GMER 2.1.19355 - http://www.gmer.net
Rootkit scan 2014-01-27 05:11:55
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.JF3O 465,76GB
Running: df5d38k3.exe; Driver: C:\Users\KASIAT~1\AppData\Local\Temp\ugtdqpod.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031eb000 45 bytes [5F, 2C, 00, 00, 00, 00, 00, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 575 fffff800031eb02f 16 bytes [00, 25, 73, 11, 00, 00, 00, ...]

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000772d1465 2 bytes [2D, 77]
.text C:\Program Files (x86)\Malwarebytes' Anti-Malware\mbamservice.exe[2412] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772d14bb 2 bytes [2D, 77]
.text ... * 2
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000772d1465 2 bytes [2D, 77]
.text C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4060] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772d14bb 2 bytes [2D, 77]
.text ... * 2
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[1764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000772d1465 2 bytes [2D, 77]
.text C:\Program Files (x86)\Nero\Nero 10\Nero BackItUp\NBAgent.exe[1764] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772d14bb 2 bytes [2D, 77]
.text ... * 2
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000772d1465 2 bytes [2D, 77]
.text C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe[1656] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772d14bb 2 bytes [2D, 77]
.text ... * 2
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 00000000772d1465 2 bytes [2D, 77]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000772d14bb 2 bytes [2D, 77]
.text ... * 2
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHOpenSocket2 + 33 0000000074671435 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHOpenSocket2 + 59 000000007467144f 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHOpenSocket2 + 425 00000000746715bd 2 bytes [67, 74]
.text ... * 5
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHGetWildcardSockaddr + 136 000000007467169b 2 bytes [67, 74]
.text ... * 4
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHSetSocketInformation + 165 0000000074671813 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHSetSocketInformation + 428 000000007467191a 2 bytes [67, 74]
.text ... * 2
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHGetWinsockMapping + 24 000000007467197f 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHGetWinsockMapping + 35 000000007467198a 2 bytes [67, 74]
.text ... * 3
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHNotify + 18 00000000746719d9 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHNotify + 36 00000000746719eb 2 bytes [67, 74]
.text ... * 2
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHJoinLeaf + 11 0000000074671a16 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHGetWSAProtocolInfo + 30 0000000074671ae5 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHGetWSAProtocolInfo + 51 0000000074671afa 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHGetProviderGuid + 22 0000000074671b31 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHGetProviderGuid + 43 0000000074671b46 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHEnumProtocols + 190 0000000074671ca0 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHEnumProtocols + 245 0000000074671cd7 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHOpenSocket + 46 0000000074671d85 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wship6.dll!WSHOpenSocket + 52 0000000074671d8b 2 bytes [67, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHOpenSocket2 + 33 00000000746c1405 2 bytes [6C, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHOpenSocket2 + 59 00000000746c141f 2 bytes [6C, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHOpenSocket2 + 329 00000000746c152d 2 bytes [6C, 74]
.text ... * 5
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHSetSocketInformation + 78 00000000746c1607 2 bytes [6C, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHSetSocketInformation + 287 00000000746c16d8 2 bytes [6C, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHSetSocketInformation + 457 00000000746c1782 2 bytes [6C, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHGetWinsockMapping + 24 00000000746c1902 2 bytes [6C, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHGetWinsockMapping + 35 00000000746c190d 2 bytes [6C, 74]
.text ... * 3
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHNotify + 18 00000000746c195c 2 bytes [6C, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHNotify + 36 00000000746c196e 2 bytes [6C, 74]
.text ... * 2
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHGetWSAProtocolInfo + 30 00000000746c1a49 2 bytes [6C, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHGetWSAProtocolInfo + 51 00000000746c1a5e 2 bytes [6C, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHGetProviderGuid + 22 00000000746c1a95 2 bytes [6C, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHGetProviderGuid + 43 00000000746c1aaa 2 bytes [6C, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHEnumProtocols + 190 00000000746c1c04 2 bytes [6C, 74]
.text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe[680] C:\Windows\SysWOW64\wshtcpip.dll!WSHEnumProtocols + 245 00000000746c1c3b 2 bytes [6C, 74]

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{220323B5-737B-4C45-B674-A7A063FCFF14}\mpengine.dll (*** suspicious ***) @ C:\Program Files\Microsoft Security Client\MsMpEng.exe [360] (Microsoft Malware Protection Engine/Microsoft Corporation(2014-01-26 17:35:08) 000007fefa1d0000
Library C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{220323B5-737B-4C45-B674-A7A063FCFF14}\offreg.dll (*** suspicious ***) @ C:\Program Files\Microsoft Security Client\MsMpEng.exe [360] (Offline registry DLL/Microsoft Corporation SIGNED)(2014-01-26 22:51:01) 000007fefabd0000
Library C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{44957F1E-B050-4777-B0B2-262777699616}\GapaEngine.dll (*** suspicious ***) @ C:\Program Files\Microsoft Security Client\NisSrv.exe [900] (Dynamic GAPA Engine/Microsoft Corporation SIGNED)(2014-01-26 17:35:14) 000007feeafe0000
Library C:\ProgramData\Kaspersky Lab\AVP9\Bases\pdm.kdl (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe [2824] 00000000706f0000
Library C:\ProgramData\Kaspersky Lab\AVP9\Bases\webav.kdl (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe [2824] 0000000003cf0000
Library C:\ProgramData\Kaspersky Lab\AVP9\Bases\kavbase1390773612.kdl (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe [2824] 0000000004bd0000
Library C:\ProgramData\Kaspersky Lab\AVP9\Bases\klavemu1390773612.kdl (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe [2824] 0000000067c40000
Library C:\ProgramData\Kaspersky Lab\AVP9\Bases\kjim1390773612.kdl (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe [2824] 000000006aad0000
Library C:\ProgramData\Kaspersky Lab\AVP9\Bases\mark1390773612.kdl (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe [2824] 0000000004a30000
Library C:\ProgramData\Kaspersky Lab\AVP9\Bases\vlns1390773612.kdl (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe [2824] 0000000001d50000
Library C:\ProgramData\Kaspersky Lab\AVP9\Bases\qscan1390773612.kdl (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe [2824] 000000006c710000
Library C:\ProgramData\Kaspersky Lab\AVP9\Bases\arkmon1390773612.kdl (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe [2824] 000000006fb10000
Library C:\ProgramData\Kaspersky Lab\AVP9\Bases\kavsys1390773612.kdl (*** suspicious ***) @ C:\Program Files (x86)\Kaspersky Lab\Kaspersky Small Office Security\avp.exe [2824] 0000000007630000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{81887F6E-3E9E-4129-B5D0-F72AF8774F56}\Connection@Name isatap.{C1FDF7E4-3E58-4F32-9E3D-7E51A5F03707}
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{26BF1173-30F3-47BD-A5A9-7487C8D2429A}?\Device\{AE01C7C6-C9B5-403D-9E75-051070F3D796}?\Device\{81887F6E-3E9E-4129-B5D0-F72AF8774F56}?\Device\{25890D11-DAC5-4584-9858-10EE1D6683FA}?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{26BF1173-30F3-47BD-A5A9-7487C8D2429A}"?"{AE01C7C6-C9B5-403D-9E75-051070F3D796}"?"{81887F6E-3E9E-4129-B5D0-F72AF8774F56}"?"{25890D11-DAC5-4584-9858-10EE1D6683FA}"?
Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{26BF1173-30F3-47BD-A5A9-7487C8D2429A}?\Device\TCPIP6TUNNEL_{AE01C7C6-C9B5-403D-9E75-051070F3D796}?\Device\TCPIP6TUNNEL_{81887F6E-3E9E-4129-B5D0-F72AF8774F56}?\Device\TCPIP6TUNNEL_{25890D11-DAC5-4584-9858-10EE1D6683FA}?
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\bc7737e659cd
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{81887F6E-3E9E-4129-B5D0-F72AF8774F56}@InterfaceName isatap.{C1FDF7E4-3E58-4F32-9E3D-7E51A5F03707}
Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{81887F6E-3E9E-4129-B5D0-F72AF8774F56}@ReusableType 0
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\bc7737e659cd (not active ControlSet)

---- EOF - GMER 2.1 ----