GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-08 22:29:45
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST932032 rev.0003 298,09GB
Running: 23bg20cd.exe; Driver: C:\Users\Ania\AppData\Local\Temp\aftcqaog.sys


---- System - GMER 2.1 ----

SSDT  8EC64B56  ZwCreateSection
SSDT  8EC64B60  ZwRequestWaitReplyPort
SSDT  8EC64B5B  ZwSetContextThread
SSDT  8EC64B65  ZwSetSecurityObject
SSDT  8EC64B6A  ZwSystemDebugControl
SSDT  8EC64AF7  ZwTerminateProcess

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 142D  83488A15 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  834C2212 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11F7  834C958C 4 Bytes  [56, 4B, C6, 8E]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1553  834C98E8 4 Bytes  [60, 4B, C6, 8E]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1597  834C992C 4 Bytes  [5B, 4B, C6, 8E]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1613  834C99A8 4 Bytes  [65, 4B, C6, 8E]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1667  834C99FC 4 Bytes  [6A, 4B, C6, 8E]
.text  ...
.sptd1  C:\windows\System32\Drivers\sptd.sys  entry point in ".sptd1" section [0x893BC346]

---- User code sections - GMER 2.1 ----

?  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[1884]  C:\windows\SYSTEM32\ntdll.dll  time/date stamp mismatch;
.text  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[1884] ntdll.dll!NtProtectVirtualMemory  77465F58 5 Bytes  JMP 698F1986 C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\ushata.dll
?  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[1884]  C:\windows\system32\kernel32.dll  time/date stamp mismatch; unknown module: KERNELBASE.dll
.text  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[1884] user32.dll!NotifyWinEvent + 6AE  7704D66C 4 Bytes  [F0, 28, 8F, 69]
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2128] kernel32.dll!K32GetDeviceDriverBaseNameW + 5D  76B294E6 7 Bytes  JMP 645A84D6 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2128] kernel32.dll!QueryPerformanceCounter + 13  76B2C4E5 7 Bytes  JMP 645A84F9 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2128] kernel32.dll!LoadAppInitDlls + 355  76B2F5A6 7 Bytes  JMP 63C23A32 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2128] GDI32.dll!GetViewportOrgEx + 26C  76F0884B 7 Bytes  JMP 645A8457 C:\Program Files\Mozilla Firefox\xul.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2128] GDI32.dll!D3DKMTQueryAdapterInfo  76F0CB76 5 Bytes  JMP 735219D0 C:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrap.dll
.text  C:\Program Files\Mozilla Firefox\firefox.exe[2128] GDI32.dll!D3DKMTGetDisplayModeList  76F0F338 5 Bytes  JMP 73521950 C:\Program Files\NVIDIA Corporation\CoProcManager\nvd3d9wrap.dll
?  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[3760]  C:\windows\SYSTEM32\ntdll.dll  time/date stamp mismatch;
.text  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[3760] ntdll.dll!NtProtectVirtualMemory  77465F58 5 Bytes  JMP 698F1986 C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\ushata.dll
?  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[3760]  C:\windows\system32\kernel32.dll  time/date stamp mismatch; unknown module: KERNELBASE.dll
.text  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[3760] user32.dll!NotifyWinEvent + 6AE  7704D66C 4 Bytes  [F0, 28, 8F, 69]

---- Devices - GMER 2.1 ----

Device  \FileSystem\Ntfs \Ntfs  862FE1F8
Device  \FileSystem\fastfat \FatCdrom  871761F8

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1  Wdf01000.sys

Device  \Driver\NetBT \Device\NetBT_Tcpip_{E95378FF-3EE0-4906-86CD-5502B304ECA3}  86EDE1F8
Device  \Driver\usbuhci \Device\USBPDO-0  870721F8
Device  \Driver\usbuhci \Device\USBPDO-1  870721F8
Device  \Driver\usbuhci \Device\USBPDO-2  870721F8
Device  \Driver\usbuhci \Device\USBPDO-3  870721F8
Device  \Driver\usbehci \Device\USBPDO-4  87097430
Device  \Driver\iaStor \Device\Ide\iaStor0  [89657360] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\iaStor \Device\Ide\IAAStorageDevice-0  [89657360] \SystemRoot\system32\DRIVERS\iaStor.sys[unknown section] {MOV EDX, [ESP+0x8]; LEA ECX, [ESP+0x4]; PUSH EAX; MOV EAX, ESP; PUSH EAX}
Device  \Driver\NetBT \Device\NetBt_Wins_Export  86EDE1F8
Device  \Driver\usbuhci \Device\USBFDO-0  870721F8
Device  \Driver\usbuhci \Device\USBFDO-1  870721F8
Device  \Driver\usbuhci \Device\USBFDO-2  870721F8
Device  \Driver\usbuhci \Device\USBFDO-3  870721F8
Device  \Driver\NetBT \Device\NetBT_Tcpip_{D6A98296-B886-4F99-9C9B-8301488177B0}  86EDE1F8
Device  \Driver\usbehci \Device\USBFDO-4  87097430
Device  \FileSystem\fastfat \Fat  871761F8

AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c4bd612d43b
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dc7ea17
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x59 0x57 0xED 0xFB ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c4bd612d43b (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dc7ea17 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x59 0x57 0xED 0xFB ...
Reg  HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{D18F2437-4BAC-11E0-91BA-806E6F6E6963}  10812299360
Reg  HKLM\SOFTWARE\Microsoft\Windows Search\UsnNotifier\Windows\Catalogs\SystemIndex@{D18F2438-4BAC-11E0-91BA-806E6F6E6963}  3570200
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intel® Matrix Storage Manager\Intel® Matrix Storage Console.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel® Matrix Storage Manager\Intel® Matrix Storage Console.lnk  1

---- EOF - GMER 2.1 ----