GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-09-08 00:29:43
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9320325AS rev.0003SDM1 298,09GB
Running: gmer.exe; Driver: C:\Users\SZEF\AppData\Local\Temp\aftcraob.sys


---- User code sections - GMER 2.1 ----

.text   C:\Program Files (x86)\Opera\Opera.exe[4936] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112   000000007674a322 1 byte [62]
.text   C:\Program Files (x86)\Ralink Corporation\Ralink Bluetooth Stack\BtTray.exe[2064] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112   000000007674a322 1 byte [62]
.text   C:\Program Files (x86)\WebSpades\bin\utilWebSpades.exe[4484] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112   000000007674a322 1 byte [62]
.text   C:\Program Files (x86)\WebSpades\updateWebSpades.exe[4488] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112   000000007674a322 1 byte [62]
.text   C:\ProgramData\IePluginServices\PluginService.exe[1848] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112   000000007674a322 1 byte [62]
.text   F:\gmer.exe[1524] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112   000000007674a322 1 byte [62]
.text   C:\Program Files\Windows Media Player\wmpnetwk.exe[4784] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189   00000000771ceecd 1 byte [62]
.text   C:\Windows\Explorer.EXE[1616] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189   00000000771ceecd 1 byte [62]
.text   C:\Windows\system32\SearchIndexer.exe[3436] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189   00000000771ceecd 1 byte [62]
.text   C:\Windows\system32\services.exe[632] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189   00000000771ceecd 1 byte [62]
.text   C:\Windows\System32\svchost.exe[108] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189   00000000771ceecd 1 byte [62]
.text   C:\Windows\system32\svchost.exe[1288] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189   00000000771ceecd 1 byte [62]
.text   C:\Windows\system32\svchost.exe[2088] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189   00000000771ceecd 1 byte [62]
.text   C:\Windows\System32\svchost.exe[344] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189   00000000771ceecd 1 byte [62]
.text   C:\Windows\system32\svchost.exe[512] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189   00000000771ceecd 1 byte [62]
.text   C:\Windows\system32\taskhost.exe[2264] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189   00000000771ceecd 1 byte [62]
.text   C:\Windows\system32\taskhost.exe[5412] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189   00000000771ceecd 1 byte [62]
.text   C:\Program Files (x86)\Opera\Opera.exe[4936] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll   00000000775ac43a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\Opera\Opera.exe[4936] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll   00000000775b11d7 5 bytes JMP 00000001000303fc

---- Processes - GMER 2.1 ----

Process  C:\Users\SZEF\AppData\Roaming\VOPackage\VOsrv.exe (*** suspicious ***) @ C:\Users\SZEF\AppData\Roaming\VOPackage\VOsrv.exe [2780](2 00000000010b0000
Process  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1912] (WindowsProtectManger Service/Fuyu LIMITED)(2014-08-26 00:37:45) 0000000001100000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e006e69d63bc (not active ControlSet)
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e006e69d63bc

---- Threads - GMER 2.1 ----

Thread  C:\Windows\system32\svchost.exe [1064:4460]   000007fee790b1b0
Thread  C:\Windows\system32\svchost.exe [4396:5652]   000007fee88c5ec0
Thread  C:\Windows\System32\spoolsv.exe [1872:972]   000007fee92e6144
Thread  C:\Windows\System32\spoolsv.exe [1872:1252]   000007fee93210c8
Thread  C:\Windows\System32\spoolsv.exe [1872:980]   000007fee93b5e5c
Thread  C:\Windows\System32\spoolsv.exe [1872:2364]   000007fee9405090
Thread  C:\Windows\system32\svchost.exe [4396:3152]   000007feebcd4734
Thread  C:\Windows\system32\svchost.exe [4396:5996]   000007feebcd4734
Thread  C:\Windows\system32\svchost.exe [4396:5052]   000007feebcdf130
Thread  C:\Windows\System32\svchost.exe [344:5072]   000007feebeb8a4c
Thread  C:\Windows\system32\svchost.exe [1064:1304]   000007feeeb8d3c8
Thread  C:\Windows\system32\svchost.exe [1064:4836]   000007feeeb8d3c8
Thread  C:\Windows\system32\svchost.exe [1064:792]   000007feeeb8d3c8
Thread  C:\Windows\system32\svchost.exe [1064:892]   000007feeeb8d3c8
Thread  C:\Windows\system32\svchost.exe [512:4768]   000007feeece26e0
Thread  C:\Windows\system32\svchost.exe [3988:4128]   000007feef965708
Thread  C:\Windows\system32\svchost.exe [3988:4120]   000007feef966e5c
Thread  C:\Windows\system32\SearchIndexer.exe [3436:4904]   000007feefc6f3c0
Thread  C:\Windows\system32\svchost.exe [512:3608]   000007feefd6506c
Thread  C:\Windows\system32\svchost.exe [1288:5032]   000007feefe45170
Thread  C:\Windows\system32\svchost.exe [512:3648]   000007fef0591c20
Thread  C:\Windows\system32\svchost.exe [512:3956]   000007fef0591c20
Thread  C:\Windows\system32\wbem\wmiprvse.exe [4004:3652]   000007fef0591c20
Thread  C:\Windows\system32\svchost.exe [1064:3132]   000007fef0949db0
Thread  C:\Windows\system32\svchost.exe [1064:5320]   000007fef094aa10
Thread  C:\Windows\system32\svchost.exe [1064:3204]   000007fef0950ea8
Thread  C:\Windows\system32\svchost.exe [1064:3576]   000007fef0951c94
Thread  C:\Windows\System32\spoolsv.exe [1872:4212]   000007fef1055fd0
Thread  C:\Windows\system32\svchost.exe [2896:4792]   000007fef1055fd0
Thread  C:\Windows\System32\spoolsv.exe [1872:1312]   000007fef10563ec
Thread  C:\Windows\system32\svchost.exe [2896:4808]   000007fef10563ec
Thread  C:\Windows\System32\spoolsv.exe [1872:4752]   000007fef10f3438
Thread  C:\Windows\system32\svchost.exe [2896:4804]   000007fef10f3438
Thread  C:\Windows\system32\svchost.exe [512:1052]   000007fef3964164
Thread  C:\Windows\System32\svchost.exe [344:3752]   000007fef5b644e0
Thread  C:\Windows\System32\svchost.exe [344:1472]   000007fef5b7d710
Thread  C:\Windows\system32\svchost.exe [1288:4576]   000007fef6a55124
Thread  C:\Windows\System32\svchost.exe [4544:4560]   000007fef6a59874
Thread  C:\Windows\system32\svchost.exe [1288:2800]   000007fef6babec4
Thread  C:\Windows\System32\svchost.exe [344:840]   000007fef6c488f8
Thread  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [3488:1092]   000007fef70b472c
Thread  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [3488:3100]   000007fef71f80ec
Thread  C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [3488:5156]   000007fef71f80ec
Thread  C:\Windows\system32\svchost.exe [1288:3388]   000007fef796341c
Thread  C:\Windows\system32\svchost.exe [1288:3532]   000007fef7963768
Thread  C:\Windows\system32\svchost.exe [1288:5856]   000007fef7963900
Thread  C:\Windows\system32\svchost.exe [1288:4076]   000007fef7963a2c
Thread  C:\Windows\system32\svchost.exe [1288:1308]   000007fef7965c20
Thread  C:\Windows\System32\svchost.exe [344:4216]   000007fef79914a0
Thread  C:\Windows\system32\svchost.exe [1064:1104]   000007fef8946b8c
Thread  C:\Windows\system32\svchost.exe [1064:3736]   000007fef8946ed4
Thread  C:\Windows\System32\svchost.exe [108:5980]   000007fef8961d88
Thread  C:\Windows\System32\svchost.exe [108:5972]   000007fef8966b8c
Thread  C:\Windows\system32\svchost.exe [512:1028]   000007fef8bd1a50
Thread  C:\Windows\system32\svchost.exe [512:1976]   000007fef8c81e00
Thread  C:\Windows\System32\svchost.exe [344:1388]   000007fefa6259a0
Thread  C:\Windows\system32\LogonUI.exe [5464:5956]   000007fefc21b170
Thread  C:\Windows\System32\svchost.exe [344:2388]   000007fefcd41a70
Thread  C:\Windows\system32\svchost.exe [512:3332]   000007fefcd41a70
Thread  C:\Windows\system32\svchost.exe [3988:3588]   000007fefd6ba808
Thread  C:\Windows\system32\LogonUI.exe [5464:1936]   000007fefdcc9274
Thread  C:\Windows\SYSTEM32\WISPTIS.EXE [1424:1536]   000007fefeb60168
Thread  C:\Windows\system32\LogonUI.exe [5464:2688]   000007feff0f73fc
Thread  C:\Windows\SYSTEM32\WISPTIS.EXE [1200:1228]   000007feff0f73fc
Thread  C:\Windows\SYSTEM32\WISPTIS.EXE [1200:1260]   000007feff0f73fc
Thread  C:\Windows\SYSTEM32\WISPTIS.EXE [1424:1548]   000007feff0f73fc
Thread  C:\Windows\SYSTEM32\WISPTIS.EXE [1424:1552]   000007feff0f73fc
Thread  C:\Windows\SYSTEM32\WISPTIS.EXE [1424:1580]   000007feff0f73fc
Thread  C:\Windows\SYSTEM32\WISPTIS.EXE [1424:2804]   000007feff0f73fc
Thread  C:\Windows\SYSTEM32\WISPTIS.EXE [1424:2808]   000007feff0f73fc
Thread  C:\Windows\SYSTEM32\WISPTIS.EXE [1424:2832]   000007feff0f73fc

---- Files - GMER 2.1 ----

File  C:\avast! sandbox 0 bytes
File  C:\avast! sandbox\S-1-5-21-3915100798-2594843860-4059984336-1000 0 bytes
File  C:\avast! sandbox\S-1-5-21-3915100798-2594843860-4059984336-1000\r21 0 bytes
File  C:\avast! sandbox\S-1-5-21-3915100798-2594843860-4059984336-1000\r21\OTL.exe_{e4a70715-31ac-11e4-9225-e006e69d63bc} 0 bytes
File  C:\avast! sandbox\S-1-5-21-3915100798-2594843860-4059984336-1000\r21\OTL.exe_{e4a7071c-31ac-11e4-9225-e006e69d63bc} 0 bytes
File  C:\avast! sandbox\snx_rhive 262144 bytes
File  C:\avast! sandbox\snx_rhive.LOG1 5120 bytes
File  C:\avast! sandbox\snx_rhive.LOG2 0 bytes
File  C:\avast! sandbox\snx_rhive{e4a70717-31ac-11e4-9225-e006e69d63bc}.TM.blf 65536 bytes
File  C:\avast! sandbox\snx_rhive{e4a70717-31ac-11e4-9225-e006e69d63bc}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File  C:\avast! sandbox\snx_rhive{e4a70717-31ac-11e4-9225-e006e69d63bc}.TMContainer00000000000000000002.regtrans-ms 524288 bytes
File  C:\avast! sandbox\snx_rhive{e4a7071e-31ac-11e4-9225-e006e69d63bc}.TM.blf 65536 bytes
File  C:\avast! sandbox\snx_rhive{e4a7071e-31ac-11e4-9225-e006e69d63bc}.TMContainer00000000000000000001.regtrans-ms 524288 bytes
File  C:\avast! sandbox\snx_rhive{e4a7071e-31ac-11e4-9225-e006e69d63bc}.TMContainer00000000000000000002.regtrans-ms 524288 bytes

---- EOF - GMER 2.1 ----
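The log above is raw GMER 2.1 output, and the part a triager actually reads is the "User code sections" block (which processes carry which in-memory patches of which exports) and the "(*** suspicious ***)" process entries. The script below is an added example, not part of the original post and not GMER's own code: it parses those two blocks from an embedded excerpt copied from the log above, collapses identical patches seen across many processes into one "site", and separates the 5-byte JMP detours (classic inline hooks: here Opera's LdrLoadDll and LdrUnloadDll) from the 1-byte patches that appear at the same kernel32 address in nearly every process. The regular expressions describe the line layout as it appears in this log, not a documented GMER format, and the triage rule (a site shared by almost every process is a system-wide pattern to explain once; a detour present in a single process is the entry to chase) is the editor's heuristic, not a GMER verdict.

```python
import re
from collections import defaultdict

# Constructed excerpt: a few lines copied from the GMER 2.1 log above, enough to
# exercise both patch shapes (1-byte patch, 5-byte JMP detour) and the two
# "(*** suspicious ***)" process entries. Raw string so the backslashes survive.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----

.text   C:\Program Files (x86)\Opera\Opera.exe[4936] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112   000000007674a322 1 byte [62]
.text   C:\ProgramData\IePluginServices\PluginService.exe[1848] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112   000000007674a322 1 byte [62]
.text   C:\Windows\system32\services.exe[632] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189   00000000771ceecd 1 byte [62]
.text   C:\Program Files (x86)\Opera\Opera.exe[4936] C:\Windows\SysWOW64\ntdll.dll!LdrLoadDll   00000000775ac43a 5 bytes JMP 00000001000301f8
.text   C:\Program Files (x86)\Opera\Opera.exe[4936] C:\Windows\SysWOW64\ntdll.dll!LdrUnloadDll   00000000775b11d7 5 bytes JMP 00000001000303fc

---- Processes - GMER 2.1 ----

Process  C:\Users\SZEF\AppData\Roaming\VOPackage\VOsrv.exe (*** suspicious ***) @ C:\Users\SZEF\AppData\Roaming\VOPackage\VOsrv.exe [2780](2 00000000010b0000
Process  C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe (*** suspicious ***) @ C:\ProgramData\WindowsMangerProtect\ProtectWindowsManager.exe [1912] (WindowsProtectManger Service/Fuyu LIMITED)(2014-08-26 00:37:45) 0000000001100000

---- EOF - GMER 2.1 ----
"""

# Line layout as seen in this log (an assumption about GMER's output, not a spec):
# .text <process path>[<pid>] <module>!<export>[ + <offset>] <address> <n> byte(s) <patch>
HOOK_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"      # hooked process path and PID
    r"(?P<module>\S+)!(?P<func>\w+)"                   # module!export
    r"(?:\s*\+\s*(?P<offset>\d+))?\s+"                 # optional byte offset into the export
    r"(?P<addr>[0-9a-fA-F]{16})\s+"                    # patched virtual address
    r"(?P<nbytes>\d+)\s+bytes?\s+(?P<patch>.+?)\s*$"   # patch length and bytes / disassembly
)
SUSPICIOUS_RE = re.compile(r"^Process\s+(?P<path>.+?)\s+\(\*\*\* suspicious \*\*\*\)")
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9a-fA-F]{16})$")


def parse_gmer(text):
    """Return (hooks, suspicious): user-mode code patches and flagged process paths."""
    hooks, suspicious = [], []
    for raw in text.splitlines():
        line = raw.strip()
        m = HOOK_RE.match(line)
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            h["offset"] = int(h["offset"] or 0)
            h["nbytes"] = int(h["nbytes"])
            j = JMP_RE.match(h["patch"])
            h["jmp_target"] = int(j.group("target"), 16) if j else None
            hooks.append(h)
            continue
        m = SUSPICIOUS_RE.match(line)
        if m:
            suspicious.append(m.group("path"))
    return hooks, suspicious


def triage(hooks):
    """Group patches by site and pull out the detours.

    Site key = (module, export, address, patch), module and address lower-cased so
    KERNEL32.dll / kernel32.dll collapse. A site shared by nearly every process is a
    system-wide pattern to account for once; a JMP present in one process is a
    per-process inline hook, the entry to chase (resolve its target to a module next).
    """
    by_site = defaultdict(set)
    detours = []
    for h in hooks:
        site = (h["module"].lower(), h["func"], h["addr"].lower(), h["patch"])
        by_site[site].add(h["proc"])
        if h["jmp_target"] is not None:
            detours.append(h)
    return by_site, detours


def summarize(text):
    """One dict a triager can read or assert on."""
    hooks, suspicious = parse_gmer(text)
    by_site, detours = triage(hooks)
    widest = max(by_site.items(), key=lambda kv: len(kv[1]))[0] if by_site else None
    return {
        "hook_entries": len(hooks),
        "patch_sites": len(by_site),
        "widest_site": widest,
        "detours": [(h["proc"], h["pid"], h["func"], h["addr"], "%016x" % h["jmp_target"])
                    for h in detours],
        "suspicious_processes": suspicious,
    }


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    print("hook entries:", s["hook_entries"], " distinct patch sites:", s["patch_sites"])
    print("most widely shared site:", s["widest_site"])
    for proc, pid, func, addr, target in s["detours"]:
        print("detour: %s[%d] %s @ %s -> %s" % (proc, pid, func, addr, target))
    for p in s["suspicious_processes"]:
        print("suspicious process:", p)
```

Run it against a full log by replacing SAMPLE_LOG with the file contents; on the log above the widest site is the kernel32!GetBinaryTypeW 1-byte patch, and the only detours are the two in Opera.exe[4936], which is where a follow-up (which module in that process owns 00000001000301f8) would start.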