GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-08-29 16:41:54 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD75 rev.01.0 698,64GB Running: dy2m58td.exe; Driver: C:\Users\user\AppData\Local\Temp\kftcaaob.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\wininit.exe[668] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Windows\system32\services.exe[732] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Windows\system32\winlogon.exe[864] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[996] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[332] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Windows\System32\svchost.exe[516] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Windows\system32\svchost.exe[688] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files\WTouch\WTouchService.exe[1208] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files\NVIDIA Corporation\Display\NvXDSync.exe[1380] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Windows\system32\nvvsvc.exe[1392] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files (x86)\ASUS\SmartLogon\smartlogon.exe[1512] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ASLDRSrv.exe[1640] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATKGFNEX\GFNEXSrv.exe[1792] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Windows\SYSTEM32\WISPTIS.EXE[1864] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe[1872] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files\WTouch\WTouchUser.exe[1916] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files (x86)\Common Files\Microsoft Shared\Ink\TabTip32.exe[2024] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Windows\SysWOW64\brsvc01a.exe[2164] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Windows\SysWOW64\brss01a.exe[2240] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[2464] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076ed8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\afwServ.exe[2464] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\Ath_CoexAgent.exe[2588] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Program Files (x86)\ASUS\ASUS Live Update\LiveUpdate.exe[2648] C:\Windows\syswow64\KERNEL32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Windows\AsScrPro.exe[2676] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Windows\AsScrPro.exe[2676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Windows\AsScrPro.exe[2676] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 .text C:\Program Files (x86)\Bluetooth Suite\adminservice.exe[3016] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[2336] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2644] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076ed8791 4 bytes [C2, 04, 00, 00] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2644] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2644] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Program Files\ESET\ESET Smart Security\x86\ekrn.exe[2644] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 .text C:\Windows\system32\Pen_Tablet.exe[3164] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Windows\Explorer.EXE[3560] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Windows\system32\Pen_Tablet.exe[3584] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files\Realtek\Audio\HDA\RAVBg64.exe[3948] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3980] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files (x86)\Bluetooth Suite\BtvStack.exe[4004] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[4176] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files (x86)\CTS\Tray\CTSTray.exe[4344] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files (x86)\Microsoft Office\Office12\ONENOTEM.EXE[4856] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Media\DMedia.exe[5100] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\HControlUser.exe[4164] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4044] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076ed8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...] .text C:\Program Files\AVAST Software\Avast\avastui.exe[4044] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Windows\system32\SearchIndexer.exe[4484] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5308] C:\Windows\system32\KERNEL32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5888] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[5888] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 .text C:\Windows\System32\svchost.exe[6044] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\Windows\system32\prevhost.exe[5824] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE[5872] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076ed8791 5 bytes JMP 0000000162e953fc .text C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE[5872] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE[5872] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075e66143 5 bytes JMP 000000016395f68e .text C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE[5872] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 00000000762b3e59 4 bytes JMP 0000000162ec10b7 .text C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE[5872] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 00000000762b3eae 4 bytes JMP 0000000162ecb0be .text C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE[5872] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 00000000762b4731 4 bytes JMP 0000000162efb5dc .text C:\PROGRA~2\MICROS~1\Office12\EXCEL.EXE[5872] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 00000000762b5dee 4 bytes JMP 0000000162efc50f .text C:\Users\user\Downloads\OTL.exe[680] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\Users\user\Downloads\OTL.exe[680] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 69 0000000076a81465 2 bytes [A8, 76] .text C:\Users\user\Downloads\OTL.exe[680] C:\Windows\syswow64\PSAPI.dll!GetModuleInformation + 155 0000000076a814bb 2 bytes [A8, 76] .text ... * 2 .text C:\Windows\notepad.exe[4208] C:\Windows\system32\kernel32.dll!GetBinaryTypeW + 189 000000007712ef8d 1 byte [62] .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE!wdCommandDispatch + 8 000000002ff91a54 2 bytes [F9, 2F] .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE!wdGetApplicationObject + 4 000000002ff91a5a 2 bytes [F9, 2F] .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE!wdGetApplicationObject + 166 000000002ff91afc 2 bytes [F9, 2F] .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE!wdGetApplicationObject + 253 000000002ff91b53 2 bytes [F9, 2F] .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE!wdGetApplicationObject + 320 000000002ff91b96 2 bytes [F9, 2F] .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE!wdGetApplicationObject + 390 000000002ff91bdc 2 bytes [F9, 2F] .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE!wdGetApplicationObject + 738 000000002ff91d38 2 bytes [F9, 2F] .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE!wdGetApplicationObject + 937 000000002ff91dff 2 bytes [F9, 2F] .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE!wdGetApplicationObject + 958 000000002ff91e14 2 bytes [F9, 2F] .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE!wdGetApplicationObject + 970 000000002ff91e20 2 bytes [F9, 2F] .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000076ed8791 5 bytes JMP 0000000162e953fc .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\Windows\syswow64\ole32.dll!OleLoadFromStream 0000000075e66143 5 bytes JMP 000000016395f68e .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\Windows\syswow64\OLEAUT32.dll!SysFreeString 00000000762b3e59 4 bytes JMP 0000000162ec10b7 .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\Windows\syswow64\OLEAUT32.dll!VariantClear 00000000762b3eae 4 bytes JMP 0000000162ecb0be .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\Windows\syswow64\OLEAUT32.dll!SysAllocStringByteLen 00000000762b4731 4 bytes JMP 0000000162efb5dc .text C:\PROGRA~2\MICROS~1\Office12\WINWORD.EXE[5052] C:\Windows\syswow64\OLEAUT32.dll!VariantChangeType 00000000762b5dee 4 bytes JMP 0000000162efc50f .text C:\Users\user\Downloads\dy2m58td.exe[5456] C:\Windows\syswow64\kernel32.dll!GetBinaryTypeW + 112 0000000076efa2fd 1 byte [62] ---- Threads - GMER 2.1 ---- Thread System [4:128] fffffa800be36360 Thread C:\Windows\System32\svchost.exe [6044:2636] 000007feed1d9688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6088:1688] 000007fefb152bf8 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [6088:3856] 000007feec0d4830 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f684212d8 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f684212d8@6c23b94a792d 0x42 0x76 0x11 0xCD ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f684212d8@58c38b79acd5 0x96 0x06 0x9B 0x4A ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f684212d8 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f684212d8@6c23b94a792d 0x42 0x76 0x11 0xCD ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f684212d8@58c38b79acd5 0x96 0x06 0x9B 0x4A ... ---- EOF - GMER 2.1 ----