GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-14 01:55:57
Windows 6.0.6002 Service Pack 2 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 Hitachi_ rev.BBFO 232,89GB
Running: hxk2w02e.exe; Driver: C:\Users\KRZYSZ~1\AppData\Local\Temp\kxddiuog.sys

---- Kernel code sections - GMER 2.1 ----

INITKDBG C:\Windows\system32\ntoskrnl.exe suspicious modification

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\Explorer.EXE[1832] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread] [10002a50] C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll
IAT C:\Windows\Explorer.EXE[1832] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!FreeLibraryAndExitThread] [100020c0] C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll
IAT C:\Windows\Explorer.EXE[1832] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!GetProcAddress] [10002f30] C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll
IAT C:\Windows\Explorer.EXE[1832] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryA] [10001290] C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll
IAT C:\Windows\Explorer.EXE[1832] @ C:\Windows\system32\SHDOCVW.dll[KERNEL32.dll!LoadLibraryA] [10001290] C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll
IAT C:\Windows\Explorer.EXE[1832] @ C:\Windows\system32\SHDOCVW.dll[KERNEL32.dll!GetProcAddress] [10002f30] C:\Program Files (x86)\Acer\Empowering Technology\eDataSecurity\x64\PSDProtect.dll

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\wininit.exe [584:596] 000007fefeab6200
Thread C:\Windows\System32\svchost.exe [276:1080] 000007fefbca50d0
Thread C:\Windows\System32\svchost.exe [276:1092] 000007fefb8ba2b0
Thread C:\Windows\System32\svchost.exe [276:1284] 000007fefad054f0
Thread C:\Windows\System32\svchost.exe [276:2748] 000007fefb101754
Thread C:\Windows\System32\svchost.exe [276:2756] 000007fefb101bf4
Thread C:\Windows\System32\svchost.exe [276:2760] 000007fefb101d5c
Thread C:\Windows\System32\svchost.exe [276:3164] 000007fefd53276c
Thread C:\Windows\System32\svchost.exe [276:3776] 000007fef7fc5c54
Thread C:\Windows\System32\svchost.exe [276:3856] 000007fefb8d8a4c
Thread C:\Windows\System32\svchost.exe [276:3128] 000007fefb8d8a4c
Thread C:\Windows\System32\svchost.exe [276:4032] 000007fefb8d8a4c
Thread C:\Windows\System32\svchost.exe [276:1216] 000007fefb8d8a4c
Thread C:\Windows\System32\svchost.exe [276:3880] 000007fefb8d8a4c
Thread C:\Windows\System32\svchost.exe [276:4052] 000007fefb8d8a4c
Thread C:\Windows\System32\svchost.exe [276:4024] 000007fefb8d8a4c
Thread C:\Windows\System32\svchost.exe [276:2496] 000007fefb8d8a4c
Thread C:\Windows\System32\svchost.exe [276:4040] 000007fefb8d8a4c
Thread C:\Windows\System32\svchost.exe [276:2272] 000007fefb8d8a4c
Thread C:\Windows\System32\svchost.exe [276:4348] 000007fef3749bec
Thread C:\Windows\System32\svchost.exe [276:3896] 000007fef374c3fc
Thread C:\Windows\system32\SLsvc.exe [712:1308] 000007fefd9265f0
Thread C:\Windows\system32\SLsvc.exe [712:2632] 000007fefeab6200
Thread C:\Windows\system32\svchost.exe [572:2596] 000007fef987bd78
Thread C:\Windows\system32\svchost.exe [572:2600] 000007fef9886844
Thread C:\Windows\system32\svchost.exe [572:2344] 000007fef76a7ba4
Thread C:\Windows\system32\svchost.exe [572:2288] 000007fef76b19e0
Thread C:\Windows\system32\svchost.exe [572:1160] 000007fef6c19358
Thread C:\Windows\system32\svchost.exe [572:2888] 000007fef6c23820
Thread C:\Windows\system32\svchost.exe [572:3256] 000007fef6c260bc
Thread [1148:1192] 000007fefb0d9ae4
Thread [1148:1196] 000007fefb0d6d28
Thread [1148:1200] 000007fefb0d3270
Thread [1148:1208] 0000000076d38440
Thread [1148:2032] 000007fefb0d31a0
Thread [1148:848] 0000000076d37aa0
Thread [1148:124] 000007fef7b7588c
Thread [1148:1996] 000007fef9055000
Thread [1148:472] 000007fef6ea7d3c
Thread [1148:2592] 000007fefd9265f0
Thread [1148:2160] 000007fefd9265f0
Thread [1148:3276] 000007fef5ae1010
Thread [1148:2260] 000007fef5ae1010
Thread [1148:3356] 000007fef55e3dec
Thread [1148:3720] 000007fefb8322f0
Thread [1148:3956] 000007fefb831520
Thread [1148:2424] 000007fef7b55354
Thread [1148:3668] 000007fef5ce7624
Thread [1148:2732] 000007fef6b92084
Thread [1148:4668] 000007fefeab6200
Thread [1148:1696] 0000000076d37aa0
Thread [1148:4408] 0000000076d37aa0
Thread [1148:4852] 000007fefeab6200
Thread C:\Windows\system32\WLANExt.exe [1344:1620] 00000001800da8d0
Thread C:\Windows\system32\WLANExt.exe [1344:1628] 000000018007e270
Thread C:\Windows\system32\WLANExt.exe [1344:1632] 00000001800da8d0
Thread C:\Windows\system32\WLANExt.exe [1344:1868] 000007fefa8b6124
Thread C:\Windows\system32\WLANExt.exe [1344:1944] 0000000001da92a4
Thread C:\Windows\system32\WLANExt.exe [1344:1948] 0000000001da92c0
Thread C:\Windows\system32\WLANExt.exe [1344:1952] 0000000001da9288
Thread C:\Windows\system32\WLANExt.exe [1344:1956] 000007fefa8b6124
Thread [1560:1596] 000007fefebffd70
Thread [1560:1600] 0000000076d38440
Thread [1560:1964] 000007fefd9265f0
Thread [1560:1968] 000007fefd9265f0
Thread [1560:1972] 000007fefa3513dc
Thread [1560:1976] 000007fefa3512ac
Thread [1560:1988] 000007fefd9265f0
Thread [1560:1992] 000007fef9e31c00
Thread [1560:2008] 000007fef9c538a0
Thread [1560:2036] 000007fef987bd78
Thread [1560:1144] 000007fef987c4f8
Thread [1560:1164] 000007fef9886844
Thread [1560:1412] 000007fefa20a704
Thread [1560:4912] 000007fefeab6200
Thread C:\Windows\system32\taskeng.exe [1744:1924] 000007fefa7f28f0
Thread C:\Windows\system32\taskeng.exe [1744:1932] 000007fefb441010
Thread C:\Windows\system32\taskeng.exe [1744:1936] 000007fefed18564
Thread C:\Windows\system32\taskeng.exe [1744:2004] 000007fef9ada26c
Thread C:\Windows\system32\taskeng.exe [1744:684] 000007fef9ad36d0
Thread C:\Windows\system32\taskeng.exe [1744:4336] 000007fefb331604
Thread C:\Windows\Explorer.EXE [1832:1764] 000007fef82e7478
Thread C:\Windows\Explorer.EXE [1832:456] 000007fefb331604
Thread C:\Windows\Explorer.EXE [1832:2084] 000007fefc473ee0
Thread C:\Windows\Explorer.EXE [1832:2088] 000007fefb375ce8
Thread C:\Windows\Explorer.EXE [1832:2164] 000007fefb374460
Thread C:\Windows\Explorer.EXE [1832:2640] 000007fefc012148
Thread C:\Windows\Explorer.EXE [1832:4000] 000007fefb441010
Thread C:\Windows\Explorer.EXE [1832:3108] 000007fefa8b6124
Thread [504:1088] 0000000076d38440
Thread [504:1112] 000007fefd53276c
Thread [504:1224] 000007fefd53276c
Thread [504:1404] 000007fefd53276c
Thread [504:1420] 000007fef929d810
Thread [504:1432] 000007fef92c4970
Thread [504:1436] 000007fef928fcb0
Thread [504:1484] 0000000076d37aa0
Thread [504:1128] 000007fefebffd70
Thread [504:1796] 000007fefb497ef4
Thread [504:836] 000007fefb48e984
Thread [504:1000] 000007fefb48e984
Thread [504:792] 000007fefb48e984
Thread [504:2052] 000007fefb48e984
Thread [504:2056] 000007fefb48e984
Thread [504:3972] 000007fefb49cab8
Thread [504:3628] 000007fefb8d8a4c
Thread [504:3088] 000007fefb8d8a4c
Thread [504:3608] 000007fefb8d8a4c
Thread [504:1716] 000007fefb8d8a4c
Thread [504:3792] 000007fefb8d8a4c
Thread [504:2456] 000007fefb8d8a4c
Thread [504:1588] 000007fefb8d8a4c
Thread [504:2016] 000007fefb8d8a4c
Thread [504:1592] 000007fefb8d8a4c
Thread [504:2200] 000007fefb8d8a4c
Thread [504:2872] 000007fefeab6200
Thread [504:3388] 000007fefeab6200
Thread [504:4292] 000007fefeab6200
Thread C:\Windows\system32\svchost.exe [1108:996] 000007fefc1d4b64
Thread C:\Windows\system32\svchost.exe [1108:1136] 000007fefeab6200
Thread C:\Windows\SysWOW64\ntdll.dll [3000:3004] 0000000000fb744e
Thread C:\Windows\SysWOW64\ntdll.dll [3000:3352] 0000000000f1f560
Thread C:\Windows\SysWOW64\ntdll.dll [3000:3496] 0000000000f243e0
Thread C:\Windows\SysWOW64\ntdll.dll [3000:3536] 0000000000f7e580
Thread C:\Windows\SysWOW64\ntdll.dll [3000:3540] 0000000000f7e7d0
Thread C:\Windows\SysWOW64\ntdll.dll [3000:3544] 0000000000f87290
Thread C:\Windows\SysWOW64\ntdll.dll [3000:4512] 0000000000f87490
Thread C:\Windows\SysWOW64\ntdll.dll [3000:4524] 0000000000f87290
Thread C:\Windows\SysWOW64\ntdll.dll [3000:4532] 0000000000f87490
Thread C:\Windows\SysWOW64\ntdll.dll [3000:4556] 0000000000f87290
Thread C:\Windows\SysWOW64\ntdll.dll [3000:4564] 0000000000f87490
Thread C:\Windows\SysWOW64\ntdll.dll [3000:4572] 0000000000f87290
Thread C:\Windows\SysWOW64\ntdll.dll [3000:4576] 0000000000f87490
Thread C:\Windows\system32\svchost.exe [2304:2348] 000007fefebffd70
Thread C:\Windows\system32\svchost.exe [2304:2280] 000007fefeab6200
Thread C:\Windows\system32\svchost.exe [2304:2208] 000007fef987bd78
Thread C:\Windows\system32\svchost.exe [2304:2608] 000007fef987c4f8
Thread C:\Windows\system32\svchost.exe [2304:2472] 000007fef9886844
Thread C:\Windows\system32\svchost.exe [2304:816] 000007fef6f65358
Thread C:\Windows\system32\svchost.exe [2436:2316] 000007fef7f51b58
Thread C:\Windows\system32\svchost.exe [2436:2320] 000007fef7f51b58
Thread C:\Windows\system32\svchost.exe [2436:2364] 000007fef7f51b58
Thread C:\Windows\system32\svchost.exe [2436:2400] 000007fef7f51b58
Thread C:\Windows\system32\svchost.exe [2436:1100] 000007fef7e9b9f0
Thread C:\Windows\system32\wbem\wmiprvse.exe [3288:508] 000007fefd071be8
Thread C:\Windows\system32\wbem\wmiprvse.exe [3288:3884] 0000000180006e60
Thread C:\Windows\system32\SearchIndexer.exe [4252:4552] 000007fef73739f0
Thread C:\Windows\system32\svchost.exe [5036:3076] 00000000651d83c0
Thread C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [1648:4580] 000007fefebffd70
Thread C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WPF\WPFFontCache_v0400.exe [1648:4824] 000007fefeab6200

---- Processes - GMER 2.1 ----

Process C:\Users\KRZYSZ~1\AppData\Local\Temp\RtkBtMnt.exe (*** suspicious ***) @ C:\Users\KRZYSZ~1\AppData\Local\Temp\RtkBtMnt.exe [4012] (Realtek HD Audio Data Rerouter/Realtek Semiconductor Corp.)(2015-10-13 12:27:24) 0000000140000000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2f65c07
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2f65c07@1886acd504d1 0x03 0x17 0xAD 0xE3 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2f65c07@dc3ef812912f 0xBD 0xAC 0x5F 0xA6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\001fe2f65c07@407a80974899 0x88 0xE0 0x8D 0x1F ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 13142
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8F 0x4F 0xC4 0xE6 ...
Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\Interfaces\{91387a24-2e47-4f35-98a5-70ea61539555}@Dhcpv6State 0
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2f65c07 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2f65c07@1886acd504d1 0x03 0x17 0xAD 0xE3 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2f65c07@dc3ef812912f 0xBD 0xAC 0x5F 0xA6 ...
Reg HKLM\SYSTEM\ControlSet003\Services\BTHPORT\Parameters\Keys\001fe2f65c07@407a80974899 0x88 0xE0 0x8D 0x1F ...
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet003\Services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0x8F 0x4F 0xC4 0xE6 ...

---- EOF - GMER 2.1 ----