GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-04-06 15:52:41 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: o0lyeu6m.exe; Driver: C:\Users\Monika\AppData\Local\Temp\awrdrpog.sys ---- Kernel code sections - GMER 2.1 ---- INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 681 fffff800033f6099 9 bytes [83, FA, 20, 4C, 8B, 9C, 24, ...] INITKDBG C:\Windows\system32\ntoskrnl.exe!ExDeleteNPagedLookasideList + 692 fffff800033f60a4 37 bytes {JBE 0xfffffffffffffa0c; MOV ECX, 0xffffffffc00000ff; CALL 0xfffffffffff6a740} ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\services.exe[704] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\lsass.exe[724] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\winlogon.exe[812] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[876] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[968] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[384] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\svchost.exe[528] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[620] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[476] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\IDT\WDM\STacSV64.exe[472] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[1224] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\atieclxx.exe[1280] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\Dell\DW WLAN Card\WLTRYSVC.EXE[1324] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\WLANExt.exe[1332] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\conhost.exe[1340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\Dell\DW WLAN Card\bcmwltry.exe[1368] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\System32\spoolsv.exe[1820] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\Explorer.EXE[1076] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[2364] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\Dell DataSafe Local Backup\Components\DSUpdate\DSUpd.exe[2736] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\conhost.exe[2748] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[3028] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eca2ba 1 byte [62] .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[3028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075621465 2 bytes [62, 75] .text C:\Program Files (x86)\Dell DataSafe Local Backup\sftservice.EXE[3028] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756214bb 2 bytes [62, 75] .text ... * 2 .text C:\Program Files (x86)\Dell DataSafe Local Backup\Toaster.exe[2520] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075eca2ba 1 byte [62] .text C:\Program Files\Dell\QuickSet\quickset.exe[2968] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\IDT\WDM\sttray64.exe[3024] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[552] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\Dell\DW WLAN Card\WLTRAY.EXE[2328] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\WINDOWS\WindowsMobile\wmdcBase.exe[2300] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe[3156] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075eca2ba 1 byte [62] .text C:\Program Files (x86)\Dell Webcam\Dell Webcam Central\WebcamDell2.exe[3200] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eca2ba 1 byte [62] .text C:\Program Files (x86)\Roxio\Roxio Burn\RoxioBurnLauncher.exe[3228] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eca2ba 1 byte [62] .text C:\Program Files\AVAST Software\Avast\AvastUI.exe[3308] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eca2ba 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPHelper.exe[3340] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe[3456] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Users\Monika\AppData\Local\Temp\TasksWatch.exe[3300] C:\Windows\SysWOW64\ntdll.dll!DbgBreakPoint 0000000077b6000c 1 byte [C3] .text C:\Users\Monika\AppData\Local\Temp\TasksWatch.exe[3300] C:\Windows\SysWOW64\ntdll.dll!DbgUiRemoteBreakin 0000000077bef8ea 5 bytes JMP 0000000177b9d5c1 .text C:\Users\Monika\AppData\Local\Temp\TasksWatch.exe[3300] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eca2ba 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[4828] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[4180] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\svchost.exe[5784] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BtStackServer.exe[5956] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Program Files\WIDCOMM\Bluetooth Software\BluetoothHeadsetProxy.exe[5892] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eca2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[4276] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000075eca2ba 1 byte [62] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[3832] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eca2ba 1 byte [62] .text C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE[6764] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Windows\system32\AUDIODG.EXE[4548] C:\Windows\System32\kernel32.dll!GetBinaryTypeW + 189 00000000777aeecd 1 byte [62] .text C:\Users\Monika\Downloads\o0lyeu6m.exe[7104] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000075eca2ba 1 byte [62] ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe[2940] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13f15ba40] C:\Program Files\Common Files\McAfee\SystemCore\mfevtps.exe ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [3784:5004] 000007fef4a19688 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{CC3467D5-75BA-475B-92D2-027B26401361}\Connection@Name isatap.{98F50493-8AD7-4F5E-88F6-ACA182746399} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{B11257ED-1B66-42E7-8A92-A75FCDBF7307}?\Device\{F3A34F6C-9F57-4698-B307-975E481C61BA}?\Device\{572653EE-0C43-4359-B309-C5F5FA61B54D}?\Device\{CC3467D5-75BA-475B-92D2-027B26401361}?\Device\{7C730166-B60C-470F-A78E-37D18BCDABE0}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{B11257ED-1B66-42E7-8A92-A75FCDBF7307}"?"{F3A34F6C-9F57-4698-B307-975E481C61BA}"?"{572653EE-0C43-4359-B309-C5F5FA61B54D}"?"{CC3467D5-75BA-475B-92D2-027B26401361}"?"{7C730166-B60C-470F-A78E-37D18BCDABE0}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{B11257ED-1B66-42E7-8A92-A75FCDBF7307}?\Device\TCPIP6TUNNEL_{F3A34F6C-9F57-4698-B307-975E481C61BA}?\Device\TCPIP6TUNNEL_{572653EE-0C43-4359-B309-C5F5FA61B54D}?\Device\TCPIP6TUNNEL_{CC3467D5-75BA-475B-92D2-027B26401361}?\Device\TCPIP6TUNNEL_{7C730166-B60C-470F-A78E-37D18BCDABE0}? Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\5cac4cf03eda Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\5cac4cf03eda@90c1150a0213 0xA7 0x3F 0x0E 0x41 ... Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{CC3467D5-75BA-475B-92D2-027B26401361}@InterfaceName isatap.{98F50493-8AD7-4F5E-88F6-ACA182746399} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{CC3467D5-75BA-475B-92D2-027B26401361}@ReusableType 0 Reg HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch 2406 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\5cac4cf03eda (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\5cac4cf03eda@90c1150a0213 0xA7 0x3F 0x0E 0x41 ... ---- EOF - GMER 2.1 ----