GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-12-29 21:59:42
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006b ST950032 rev.0003 465,76GB
Running: 62r63vd8.exe; Driver: C:\Users\asus\AppData\Local\Temp\kftcqaoc.sys


---- User code sections - GMER 2.1 ----

.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17       0000000075501401 2 bytes JMP 7702b21b C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17         0000000075501419 2 bytes JMP 7702b346 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17       0000000075501431 2 bytes JMP 770a8ea9 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42       000000007550144a 2 bytes CALL 770048ad C:\Windows\syswow64\kernel32.dll
.text   ...                                                                                         * 9
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17          00000000755014dd 2 bytes JMP 770a87a2 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000755014f5 2 bytes JMP 770a8978 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17          000000007550150d 2 bytes JMP 770a8698 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000075501525 2 bytes JMP 770a8a62 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17         000000007550153d 2 bytes JMP 7701fca8 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17              0000000075501555 2 bytes JMP 770268ef C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17       000000007550156d 2 bytes JMP 770a8f61 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17         0000000075501585 2 bytes JMP 770a8ac2 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17            000000007550159d 2 bytes JMP 770a865c C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17         00000000755015b5 2 bytes JMP 7701fd41 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17       00000000755015cd 2 bytes JMP 7702b2dc C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000755016b2 2 bytes JMP 770a8e24 C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000755016bd 2 bytes JMP 770a85f1 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17       0000000075501401 2 bytes JMP 7702b21b C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17         0000000075501419 2 bytes JMP 7702b346 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17       0000000075501431 2 bytes JMP 770a8ea9 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42       000000007550144a 2 bytes CALL 770048ad C:\Windows\syswow64\kernel32.dll
.text   ...                                                                                                                                                         * 9
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17          00000000755014dd 2 bytes JMP 770a87a2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17   00000000755014f5 2 bytes JMP 770a8978 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17          000000007550150d 2 bytes JMP 770a8698 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17   0000000075501525 2 bytes JMP 770a8a62 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17         000000007550153d 2 bytes JMP 7701fca8 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17              0000000075501555 2 bytes JMP 770268ef C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17       000000007550156d 2 bytes JMP 770a8f61 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17         0000000075501585 2 bytes JMP 770a8ac2 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17            000000007550159d 2 bytes JMP 770a865c C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17         00000000755015b5 2 bytes JMP 7701fd41 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17       00000000755015cd 2 bytes JMP 7702b2dc C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20   00000000755016b2 2 bytes JMP 770a8e24 C:\Windows\syswow64\kernel32.dll
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31   00000000755016bd 2 bytes JMP 770a85f1 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4092:2024]   00000000754e7587
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4092:3084]   0000000062ec7712
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4092:2100]   0000000077822e65
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4092:4424]   0000000077823e85
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4092:5632]   0000000077823e85
Thread  C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [4092:5372]   0000000077823e85

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e
Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68fa6f14
Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68fa6f14@1c659ddcc05c   0x4C 0x18 0xCE 0x1E ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68fa6f14@b462930dc92d   0xBA 0xF2 0x75 0x33 ...
Reg     HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68fa6f14@184617622451   0x65 0x55 0xDC 0xA2 ...
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68fa6f14 (not active ControlSet)
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68fa6f14@1c659ddcc05c   0x4C 0x18 0xCE 0x1E ...
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68fa6f14@b462930dc92d   0xBA 0xF2 0x75 0x33 ...
Reg     HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68fa6f14@184617622451   0x65 0x55 0xDC 0xA2 ...

---- EOF - GMER 2.1 ----
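Triage helper for the "User code sections" part of a GMER log, added here as an example; it is not GMER's code and not part of the original post. Every hook line above has the same shape (process[pid], module!export + offset, patched address, patch length, JMP/CALL, destination, and the module GMER resolved the destination to), and every destination in this log resolves to C:\Windows\syswow64\kernel32.dll. The script parses lines of that shape, counts patched exports per process (honouring the "... * N" lines GMER uses to collapse repeats), and flags hooks whose destination is not backed by an allow-listed module or by any module at all. The allow-list is an analyst assumption, not a verdict on this log; the sample input is constructed: the first three hook lines are copied from the log above, the explorer.exe lines are invented solely to exercise the flagging path, and the optional-offset and missing-destination-module cases are assumptions about how GMER prints hooks that this log does not itself contain.

```python
import re
from collections import defaultdict

# Constructed sample. The AsScrPro.exe / CVHSVC.EXE lines are taken from the log
# above; the explorer.exe[1234] lines are INVENTED to exercise the flagging logic
# and describe no real finding on the scanned machine.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.1 ----

.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17   0000000075501401 2 bytes JMP 7702b21b C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\AsScrPro.exe[2592] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42   000000007550144a 2 bytes CALL 770048ad C:\Windows\syswow64\kernel32.dll
.text   ...   * 9
.text   C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3520] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17   0000000075501555 2 bytes JMP 770268ef C:\Windows\syswow64\kernel32.dll
.text   C:\Windows\explorer.exe[1234] C:\Windows\syswow64\ntdll.dll!NtQueryDirectoryFile   0000000077a1f5c8 5 bytes JMP 00a10000
.text   C:\Windows\explorer.exe[1234] C:\Windows\syswow64\kernel32.dll!CreateFileW   0000000076fe3f84 5 bytes JMP 10001a20 C:\ProgramData\Example\hookdll.dll

---- Threads - GMER 2.1 ----
"""

# Assumption: the analyst accepts these modules as legitimate hook/forwarding
# targets. In the log above every destination lands in this one module.
ALLOWED_DEST_MODULES = [r"C:\Windows\syswow64\kernel32.dll"]

HOOK_RE = re.compile(
    r"^\.text\s+"
    r"(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"            # process image path and PID
    r"(?P<module>.+?)!(?P<func>[A-Za-z0-9_@]+)"     # patched module!export
    r"(?:\s*\+\s*(?P<off>\d+))?\s+"                 # byte offset into the export (optional, assumed)
    r"(?P<addr>[0-9A-Fa-f]+)\s+"                    # address of the patched bytes
    r"(?P<size>\d+)\s+bytes\s+"                     # length of the patch
    r"(?P<kind>JMP|CALL)\s+(?P<dest>[0-9A-Fa-f]+)"  # control transfer and its destination
    r"(?:\s+(?P<destmod>\S.*?))?\s*$"               # module backing the destination, if any (assumed optional)
)
# GMER collapses runs of similar lines into ".text ... * N"; keep the count.
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(?P<n>\d+)\s*$")


def parse_hooks(text):
    """Return (hooks, elided): one dict per parsed .text line, plus the total
    number of lines GMER collapsed with '... * N'."""
    hooks, elided = [], 0
    for line in text.splitlines():
        m = HOOK_RE.match(line)
        if m:
            h = m.groupdict()
            h["pid"] = int(h["pid"])
            h["size"] = int(h["size"])
            h["off"] = int(h["off"]) if h["off"] else 0
            h["addr"] = int(h["addr"], 16)
            h["dest"] = int(h["dest"], 16)
            hooks.append(h)
            continue
        m = ELIDED_RE.match(line)
        if m:
            elided += int(m.group("n"))
    return hooks, elided


def summarize(hooks):
    """Patched-export count per (process path, pid)."""
    counts = defaultdict(int)
    for h in hooks:
        counts[(h["proc"], h["pid"])] += 1
    return dict(counts)


def flag_hooks(hooks, allowed_dest_modules):
    """Return [(hook, reason)] for hooks that need a closer look: destination
    not backed by any module (GMER printed no module) or backed by a module
    outside the analyst's allow-list. Passing the filter is not proof of
    legitimacy; it only orders the work."""
    allowed = {p.lower() for p in allowed_dest_modules}
    flagged = []
    for h in hooks:
        destmod = (h["destmod"] or "").lower()
        if not destmod:
            flagged.append((h, "destination not backed by any module"))
        elif destmod not in allowed:
            flagged.append((h, "destination module not on allow-list"))
    return flagged


if __name__ == "__main__":
    hooks, elided = parse_hooks(SAMPLE_LOG)
    print(f"parsed {len(hooks)} hook lines; GMER elided {elided} more")
    for (proc, pid), n in summarize(hooks).items():
        print(f"  {proc}[{pid}]: {n} patched export(s)")
    for h, why in flag_hooks(hooks, ALLOWED_DEST_MODULES):
        print(f"FLAG {h['proc']}[{h['pid']}] {h['module']}!{h['func']} "
              f"{h['kind']} {h['dest']:08x} -> {h['destmod'] or '<no module>'}: {why}")
```

To run it over a real log, replace SAMPLE_LOG with the file contents; the "Threads" and "Registry" sections are ignored because their lines never match HOOK_RE. Two-byte patches at a small fixed offset that all land in the same system DLL across unrelated processes, as in the log above, are what a consistent per-process pattern looks like; a long patch in one process whose destination GMER cannot tie to a module is the case the flagging is written for.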