GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-08-04 00:19:49
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB
Running: f7hp56rl.exe; Driver: C:\Users\Kanon\AppData\Local\Temp\agtiqpog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[1928] C:\windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27 000000007727929a 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[1928] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007727af7d 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavSvc.exe[1928] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075768781 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\SysWOW64\ntdll.dll!RtlInitializeExceptionChain + 27 000000007727929a 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007727af7d 6 bytes JMP 71a8000a
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075768781 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075902c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074d41401 2 bytes JMP 7578b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074d41419 2 bytes JMP 7578b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074d41431 2 bytes JMP 75808f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074d4144a 2 bytes CALL 7576489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074d414dd 2 bytes JMP 75808822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074d414f5 2 bytes JMP 758089f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074d4150d 2 bytes JMP 75808718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074d41525 2 bytes JMP 75808ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074d4153d 2 bytes JMP 7577fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074d41555 2 bytes JMP 757868ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074d4156d 2 bytes JMP 75808fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074d41585 2 bytes JMP 75808b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074d4159d 2 bytes JMP 758086dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074d415b5 2 bytes JMP 7577fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074d415cd 2 bytes JMP 7578b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074d416b2 2 bytes JMP 75808ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BHipsSvc.exe[1508] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074d416bd 2 bytes JMP 75808671 C:\windows\syswow64\kernel32.dll
.text C:\windows\Explorer.EXE[2460] C:\windows\system32\kernel32.dll!CreateProcessW 0000000076f60660 6 bytes {JMP QWORD [RIP+0x90bf9d0]}
.text C:\windows\Explorer.EXE[2460] C:\windows\system32\KERNELBASE.dll!LoadLibraryExW + 357 000007fefce4a6f5 3 bytes CALL 6f006400
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075768781 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074d41401 2 bytes JMP 7578b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074d41419 2 bytes JMP 7578b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074d41431 2 bytes JMP 75808f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074d4144a 2 bytes CALL 7576489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074d414dd 2 bytes JMP 75808822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074d414f5 2 bytes JMP 758089f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074d4150d 2 bytes JMP 75808718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074d41525 2 bytes JMP 75808ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074d4153d 2 bytes JMP 7577fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074d41555 2 bytes JMP 757868ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074d4156d 2 bytes JMP 75808fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074d41585 2 bytes JMP 75808b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074d4159d 2 bytes JMP 758086dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074d415b5 2 bytes JMP 7577fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074d415cd 2 bytes JMP 7578b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074d416b2 2 bytes JMP 75808ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\ScreenSnapshotTool\1.0.1.10301\ScreenShotServ.exe[2768] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074d416bd 2 bytes JMP 75808671 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\bavhm.exe[4056] C:\windows\system32\KERNELBASE.dll!CreateRemoteThreadEx + 626 000007fefce399f2 3 bytes [0A, 66, 06]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\SysWOW64\ntdll.dll!LdrLoadDll 000000007727af7d 6 bytes JMP 71af000a
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 0000000075768781 8 bytes [33, C0, 90, 90, C2, 04, 00, ...]
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\KERNELBASE.dll!LoadLibraryExW + 493 0000000075902c9e 4 bytes CALL 71ac0000
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\USER32.dll!GetScrollInfo 0000000074c34018 7 bytes JMP 000000016fb1b740
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\USER32.dll!SetScrollInfo 0000000074c340cf 7 bytes JMP 000000016fb1b560
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\USER32.dll!ShowScrollBar 0000000074c34162 5 bytes JMP 000000016fb1bba0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\USER32.dll!GetScrollPos 0000000074c34234 5 bytes JMP 000000016fb1b910
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\USER32.dll!SetScrollPos 0000000074c387a5 5 bytes JMP 000000016fb1b810
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\USER32.dll!EnableScrollBar 0000000074c38d3a 7 bytes JMP 000000016fb1bbe0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\USER32.dll!GetScrollRange 0000000074c390c4 5 bytes JMP 000000016fb1bae0
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\USER32.dll!SetScrollRange 0000000074c4d50b 5 bytes JMP 000000016fb1b990
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000074d41401 2 bytes JMP 7578b21b C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000074d41419 2 bytes JMP 7578b346 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000074d41431 2 bytes JMP 75808f29 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000074d4144a 2 bytes CALL 7576489d C:\windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000074d414dd 2 bytes JMP 75808822 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000074d414f5 2 bytes JMP 758089f8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000074d4150d 2 bytes JMP 75808718 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000074d41525 2 bytes JMP 75808ae2 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000074d4153d 2 bytes JMP 7577fca8 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000074d41555 2 bytes JMP 757868ef C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000074d4156d 2 bytes JMP 75808fe3 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000074d41585 2 bytes JMP 75808b42 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000074d4159d 2 bytes JMP 758086dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000074d415b5 2 bytes JMP 7577fd41 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000074d415cd 2 bytes JMP 7578b2dc C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000074d416b2 2 bytes JMP 75808ea4 C:\windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Baidu Security\Baidu Antivirus\5.4.3.122701.0\BavTray.exe[3716] C:\windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000074d416bd 2 bytes JMP 75808671 C:\windows\syswow64\kernel32.dll

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f395745d82
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\e02a827a1093
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f395745d82 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\e02a827a1093 (not active ControlSet)

---- EOF - GMER 2.1 ----