GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-02-08 10:01:19
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006b ST932032 rev.0003 298,09GB
Running: 0gb4ww3u.exe; Driver: C:\Users\Karas1\AppData\Local\Temp\kwrdapoc.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 528 fffff800031ef000 47 bytes [88, 00, 00, 00, 00, B8, 01, ...]
INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 576 fffff800031ef030 15 bytes [83, C4, 28, C3, CC, CC, CC, ...]
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000133e00 7 bytes [00, 96, F3, FF, 01, A1, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000133e08 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtWaitForSingleObject 00000000770ff8bc 5 bytes JMP 00000001767c0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtReadFile 00000000770ff8f0 5 bytes JMP 0000000176bf0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtWriteFile 00000000770ff928 5 bytes JMP 0000000176c10000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtClose 00000000770ff9e0 5 bytes JMP 0000000176b70000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryObject 00000000770ff9f8 5 bytes JMP 00000001764c0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationFile 00000000770ffa10 5 bytes JMP 0000000176b90000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtOpenKey 00000000770ffa28 5 bytes JMP 0000000176640000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateValueKey 00000000770ffa40 5 bytes JMP 00000001766e0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryKey 00000000770ffa90 5 bytes JMP 0000000176600000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryValueKey 00000000770ffaa8 5 bytes JMP 00000001765c0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 00000000770ffad8 5 bytes JMP 0000000176440000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateKey 00000000770ffb40 5 bytes JMP 0000000176760000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile 00000000770ffc38 5 bytes JMP 0000000176bb0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 00000000770ffc50 5 bytes JMP 0000000176ab0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection 00000000770ffc80 5 bytes JMP 0000000176a70000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtEnumerateKey 00000000770ffd4c 5 bytes JMP 0000000176700000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile 00000000770ffd64 5 bytes JMP 00000001770d0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryDirectoryFile 00000000770ffd98 5 bytes JMP 0000000176880000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtOpenSection 00000000770ffdc8 5 bytes JMP 0000000176b30000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtFsControlFile 00000000770ffdf8 5 bytes JMP 0000000176800000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtDuplicateObject 00000000770ffe44 5 bytes JMP 0000000176a50000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile 00000000770ffe5c 5 bytes JMP 0000000176af0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile 00000000770fff8c 2 bytes JMP 0000000176a10000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryVolumeInformationFile + 3 00000000770fff8f 2 bytes [91, FF]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection 00000000770fffa4 2 bytes JMP 0000000176b50000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateSection + 3 00000000770fffa7 2 bytes [A5, FF]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile 00000000770fffbc 2 bytes JMP 0000000176820000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtFlushBuffersFile + 3 00000000770fffbf 2 bytes [72, FF]
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQuerySection 0000000077100050 5 bytes JMP 0000000176a90000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile 00000000771000b4 5 bytes JMP 00000001770b0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtWaitForMultipleObjects 0000000077100148 5 bytes JMP 00000001767a0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetValueKey 00000000771001c4 5 bytes JMP 0000000176520000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtAccessCheck 0000000077100228 5 bytes JMP 0000000176400000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtDeleteFile 00000000771009e4 5 bytes JMP 0000000176bd0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtDeleteKey 00000000771009fc 5 bytes JMP 0000000176740000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtDeleteValueKey 0000000077100a44 5 bytes JMP 0000000176720000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtExtendSection 0000000077100b1c 5 bytes JMP 0000000176780000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtFlushKey 0000000077100b80 5 bytes JMP 00000001766c0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtFlushVirtualMemory 0000000077100bb4 5 bytes JMP 0000000176b10000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtLoadKey 0000000077100e0c 5 bytes JMP 00000001766a0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtLoadKey2 0000000077100e24 5 bytes JMP 0000000176680000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtLockFile 0000000077100e54 5 bytes JMP 0000000176860000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeDirectoryFile 0000000077100f58 5 bytes JMP 00000001767e0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtNotifyChangeKey 0000000077100f70 5 bytes JMP 0000000176660000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtOpenKeyEx 0000000077101018 5 bytes JMP 0000000176620000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile 000000007710133c 5 bytes JMP 0000000176a30000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQueryMultipleValueKey 000000007710147c 5 bytes JMP 00000001765e0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtQuerySecurityObject 0000000077101528 5 bytes JMP 0000000176420000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtRenameKey 0000000077101718 5 bytes JMP 00000001764e0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtReplaceKey 0000000077101748 5 bytes JMP 00000001765a0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtRestoreKey 00000000771017e0 5 bytes JMP 0000000176580000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtSaveKey 0000000077101874 5 bytes JMP 0000000176560000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationKey 0000000077101a58 5 bytes JMP 0000000176540000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetSecurityObject 0000000077101b9c 5 bytes JMP 0000000176ad0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtSetVolumeInformationFile 0000000077101c9c 5 bytes JMP 00000001769f0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtUnloadKey 0000000077101e70 5 bytes JMP 0000000176500000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!NtUnlockFile 0000000077101eb8 5 bytes JMP 0000000176840000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!RtlQueryInformationActivationContext 000000007711ba2c 5 bytes JMP 00000001764a0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007711c4dd 5 bytes JMP 0000000176480000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll 0000000077121287 5 bytes JMP 0000000176460000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\syswow64\kernel32.dll!CreateProcessW 0000000074f9103d 5 bytes JMP 0000000174dd0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\syswow64\kernel32.dll!CreateProcessA 0000000074f91072 5 bytes JMP 0000000174df0000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\syswow64\kernel32.dll!CreateActCtxW 0000000074f991e7 5 bytes JMP 0000000174e10000
.text C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe[3092] C:\Windows\syswow64\kernel32.dll!WinExec 0000000075012c51 5 bytes JMP 0000000174db0000

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [4700:1792] 000007feed379688
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092:4176] 00000000008bca30
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092:1624] 00000000008bc3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092:3280] 00000000008bc3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092:1948] 00000000008bc3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092:1536] 00000000008bc3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092:5764] 00000000008bc3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092:268] 00000000008bc3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092:2884] 00000000008bc3c0
Thread C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092:5572] 00000000008bc3c0

---- Processes - GMER 2.1 ----

Library C:\ProgramData\GG\ggdrive\ggdrive-overlay.dll (*** suspicious ***) @ C:\Windows\Explorer.EXE [1756] (GG drive overlay/GG Network S.A.)(2013-08-15 08:03:45) 000000005c080000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2288] 000000006fbc0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2288](2013-07-29 10:21:36) 000000006e940000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2288](2 000000006a1c0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2288](2013-07-29 10:21:36) 000000006ff00000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2288](2013-07-29 10:21:37) 000000006efc0000
Library C:\ProgramData\PLAY ONLINE\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\PLAY ONLINE\OnlineUpdate\ouc.exe [2288](201 000000006ed40000
Process C:\ProgramData\{$1284-9213-2940-1289$}\comhost.exe (*** suspicious ***) @ C:\ProgramData\{$1284-9213-2940-1289$}\comhost.exe [3756](2014-02-06 18:58:36) 0000000001190000
Library C:\ProgramData\{$1284-9213-2940-1289$}\comhost.exe (*** suspicious ***) @ C:\ProgramData\{$1284-9213-2940-1289$}\comhost.exe [3756](2014-02-06 18:58:36) 0000000000400000
Library :\{9019ACD6-BC11-4308-8C49-92E0601DF38D}\temp\3092\bxsdk32.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092] 0000000010000000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\libcurl-4.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092] 0000000070800000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\zlib1.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092] 0000000062e80000
Library C:\Windows\Microsoft.NET\Framework\v2.0.50727\pthreadGC2.dll (*** suspicious ***) @ C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe [3092] 0000000062480000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ?????i??????????????????BTHENUM\{0000111f-0000-1000-8000-00805f9b34fb}_VID&0001000f_PID&0000?BTHENUM\{0000111f-0000-1000-8000-00805f9b34fb}_LOCALMFG&0045???????Urz?dzenie nadawczo-odbiorcze podczerwieni eHome (USBCIR)???Terminal wyj?cia wideo?gra??Terminal transportu no?nika wej?cia wideo???Terminal transportu no?nika wyj?cia wideo???Konwerter wsp??czynnika pr?bkowania?os??Zwi?zany z urz?dzeniem?.dl??Obs?uga interfejsu IAMExtDevice strumienia WDM?ht\??Obs?uga interfejsu IAMTimecodeReader strumienia WDM?Fi??Strona w?a?ciwo?ci DVcrControl?.1.??Obs?uga interfejsu zestawu w?a?ciwo?ci VPE strumienia WDM???Obs?uga interfejsu zestawu w?a?ciwo?ci VPE VBI strumienia WDM???G?o?nik do efekt?w o niskiej cz?stotliwo?ci?\a??Telefon g?o?no m?wi?cy z t?umieniem echa????Telefon g?o?no m?wi?cy z eliminacj? echa?????cie?ka d?wi?kowa cyfrowego wideo 1394???????r?d?o zak??ce? kalibracji poziomu??????????????????????????{00000000-0000-0000-FFFF-FFFFFFFFFFFF}???????????????????????e??er???????????s???????????????4??a4?????????????
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f8dcd8
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f8dcd8@700514b59a75 0x92 0xC8 0xF0 0x1D ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f8dcd8@8c541d6e6539 0xA2 0xD1 0x9F 0xEE ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f8dcd8@00aa704efded 0x17 0x75 0xA5 0xD7 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68f8dcd8@98d6f76c8b2e 0xC5 0x7C 0x89 0x0C ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f8dcd8 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f8dcd8@700514b59a75 0x92 0xC8 0xF0 0x1D ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f8dcd8@8c541d6e6539 0xA2 0xD1 0x9F 0xEE ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f8dcd8@00aa704efded 0x17 0x75 0xA5 0xD7 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68f8dcd8@98d6f76c8b2e 0xC5 0x7C 0x89 0x0C ...

---- EOF - GMER 2.1 ----