GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-11-08 04:21:25
Windows 6.0.6002 Service Pack 2 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS542516K9SA00 rev.BBCOC31P 149,05GB
Running: 803tlkvf.exe; Driver: C:\Users\komodore\AppData\Local\Temp\fwlirkow.sys


---- System - GMER 2.1 ----

SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.)  ZwNotifyChangeKey [0x8F5D86E0]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.)  ZwNotifyChangeMultipleKeys [0x8F5D8800]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.)  ZwOpenProcess [0x8F5D8010]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.)  ZwOpenThread [0x8F5D84D0]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.)  ZwSuspendProcess [0x8F5D8300]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.)  ZwSuspendThread [0x8F5D83E0]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.)  ZwTerminateProcess [0x8F5D8120]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.)  ZwTerminateThread [0x8F5D8210]
SSDT  \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.)  ZwWriteVirtualMemory [0x8F5D85E0]

Code  \??\C:\Windows\system32\drivers\mbamchameleon.sys (Malwarebytes Chameleon Protection Driver/Malwarebytes Corporation)  KeInsertQueueApc

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\system32\DRIVERS\atikmdag.sys  section is writeable [0x8D00D000, 0x267978, 0xE8000020]
.text  ntkrnlpa.exe!KeSetEvent + 3BD  820CBA08 8 Bytes  [E0, 86, 5D, 8F, 00, 88, 5D, ...] {LOOPNZ 0xffffff88; POP EBP; POP DWORD [EAX]; MOV [EBP-0x71], BL}
.text  ntkrnlpa.exe!KeSetEvent + 3F1  820CBA3C 4 Bytes  [10, 80, 5D, 8F]
.text  ntkrnlpa.exe!KeSetEvent + 40D  820CBA58 4 Bytes  [D0, 84, 5D, 8F]
.text  ntkrnlpa.exe!KeSetEvent + 611  820CBC5C 8 Bytes  [00, 83, 5D, 8F, E0, 83, 5D, ...]
.text  ntkrnlpa.exe!KeSetEvent + 621  820CBC6C 8 Bytes  [20, 81, 5D, 8F, 10, 82, 5D, ...]
.text  ...
.text  ntkrnlpa.exe!KeInsertQueueApc  820D2F13 5 Bytes  JMP 8D7E4A0E \??\C:\Windows\system32\drivers\mbamchameleon.sys (Malwarebytes Chameleon Protection Driver/Malwarebytes Corporation)

---- Devices - GMER 2.1 ----

AttachedDevice  \Driver\tdx \Device\Tcp  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
Device  \Driver\BTHUSB \Device\00000065  bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
Device  \Driver\BTHUSB \Device\00000067  bthport.sys (Bluetooth Bus Driver/Microsoft Corporation)
AttachedDevice  \Driver\tdx \Device\Udp  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \Driver\tdx \Device\RawIp  avgtdix.sys (AVG Network connection watcher/AVG Technologies CZ, s.r.o.)
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys (Microsoft File System Filter Manager/Microsoft Corporation)
Device  \FileSystem\cdfs \Cdfs  B39B805C

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fc647ec17
Reg  HKLM\SYSTEM\ControlSet002\Services\BTHPORT\Parameters\Keys\001fc647ec17 (not active ControlSet)

---- EOF - GMER 2.1 ----


GMER 2.1.19357 - http://www.gmer.net
Autostart scan 2014-11-08 04:32:47
Windows 6.0.6002 Service Pack 2

AdobeARMservice@ = "C:\Program Files\Common Files\Adobe\ARM\1.0\armsvc.exe"
ASLDRService@ = C:\Program Files\ASUS\ATK Hotkey\ASLDRSrv.exe
Ati External Event Utility@ = %SystemRoot%\system32\Ati2evxx.exe
AVGIDSAgent@ = "C:\Program Files\AVG\AVG2015\avgidsagent.exe"
avgwd@ = "C:\Program Files\AVG\AVG2015\avgwdsvc.exe"
FsUsbExService@ = C:\Windows\system32\FsUsbExService.Exe
gupdate@ = "C:\Program Files\Google\Update\GoogleUpdate.exe" /svc
MBAMScheduler@ = "C:\Program Files\Malwarebytes Anti-Malware\mbamscheduler.exe"
MBAMService@ = "C:\Program Files\Malwarebytes Anti-Malware\mbamservice.exe"
vToolbarUpdater3.2.0@ = C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\3.2.0\ToolbarUpdater.exe /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Run >>>
@StartCCC"C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun = "C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\CLIStart.exe" MSRun
@Adobe ARM"C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe" = "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
@HControlUserC:\Program Files\ASUS\ATK Hotkey\HControlUser.exe = C:\Program Files\ASUS\ATK Hotkey\HControlUser.exe
@AVG_UI"C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY = "C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY

HKCU\Software\Microsoft\Windows\CurrentVersion\Run >>>
@VirtualDiskAutomountrundll32 "C:\Program Files\TC UP\PLUGINS\wfx\VirtualDisk\VirtualDisk.wfx",MountAfterReboot /*file not found*/ = rundll32 "C:\Program Files\TC UP\PLUGINS\wfx\VirtualDisk\VirtualDisk.wfx",MountAfterReboot /*file not found*/
@ /*file not found*/ = /*file not found*/

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved >>>
@{FAC3CBF6-8697-43d0-BAB9-DCD1FCE19D75} /*IE User Assist*/(null) =
@{b2c761c6-29bc-4f19-9251-e6195265baf1} /*Color Control Panel Applet*/(null) =
@{7A979262-40CE-46ff-AEEE-7884AC3B6136} /*Add New Hardware*/(null) =
@{3e7efb4c-faf1-453d-89eb-56026875ef90} /*Get Programs Online*/(null) =
@{1b24a030-9b20-49bc-97ac-1be4426f9e59} /*ActiveDirectory Folder*/(null) =
@{34449847-FD14-4fc8-A75A-7432F5181EFB} /*ActiveDirectory Folder*/(null) =
@{C8494E42-ACDD-4739-B0FB-217361E4894F} /*Sam Account Folder*/(null) =
@{E29F9716-5C08-4FCD-955A-119FDB5A522D} /*Sam Account Folder*/(null) =
@{5399E694-6CE5-4D6C-8FCE-1D8870FDCBA0} /*Control Panel command object for Start menu*/(null) =
@{E44E5D18-0652-4508-A4E2-8A090067BCB0} /*Default Programs command object for Start menu*/(null) =
@{6dfd7c5c-2451-11d3-a299-00c04f8ef6af} /*Folder Options*/(null) =
@{2C2577C2-63A7-40e3-9B7F-586602617ECB} /*Explorer Query Band*/(null) =
@{38a98528-6cbf-4ca9-8dc0-b1e1d10f7b1b} /*View Available Networks*/(null) =
@{0F8604A5-4ECE-4DE1-BA7D-CF10F8AA4F48} /*Contacts folder*/(null) =
@{4026492f-2f69-46b8-b9bf-5654fc07e423} /*Windows Firewall*/(null) =
@{fcfeecae-ee1b-4849-ae50-685dcf7717ec} /*Problem Reports and Solutions*/(null) =
@{a304259d-52b8-4526-8b1a-a1d6cecc8243} /*iSCSI Initiator*/(null) =
@{911051fa-c21c-4246-b470-070cd8df6dc4} /*.cab or .zip files*/(null) =
@{da67b8ad-e81b-4c70-9b91-b417b5e33527} /*Windows Search Shell Service*/(null) =
@{d3e34b21-9d75-101a-8c3d-00aa001a1652} /*Bitmap Image*/(null) =
@{00f2886f-cd64-4fc9-8ec5-30ef6cdbe8c3} /*Microsoft.ScannersAndCameras*/(null) =
@{9D687A4C-1404-41ef-A089-883B6FBECDE6} /*Windows Photo Gallery Viewer Autoplay Handler*/(null) =
@{37efd44d-ef8d-41b1-940d-96973a50e9e0} /*Windows Sidebar Properties*/(null) =
@{67718415-c450-4f3c-bf8a-b487642dc39b} /*Windows Features*/(null) =
@{d8559eb9-20c0-410e-beda-7ed416aecc2a} /*Windows Defender*/(null) =
@{5ea4f148-308c-46d7-98a9-49041b1dd468} /*Mobility Center Control Panel*/(null) =
@{031EE060-67BC-460d-8847-E4A7C5E45A27} /*Windows Media Player Rich Preview Handler*/(null) =
@{5E2121EE-0300-11D4-8D3B-444553540000} /*Catalyst Context Menu extension*/C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll = C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll
@{0563DB41-F538-4B37-A92D-4659049B7766} /*WLMD Message Handler*/(null) =
@{06A2568A-CED6-4187-BB20-400B8C02BE5A} /**/(null) =
@{2BE99FD4-A181-4996-BFA9-58C5FFD11F6C} /*Windows Live Photo Gallery Autoplay Drop Target*/(null) =
@{00F30F64-AC33-42F5-8FD1-5DC2D3FDE06C} /*Windows Live Photo Gallery Viewer Drop Target*/(null) =
@{00F374B7-B390-4884-B372-2FC349F2172B} /*Windows Live Photo Gallery Editor Drop Target*/(null) =
@{544F5441-4C43-4D44-5550-5348454C4C00} /*TCUP: Shell Extention*/C:\PROGRA~1\TCUP~1\PLUGINS\Library\TCUPSH~1.DLL = C:\PROGRA~1\TCUP~1\PLUGINS\Library\TCUPSH~1.DLL
@{9E96C1F5-0EFA-4348-9460-15D6802C70AA} /*BDFVCtxMenuExt*/(null) =
@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} /*AVG Shell Extension*/C:\Program Files\AVG\AVG2015\avgse.dll = C:\Program Files\AVG\AVG2015\avgse.dll
@{9F97547E-460A-42C5-AE0C-81C61FFAEBC3} /*AVG Find Extension*/(null) =

HKLM\Software\Classes\*\shellex\ContextMenuHandlers\ >>>
AVG Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\AVG\AVG2015\avgse.dll
TCUPShellExt@{544F5441-4C43-4D44-5550-5348454C4C00} = C:\PROGRA~1\TCUP~1\PLUGINS\Library\TCUPSH~1.DLL

HKLM\Software\Classes\Directory\shellex\ContextMenuHandlers\TCUPShellExt@{544F5441-4C43-4D44-5550-5348454C4C00} = C:\PROGRA~1\TCUP~1\PLUGINS\Library\TCUPSH~1.DLL

HKLM\Software\Classes\Directory\Background\ShellEx\ContextMenuHandlers\ >>>
ACE@{5E2121EE-0300-11D4-8D3B-444553540000} = C:\Program Files\ATI Technologies\ATI.ACE\Core-Static\atiacmxx.dll
ComposerSetup@{9DF9AD0B-5D99-485A-840E-858003F87478} = C:\Program Files\ComposerSetup\shellext32.dll

HKLM\Software\Classes\Folder\shellex\ContextMenuHandlers\AVG Shell Extension@{9F97547E-4609-42C5-AE0C-81C61FFAEBC3} = C:\Program Files\AVG\AVG2015\avgse.dll

HKLM\Software\Classes\Folder\Shellex\ColumnHandlers@{F9DB5320-233E-11D1-9F84-707F02C10627} = C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\PDFShell.dll

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects >>>
@{761497BB-D6F0-462C-B6EB-D4DAF1D92D43}C:\Program Files\Java\jre1.8.0_20\bin\ssv.dll = C:\Program Files\Java\jre1.8.0_20\bin\ssv.dll
@{DBC80044-A445-435b-BC74-9C25C1C588A9}C:\Program Files\Java\jre1.8.0_20\bin\jp2ssv.dll = C:\Program Files\Java\jre1.8.0_20\bin\jp2ssv.dll

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32@VIDC.I420 = MSh263.drv /*file not found*/

HKLM\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\Windows\System32\blank.htm = C:\Windows\System32\blank.htm

HKCU\Software\Microsoft\Internet Explorer\Main >>>
@Start Pageabout:blank = about:blank
@Local PageC:\Windows\system32\blank.htm = C:\Windows\system32\blank.htm

HKLM\Software\Classes\PROTOCOLS\Handler\ms-itss@CLSID = C:\Program Files\Common Files\Microsoft Shared\Information Retrieval\MSITSS.DLL

---- EOF - GMER 2.1 ----
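The log above carries no commentary, so here is an added triage script (not part of the posted log, and not GMER's own code) that works through its three finding types. It parses the SSDT entries, the ".text" entries from "Kernel code sections" and the autostart entries, using lines copied verbatim from the log as sample input. Its main point is a correlation a reader can check by hand: the bytes GMER reports at ntkrnlpa.exe!KeSetEvent + 3BD, + 3F1, + 40D, + 611 and + 621 are little-endian 32-bit pointers, and every one of them decodes to a handler address that is already listed in the SSDT section as an AVG hook (for example E0 86 5D 8F is 0x8F5D86E0, the ZwNotifyChangeKey entry). The regular expressions are an assumption about GMER's text layout derived from this log, and the classification labels are the script's own.

```python
"""Triage helpers for the GMER 2.1 log above (added example; not from the log, not GMER code).

Parses three line kinds copied from the scan: SSDT entries, ".text" entries from
"Kernel code sections", and autostart entries. The regexes encode the text layout as
it appears in this log and are an assumption about GMER's format in general.
"""
import re
import struct
from typing import Dict, List, NamedTuple

SSDT_RE = re.compile(r"^SSDT\s+(?P<module>\S+)\s+\((?P<desc>.*)\)\s+(?P<func>Zw\w+)\s+\[0x(?P<addr>[0-9A-Fa-f]+)\]$")
PATCH_RE = re.compile(r"^\.text\s+(?P<sym>\S+)(?:\s+\+\s+(?P<off>[0-9A-Fa-f]+))?\s+[0-9A-Fa-f]{8}\s+\d+\s+Bytes\s+(?P<rest>.*)$")
JMP_RE = re.compile(r"^JMP\s+[0-9A-Fa-f]{8}\s+(?P<module>\S+)")


class Hook(NamedTuple):
    func: str    # hooked Zw* service
    module: str  # driver owning the replacement handler (basename only)


def parse_ssdt(lines: List[str]) -> Dict[int, Hook]:
    """Map each replacement-handler address from the SSDT entries to its Zw function and driver."""
    table: Dict[int, Hook] = {}
    for line in lines:
        m = SSDT_RE.match(line.strip())
        if m:
            table[int(m["addr"], 16)] = Hook(m["func"], m["module"].rsplit("\\", 1)[-1])
    return table


def explain_patches(ssdt: Dict[int, Hook], lines: List[str]) -> List[dict]:
    """Classify each .text finding: an inline JMP into a driver, or bytes that decode to SSDT pointers."""
    findings = []
    for line in lines:
        m = PATCH_RE.match(line.strip())
        if not m:
            continue  # "section is writeable" and "..." lines carry no bytes to decode
        site = m["sym"] + (f"+{m['off']}" if m["off"] else "")
        jmp = JMP_RE.match(m["rest"])
        if jmp:
            findings.append({"site": site, "kind": "inline-jmp", "module": jmp["module"].rsplit("\\", 1)[-1]})
            continue
        # Byte dump such as "[E0, 86, 5D, 8F, 00, 88, 5D, ...]": keep only the complete hex bytes.
        raw = bytes(int(t, 16) for t in re.findall(r"\b[0-9A-Fa-f]{2}\b", m["rest"].split("]")[0]))
        whole = len(raw) // 4 * 4
        resolved = []
        for ptr in struct.unpack_from(f"<{whole // 4}I", raw):  # little-endian DWORDs
            hook = ssdt.get(ptr)
            resolved.append((hook.func if hook else f"0x{ptr:08X}", "exact" if hook else "unknown"))
        tail = raw[whole:]  # 1-3 trailing bytes before GMER's "...": match as a prefix of a known handler
        for addr, hook in ssdt.items():
            if tail and struct.pack("<I", addr).startswith(tail):
                resolved.append((hook.func, "partial"))
        explained = bool(resolved) and all(k != "unknown" for _, k in resolved)
        findings.append({"site": site, "kind": "ssdt-pointers" if explained else "unexplained-bytes", "resolved": resolved})
    return findings


def dangling_autostarts(lines: List[str]) -> List[str]:
    """Autostart entries whose target GMER flagged as missing on disk."""
    return [l.strip() for l in lines if "/*file not found*/" in l]


# Sample input: lines copied from the log above, whitespace normalised to single spaces.
SYSTEM_LINES = [
    r"SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwNotifyChangeKey [0x8F5D86E0]",
    r"SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwNotifyChangeMultipleKeys [0x8F5D8800]",
    r"SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwOpenProcess [0x8F5D8010]",
    r"SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwOpenThread [0x8F5D84D0]",
    r"SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwSuspendProcess [0x8F5D8300]",
    r"SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwSuspendThread [0x8F5D83E0]",
    r"SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwTerminateProcess [0x8F5D8120]",
    r"SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwTerminateThread [0x8F5D8210]",
    r"SSDT \SystemRoot\system32\DRIVERS\avgidsshimx.sys (AVG IDS Application Activity Monitor Loader Driver/AVG Technologies CZ, s.r.o.) ZwWriteVirtualMemory [0x8F5D85E0]",
]
CODE_LINES = [
    r".text C:\Windows\system32\DRIVERS\atikmdag.sys section is writeable [0x8D00D000, 0x267978, 0xE8000020]",
    r".text ntkrnlpa.exe!KeSetEvent + 3BD 820CBA08 8 Bytes [E0, 86, 5D, 8F, 00, 88, 5D, ...] {LOOPNZ 0xffffff88; POP EBP; POP DWORD [EAX]; MOV [EBP-0x71], BL}",
    r".text ntkrnlpa.exe!KeSetEvent + 3F1 820CBA3C 4 Bytes [10, 80, 5D, 8F]",
    r".text ntkrnlpa.exe!KeSetEvent + 611 820CBC5C 8 Bytes [00, 83, 5D, 8F, E0, 83, 5D, ...]",
    r".text ...",
    r".text ntkrnlpa.exe!KeInsertQueueApc 820D2F13 5 Bytes JMP 8D7E4A0E \??\C:\Windows\system32\drivers\mbamchameleon.sys (Malwarebytes Chameleon Protection Driver/Malwarebytes Corporation)",
]
AUTOSTART_LINES = [
    r'vToolbarUpdater3.2.0@ = C:\Program Files\Common Files\AVG Secure Search\vToolbarUpdater\3.2.0\ToolbarUpdater.exe /*file not found*/',
    r'@AVG_UI"C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY = "C:\Program Files\AVG\AVG2015\avgui.exe" /TRAYONLY',
    r'@VirtualDiskAutomountrundll32 "C:\Program Files\TC UP\PLUGINS\wfx\VirtualDisk\VirtualDisk.wfx",MountAfterReboot /*file not found*/ = rundll32 "C:\Program Files\TC UP\PLUGINS\wfx\VirtualDisk\VirtualDisk.wfx",MountAfterReboot /*file not found*/',
    r'@ /*file not found*/ = /*file not found*/',
    r'HKLM\Software\Microsoft\Windows NT\CurrentVersion\Drivers32@VIDC.I420 = MSh263.drv /*file not found*/',
]

if __name__ == "__main__":
    hooks = parse_ssdt(SYSTEM_LINES)
    for finding in explain_patches(hooks, CODE_LINES):
        print(finding)
    for entry in dangling_autostarts(AUTOSTART_LINES):
        print("dangling autostart:", entry)
```

Run stand-alone, the script reports every KeSetEvent+offset site as "ssdt-pointers" resolving to AVG's own Zw* handlers, which is the reading that the "Kernel code sections" findings are the service table (located near the KeSetEvent export in this kernel build, an inference from the log rather than something GMER states) rather than patched instructions; the one genuine inline code hook is the KeInsertQueueApc JMP into mbamchameleon.sys, matching the "Code" entry in the System section. The four autostart entries it lists are references to files that no longer exist (an AVG toolbar updater service, a Total Commander plugin, an empty Run value and an orphaned VIDC.I420 codec mapping), which are cleanup items rather than evidence of a rootkit.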