GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-08-15 09:16:37
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 TOSHIBA_MK5056GSY rev.LH003D 465,76GB
Running: cp62cv2s.exe; Driver: C:\Users\DELL\AppData\Local\Temp\aftciaob.sys

---- User code sections - GMER 2.1 ----

.text  C:\Windows\system32\wininit.exe[548]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Windows\system32\winlogon.exe[596]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Windows\system32\services.exe[644]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Windows\System32\svchost.exe[980]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Windows\system32\svchost.exe[120]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\STacSV64.exe[320]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Windows\system32\svchost.exe[1224]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Windows\system32\WLANExt.exe[1408]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Program Files\SUPERAntiSpyware\SASCORE64.EXE[1828]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_0057cbec48a2d7cf\AESTSr64.exe[1876]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Program Files\WIDCOMM\Bluetooth Software\btwdins.exe[1928]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\ProgramData\DatacardService\HWDeviceService64.exe[1964]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Windows\Explorer.EXE[1972]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\ProgramData\DatacardService\DCSHelper.exe[1984]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000075daa2fd  1 byte [62]
.text  C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe[2172]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000075daa2fd  1 byte [62]
.text  C:\Program Files (x86)\Microsoft SQL Server\MSSQL10_50.KNXETS4\MSSQL\Binn\sqlservr.exe[2200]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[2268]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Program Files\Dell\QuickSet\quickset.exe[2276]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[2548]  C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000075d88791  8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[2548]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000075daa2fd  1 byte [62]
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[2548]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076da1465  2 bytes [DA, 76]
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[2548]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076da14bb  2 bytes [DA, 76]
.text  ...  * 2
.text  C:\Windows\system32\DRIVERS\o2flash.exe[3032]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000075daa2fd  1 byte [62]
.text  C:\Program Files\Windows Media Player\wmpnetwk.exe[4320]  C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189  0000000076f0ef8d  1 byte [62]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[4840]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000075daa2fd  1 byte [62]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4224]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000075daa2fd  1 byte [62]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4224]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000076da1465  2 bytes [DA, 76]
.text  C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[4224]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000076da14bb  2 bytes [DA, 76]
.text  ...  * 2
.text  C:\Users\DELL\Desktop\dignostyka malaware\cp62cv2s.exe[4796]  C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112  0000000075daa2fd  1 byte [62]

---- User IAT/EAT - GMER 2.1 ----

IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamDWord]  [7fef540741c] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSet]  [7fef5405f10] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmEndSession]  [7fef5405674] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartSession]  [7fef5405e2c] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmStartUpload]  [7fef5407f48] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppVersion]  [7fef5406a38] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetMachineId]  [7fef5406ee8] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmWriteSharedMachineId]  [7fef5407b58] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmCreateNewId]  [7fef5407ea0] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmReadSharedMachineId]  [7fef54078b0] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmGetSession]  [7fef5404fb4] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmSetAppId]  [7fef5405d38] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll
IAT  c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[632] @ c:\Program Files\Common Files\Microsoft Shared\Windows Live\WLIDSVC.EXE[sqmapi.dll!SqmAddToStreamString]  [7fef5407584] c:\Program Files\Common Files\Microsoft Shared\Windows Live\sqmapi.dll

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\c44619fcd8a7
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\c44619fcd8a7 (not active ControlSet)

---- EOF - GMER 2.1 ----