GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-06-11 07:03:39
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 ST932032 rev.0003 298,09GB
Running: 23bg20cd.exe; Driver: C:\Users\Ania\AppData\Local\Temp\aftcqaog.sys

---- System - GMER 2.1 ----

SSDT  8E888CBE  ZwCreateSection
SSDT  8E888CC8  ZwRequestWaitReplyPort
SSDT  8E888CC3  ZwSetContextThread
SSDT  8E888CCD  ZwSetSecurityObject
SSDT  8E888CD2  ZwSystemDebugControl
SSDT  8E888C5F  ZwTerminateProcess

---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwRollbackEnlistment + 142D  83478A15 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  834B2212 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11F7  834B958C 4 Bytes  [BE, 8C, 88, 8E]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1553  834B98E8 4 Bytes  [C8, 8C, 88, 8E] {ENTER 0x888c, 0x8e}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1597  834B992C 4 Bytes  [C3, 8C, 88, 8E]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1613  834B99A8 4 Bytes  [CD, 8C, 88, 8E]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1667  834B99FC 4 Bytes  [D2, 8C, 88, 8E]
.text  ...

---- User code sections - GMER 2.1 ----

?      C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[1884]  C:\windows\SYSTEM32\ntdll.dll  time/date stamp mismatch;
.text  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[1884]  ntdll.dll!NtProtectVirtualMemory  77975F58 5 Bytes  JMP 698F1986 C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\ushata.dll
?      C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[1884]  C:\windows\system32\kernel32.dll  time/date stamp mismatch; unknown module: KERNELBASE.dll
.text  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[1884]  user32.dll!NotifyWinEvent + 6AE  75FBD66C 4 Bytes  [F0, 28, 8F, 69]

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\kbdclass \Device\KeyboardClass0  Wdf01000.sys
AttachedDevice  \Driver\kbdclass \Device\KeyboardClass1  Wdf01000.sys
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys

---- Threads - GMER 2.1 ----

Thread  System [4:552]  BC848F2E

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c4bd612d43b
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\74f06dc7ea17
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x59 0x57 0xED 0xFB ...
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c4bd612d43b (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\74f06dc7ea17 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0  0
Reg  HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew  0x59 0x57 0xED 0xFB ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Intel® Matrix Storage Manager\Intel® Matrix Storage Console.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Intel® Matrix Storage Manager\Intel® Matrix Storage Console.lnk  1

---- EOF - GMER 2.1 ----
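A triage helper for reading the log above, added here as an example; it is not part of GMER or of the original post, and the function names are my own. It shows two things a reader of the log can verify mechanically: the five 4-byte modifications GMER reports at KeRemoveQueueEx + 11F7 ... + 1667 decode, little-endian, to exactly the five hook addresses listed under SSDT (8E888CBE, 8E888CC8, 8E888CC3, 8E888CCD, 8E888CD2), so the "Kernel code sections" entries and the "SSDT" entries are two views of the same hooks, with ZwTerminateProcess's slot falling in the elided "..." part of the excerpt; and the user-mode entry for kss.exe is an inline JMP out of ntdll!NtProtectVirtualMemory into ushata.dll, which the helper reports as the target module. The excerpt does not identify which driver owns the 8E88xxxx range; attributing it is the next step of a manual triage, not something this script decides. The sample lines are copied from the log on this page, with its "..." elision kept as-is.

```python
"""Cross-check a GMER log: pair SSDT hook addresses with the 4-byte patches GMER
reports inside ntkrnlpa.exe, and list user-mode inline JMP hooks with the module
they land in. Added example, not GMER's own code; helper names are assumptions."""
import re
import struct

# Constructed from the log on this page; the "..." elision is left exactly as GMER printed it.
SAMPLE_LOG = r"""
SSDT  8E888CBE  ZwCreateSection
SSDT  8E888CC8  ZwRequestWaitReplyPort
SSDT  8E888CC3  ZwSetContextThread
SSDT  8E888CCD  ZwSetSecurityObject
SSDT  8E888CD2  ZwSystemDebugControl
SSDT  8E888C5F  ZwTerminateProcess
.text  ntkrnlpa.exe!ZwRollbackEnlistment + 142D  83478A15 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  834B2212 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 11F7  834B958C 4 Bytes  [BE, 8C, 88, 8E]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1553  834B98E8 4 Bytes  [C8, 8C, 88, 8E] {ENTER 0x888c, 0x8e}
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1597  834B992C 4 Bytes  [C3, 8C, 88, 8E]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1613  834B99A8 4 Bytes  [CD, 8C, 88, 8E]
.text  ntkrnlpa.exe!KeRemoveQueueEx + 1667  834B99FC 4 Bytes  [D2, 8C, 88, 8E]
.text  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\kss.exe[1884]  ntdll.dll!NtProtectVirtualMemory  77975F58 5 Bytes  JMP 698F1986 C:\Program Files\Kaspersky Lab\Kaspersky Security Scan 2.0\ushata.dll
"""

SSDT_RE = re.compile(r"^SSDT\s+([0-9A-Fa-f]{8})\s+(\S+)\s*$")
# "<module!symbol> + <off>  <addr> <n> Byte(s)  [<hex bytes>] {<optional disassembly>}"
PATCH_RE = re.compile(
    r"^\.text\s+(\S+)\s*\+\s*([0-9A-Fa-f]+)\s+([0-9A-Fa-f]{8})\s+(\d+)\s+Bytes?\s+"
    r"\[([^\]]*)\](?:\s*\{([^}]*)\})?"
)
# "<process path>[pid]  <dll!func>  <addr> <n> Bytes  JMP <target> <module path>"
JMP_RE = re.compile(
    r"^\.text\s+(.+?)\[(\d+)\]\s+(\S+)\s+([0-9A-Fa-f]{8})\s+(\d+)\s+Bytes?\s+JMP\s+"
    r"([0-9A-Fa-f]{8})\s+(.+?)\s*$"
)


def _decode_bytes(field):
    """'BE, 8C, 88, 8E' -> (b'\\xbe\\x8c\\x88\\x8e', False); a '...' token marks truncation."""
    tokens = [t.strip() for t in field.split(",") if t.strip()]
    truncated = "..." in tokens
    return bytes(int(t, 16) for t in tokens if t != "..."), truncated


def parse_ssdt(lines):
    """Map each hooked SSDT slot's target address to the service name GMER printed."""
    hooks = {}
    for line in lines:
        m = SSDT_RE.match(line.strip())
        if m:
            hooks[int(m.group(1), 16)] = m.group(2)
    return hooks


def parse_patches(lines):
    """Kernel 'code section' modifications: site, address, declared length, raw bytes."""
    patches = []
    for line in lines:
        m = PATCH_RE.match(line.strip())
        if not m:
            continue
        data, truncated = _decode_bytes(m.group(5))
        patches.append({
            "site": f"{m.group(1)} + {int(m.group(2), 16):X}",
            "address": int(m.group(3), 16),
            "declared": int(m.group(4)),
            "data": data,
            "truncated": truncated,
            "disasm": m.group(6),
        })
    return patches


def parse_jumps(lines):
    """User-mode inline hooks: which function in which process jumps where."""
    jumps = []
    for line in lines:
        m = JMP_RE.match(line.strip())
        if m:
            jumps.append({
                "process": m.group(1), "pid": int(m.group(2)), "function": m.group(3),
                "address": int(m.group(4), 16), "target": int(m.group(6), 16),
                "module": m.group(7),
            })
    return jumps


def correlate(lines):
    """Return (findings, unmatched): every kernel patch, tagged with the SSDT service
    whose hook address its 4 bytes spell out (little-endian), plus the SSDT hooks
    for which no matching patch line exists in the excerpt."""
    hooks = parse_ssdt(lines)
    findings = []
    for p in parse_patches(lines):
        pointer = None
        if p["declared"] == 4 and len(p["data"]) == 4 and not p["truncated"]:
            pointer = struct.unpack("<I", p["data"])[0]
        findings.append({**p, "pointer": pointer, "service": hooks.get(pointer)})
    seen = {f["pointer"] for f in findings if f["pointer"] is not None}
    unmatched = {addr: name for addr, name in hooks.items() if addr not in seen}
    return findings, unmatched


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    findings, unmatched = correlate(lines)
    for f in findings:
        tag = (f"slot of {f['service']}" if f["service"]
               else "truncated in log" if f["truncated"] else "not a 4-byte pointer")
        print(f"{f['address']:08X}  {f['site']:<42} {f['data'].hex()}  {tag}")
    for addr, name in unmatched.items():
        print(f"SSDT {addr:08X} {name}: no matching patch line in this excerpt")
    for j in parse_jumps(lines):
        print(f"{j['function']} in pid {j['pid']} -> {j['target']:08X} ({j['module']})")
```

Run stand-alone it prints one line per kernel patch with the service it maps to, one line for ZwTerminateProcess (whose patch line is in the elided part of the log), and the NtProtectVirtualMemory JMP with its target module. Feeding it a full GMER log instead of SAMPLE_LOG works the same way, since the parsers only look at the line shapes GMER emits for these three entry types.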