reg  HKLM\SYSTEM\ControlSet001\services\LanmanWorkstation\Linkage@Export
Reg  HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\4cedde049834 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet003\services\BTHPORT\Parameters\Keys\4cedde049834@1814569234d9  0xEF 0x38 0x09 0xEB ...
Reg  HKLM\SYSTEM\ControlSet003\services\LanmanServer\Linkage@Bind