GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-20 23:51:44
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-0 WDC_WD25 rev.01.0 232,89GB
Running: w25cik56.exe; Driver: C:\Users\darek\AppData\Local\Temp\uwtdipog.sys

---- System - GMER 2.1 ----

SSDT 8552A810 ZwAlertResumeThread
SSDT 8552A8A8 ZwAlertThread
SSDT 8552AF08 ZwAllocateVirtualMemory
SSDT 854035A8 ZwAlpcConnectPort
SSDT 8552BB00 ZwAssignProcessToJobObject
SSDT 8552BEB0 ZwCreateMutant
SSDT 8552B8F8 ZwCreateSymbolicLinkObject
SSDT 8552A2F0 ZwCreateThread
SSDT 8552B9A0 ZwCreateThreadEx
SSDT 8552BB98 ZwDebugActiveProcess
SSDT 8552A118 ZwDuplicateObject
SSDT 8552AD98 ZwFreeVirtualMemory
SSDT 8552BF58 ZwImpersonateAnonymousToken
SSDT 8552BFD0 ZwImpersonateThread
SSDT 85403530 ZwLoadDriver
SSDT 8552ACE0 ZwMapViewOfSection
SSDT 8552BE18 ZwOpenEvent
SSDT 8552A268 ZwOpenProcess
SSDT 8552AF90 ZwOpenProcessToken
SSDT 8552BCE8 ZwOpenSection
SSDT 8552A1C0 ZwOpenThread
SSDT 8552BA58 ZwProtectVirtualMemory
SSDT 8552B850 ZwQueueApcThread
SSDT 8552B7A8 ZwQueueApcThreadEx
SSDT 8552B700 ZwReadVirtualMemory
SSDT 8552A940 ZwResumeThread
SSDT 8552AB08 ZwSetContextThread
SSDT 8552ABA0 ZwSetInformationProcess
SSDT 8552BC30 ZwSetSystemInformation
SSDT 8552BD80 ZwSuspendProcess
SSDT 8552A9D8 ZwSuspendThread
SSDT 85524D30 ZwTerminateProcess
SSDT 8552AA70 ZwTerminateThread
SSDT 8552AC48 ZwUnmapViewOfSection
SSDT 8552AE40 ZwWriteVirtualMemory

INT 0x61 ? 906707D8
INT 0x71 ? 90670558

---- Kernel code sections - GMER 2.1 ----

.text ntoskrnl.exe!ZwRequestPort + 14CD 8204EB55 1 Byte [06]
.text ntoskrnl.exe!KiDispatchInterrupt + 5A2 8206EE62 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}
.text ntoskrnl.exe!KeRemoveQueueEx + 13A3 82076468 8 Bytes [10, A8, 52, 85, A8, A8, 52, ...]
.text ntoskrnl.exe!KeRemoveQueueEx + 13BB 82076480 4 Bytes [08, AF, 52, 85]
.text ntoskrnl.exe!KeRemoveQueueEx + 13C7 8207648C 4 Bytes [A8, 35, 40, 85]
.text ntoskrnl.exe!KeRemoveQueueEx + 141B 820764E0 4 Bytes [00, BB, 52, 85]
.text ntoskrnl.exe!KeRemoveQueueEx + 1497 8207655C 4 Bytes [B0, BE, 52, 85]
.text ...

---- User code sections - GMER 2.1 ----

.text C:\Program Files\Motorola\Bluetooth\obexsrv.exe[1044] ntdll.dll!NtTerminateThread 77396930 5 Bytes JMP 00020050
.text C:\Program Files\Motorola\Bluetooth\obexsrv.exe[1044] USER32.dll!ChangeWindowMessageFilterEx + F 76BB24D7 7 Bytes JMP 0049012A
.text C:\Program Files\Motorola\Bluetooth\obexsrv.exe[1044] USER32.dll!RecordShutdownReason + 372 76BF06C2 7 Bytes JMP 00490048
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1684] ntdll.dll!NtTerminateThread 77396930 5 Bytes JMP 00020050
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1684] USER32.dll!ChangeWindowMessageFilterEx + F 76BB24D7 7 Bytes JMP 0031012A
.text C:\Program Files\Common Files\ArcSoft\Connection Service\Bin\ACService.exe[1684] USER32.dll!RecordShutdownReason + 372 76BF06C2 7 Bytes JMP 00310048
.text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[1752] ntdll.dll!NtTerminateThread 77396930 5 Bytes JMP 00020050
.text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[1752] USER32.dll!ChangeWindowMessageFilterEx + F 76BB24D7 7 Bytes JMP 007C020E
.text C:\Program Files\Motorola\Bluetooth\devmgrsrv.exe[1752] USER32.dll!RecordShutdownReason + 372 76BF06C2 7 Bytes JMP 007C012C
.text C:\Program Files\System Control Manager\MSIService.exe[1944] ntdll.dll!NtTerminateThread 77396930 5 Bytes JMP 00180050
.text C:\Program Files\System Control Manager\MSIService.exe[1944] USER32.dll!ChangeWindowMessageFilterEx + F 76BB24D7 7 Bytes JMP 0032012A
.text C:\Program Files\System Control Manager\MSIService.exe[1944] USER32.dll!RecordShutdownReason + 372 76BF06C2 7 Bytes JMP 00320048
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2140] ntdll.dll!NtTerminateThread 77396930 5 Bytes JMP 00020050
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2140] USER32.dll!ChangeWindowMessageFilterEx + F 76BB24D7 7 Bytes JMP 0019012A
.text C:\Program Files\Common Files\Macrovision Shared\FLEXnet Publisher\FNPLicensingService.exe[2140] USER32.dll!RecordShutdownReason + 372 76BF06C2 7 Bytes JMP 00190048
.text C:\Program Files\Motorola\Bluetooth\audiosrv.exe[3920] ntdll.dll!NtTerminateThread 77396930 5 Bytes JMP 00020050
.text C:\Program Files\Motorola\Bluetooth\audiosrv.exe[3920] USER32.dll!ChangeWindowMessageFilterEx + F 76BB24D7 7 Bytes JMP 0020012A
.text C:\Program Files\Motorola\Bluetooth\audiosrv.exe[3920] USER32.dll!RecordShutdownReason + 372 76BF06C2 7 Bytes JMP 00200048

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002421d25b27
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002421d25b27 (not active ControlSet)
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@A2A60F7D 1175
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PowerTracker\Data\2015-06-20@AC_MonitorOn_Duration 0xFB 0x18 0x00 0x00 ...
Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\PowerTracker\Data\2015-06-20@AC_MonitorOff_Duration 0x88 0x03 0x00 0x00 ...

---- EOF - GMER 2.1 ----