GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-13 09:42:32
Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST350041 rev.HP63 465,76GB
Running: sucin8tz.exe; Driver: C:\Users\Kamil\AppData\Local\Temp\kgtiqpod.sys


---- Kernel code sections - GMER 2.1 ----

.text  ntkrnlpa.exe!ZwReplaceKey + 1525  83875B55 1 Byte  [06]
.text  ntkrnlpa.exe!KiDispatchInterrupt + 5A2  838AFBB2 19 Bytes  [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3}

---- User code sections - GMER 2.1 ----

?      C:\Program Files\Kaspersky Lab\Kaspersky Security Scan\kss.exe[3756] C:\Windows\SYSTEM32\ntdll.dll  time/date stamp mismatch;
.text  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan\kss.exe[3756] ntdll.dll!NtProtectVirtualMemory  77BF6000 5 Bytes  JMP 69921986 C:\Program Files\Kaspersky Lab\Kaspersky Security Scan\ushata.dll
?      C:\Program Files\Kaspersky Lab\Kaspersky Security Scan\kss.exe[3756] C:\Windows\system32\kernel32.dll  time/date stamp mismatch; unknown module: uxtheme.dllunknown module: KERNELBASE.dll
.text  C:\Program Files\Kaspersky Lab\Kaspersky Security Scan\kss.exe[3756] USER32.dll!NotifyWinEvent + 6AE  769AD66C 4 Bytes  [F0, 28, 92, 69]

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdipAlloc]  [74432493] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusStartup]  [74415625] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdiplusShutdown]  [744156E3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdipFree]  [7443250E] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDeleteGraphics]  [74428572] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDisposeImage]  [74424D26] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageWidth]  [744250CD] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdipGetImageHeight]  [744251A2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateBitmapFromHBITMAP]  [744266CF] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCreateFromHDC]  [744282C9] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetCompositingMode]  [74428818] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdipSetInterpolationMode]  [74429079] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdipDrawImageRectI]  [7442E21C] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll
IAT  C:\Windows\explorer.exe[6960] @ C:\Windows\explorer.exe [gdiplus.dll!GdipCloneImage]  [74424C58] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.18946_none_72d45ee78666ea32\gdiplus.dll

---- Devices - GMER 2.1 ----

AttachedDevice  \FileSystem\Ntfs \Ntfs  cbfs5.sys
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys
AttachedDevice  \FileSystem\fastfat \Fat  fltmgr.sys
AttachedDevice  \FileSystem\fastfat \Fat  cbfs5.sys

---- Registry - GMER 2.1 ----

Reg  HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers@AliveServerCount  7
Reg  HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\347BDBB7-DEA1-4F67-9CB8-8D1642EDBE7F@IPAddress  fe80::703f:d2f9:fd72:16a4
Reg  HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\347BDBB7-DEA1-4F67-9CB8-8D1642EDBE7F@Alive  0
Reg  HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\4FE9F4BD-4DFC-4047-8C6C-32E86448072A@IPAddress  fe80::703f:d2f9:fd72:16a4
Reg  HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\4FE9F4BD-4DFC-4047-8C6C-32E86448072A@Alive  0
Reg  HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\BD061224-9033-4DEC-AED6-8A6CC8C0DBD6@Alive  0
Reg  HKLM\SOFTWARE\Microsoft\Windows Media Player NSS\3.0\Servers\D7E3031A-6DBC-4340-9931-4A1C32814513@IPAddress  fe80::703f:d2f9:fd72:16a4
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active
Reg  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@14057CEC  653
Reg  HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@SIGN.MEDIA=239F04 IPCamSetup\x2014for Windows OS\IPCamSetup.exe  1

---- Files - GMER 2.1 ----

File  C:\ProgramData\G DATA\OutbreakShield\cteng_1_2_151444626747r.dat  0 bytes
File  C:\ProgramData\G DATA\OutbreakShield\cteng_1_1_501444636397r.dat  0 bytes
File  C:\ProgramData\G DATA\OutbreakShield\cteng_1_2_231444627346f.dat  0 bytes

---- EOF - GMER 2.1 ----