GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-11-09 15:44:06
Windows 6.1.7601 Service Pack 1 x64
\Device\Harddisk1\DR1 -> \Device\Ide\IAAStorageDevice-1 ST1000LM rev.LVD3 931,51GB
Running: gmer.exe; Driver: C:\Users\user\AppData\Local\Temp\kwtdapob.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!W32pServiceTable      fffff96000145200 7 bytes [C0, 73, F3, FF, 41, 83, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff96000145208 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17      0000000075061401 2 bytes JMP 75cdb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17        0000000075061419 2 bytes JMP 75cdb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17      0000000075061431 2 bytes JMP 75d58fd1 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42      000000007506144a 2 bytes CALL 75cb489d C:\Windows\syswow64\kernel32.dll
.text  ...
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17         00000000750614dd 2 bytes JMP 75d588c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000750614f5 2 bytes JMP 75d58aa0 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17         000000007506150d 2 bytes JMP 75d587ba C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075061525 2 bytes JMP 75d58b8a C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17        000000007506153d 2 bytes JMP 75ccfca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17             0000000075061555 2 bytes JMP 75cd68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17      000000007506156d 2 bytes JMP 75d59089 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17        0000000075061585 2 bytes JMP 75d58bea C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17           000000007506159d 2 bytes JMP 75d5877e C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17        00000000750615b5 2 bytes JMP 75ccfd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17      00000000750615cd 2 bytes JMP 75cdb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000750616b2 2 bytes JMP 75d58f4c C:\Windows\syswow64\kernel32.dll
.text  C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000750616bd 2 bytes JMP 75d58713 C:\Windows\syswow64\kernel32.dll

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002713a05e70
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\402cf415919d
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\402cf47a071b
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\402cf48a0ab1
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\70f3955f9606
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52af842fde
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52af842fde@78923e978df0  0xFE 0xD5 0xFE 0x47 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Linkage@Export  ????????????A-???????????????????d??6-21-2006???????????????????????? 0??????.??????????@????????????????????????????????????D??????{C??????A-??????????????????????????????????? ?????????????????????,????????????'????????????????????}???????????????????????{????????21D0????N?????????????????ed??{1BF6CB2D-2AE0-4879-A7AA-A75834FBD0E3}??????%SystemRoot%\System32\IWMSSvc.dll???MsPorts.dll,SerialPortPropPageProvider??????? ???????3?????3????GenericSerial???? ???@???????????????????????????????????????????????????????????????????????????????n??????t%??????1???????????????????????1????????????????????????m??????????????????????wdmaud.drv???e??? ???????i??????????????????????6-21-2006???????9-??? ???????@???????????????????? ?^???????33??.NT?????{8ECC055D-047F-11D1-A537-0000F8753ED1}??am??????????????????????????er???????????????????????-??????1B??????.NT?25???????????????????????????-?????????DF8??BTHMODEM????Microsoft????????????{??sD????????????????lash???????????6??1.??????os???????????????????????d??Port_#0002.
Reg  HKLM\SYSTEM\CurrentControlSet\services\LanmanWorkstation\Linkage@Export  ?????????????????????m????X?????????????????????????70??? ???????n?????????????,????????J???????????????????????????Provides registry access to all Intel? PROSet/Wireless Software components??????? ???????v?????????????:????????N????????d??{3B21D9BF-5BEC-42F5-A150-3842FFED01B9}??W????????????1??_0??????????????????? ???????????????????j?0????????????????????????????????????????? 0??????|???????|???????????????????.??????????????????????????? ???????u?????????????,????????????&????????????????????D??? ???????u?????????????,????????????&????????????????????B??? ??????????????????7&1170d554&1????????????????????????? ???????????????????p?:????????h?????????????h?????H???@???????@???????H???????????????????????????? ???????????????????p?:????????h?????????????h?????H???@???????@???????H???????????????????????????? ???????v?????????????:????????N???????????? ???????v?????????????:????????N???????????? ???????????????????s?:????????h???????H???? ???????v?????????????:????????N??????294??????????????? ?????????????
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002713a05e70 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\402cf415919d (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\402cf47a071b (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\402cf48a0ab1 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\70f3955f9606 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52af842fde (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\cc52af842fde@78923e978df0  0xFE 0xD5 0xFE 0x47 ...
Reg  HKLM\SYSTEM\ControlSet002\services\LanmanServer\Linkage@Export  ???p????????????????????t???????????????t????????????????????????l?n?n???n??Tcpip????????u???t????????????????????????????????????????T??n????????h?????\SystemRoot\system32\drivers\BrFiltLo.sys?????Z??n?????????e????Brother USB Mass-Storage Lower Filter Driver?????????n??????p???extended base????n?n?n?n?n?n?n????X??n???????????d??brmfcsto.inf_amd64_neutral_2d7208355536945e?????????????????t???????????????????????????? ???????n?????????????,????????R?.???????????:????????????e?????????n?????????e??????????????????s??????????}?????????????????????g?????z??????????????????t???SCSI CDROM Class?????????????p??? ????????????????????????????????????????????s??????????n??????????????? ???????n?????b???????????????????????????????n????? ???????n?????n?????????? ????????????????????n????? ???????n???????????n??????????????????s???????`?????????s????????n????? ???????n??????????????????????????????????? ???????n?????n???????,?????????????????????????&???&??? ???????n?????n?????????? ????????????????????n???n?????n?????
Reg  HKLM\SYSTEM\ControlSet002\services\LanmanWorkstation\Linkage@Export  ???????????????.1.??@%SystemRoot%\system32\tcpipcfg.dll,-50004??????? ???????u?????t?????t?????????????? ?????????????????????5?????? ???????n?????u?????t??????????T?????????????????????????????????:??u????????h??????????????????????????????????????????????????????????????????????????????u??@%systemroot%\system32\drivers\RDPENCDD.sys,-100?????}?}?????????????????????????????????????????%???%??????????? ???????u?????l?????t?????????????? ????????????????u??????????? ???????u???????????t??????????????????????????????????????t???? ???????n???????????u??????????V????????????????????????????????u??????p????u?u?u????????????????????????P??u????????h?????\SystemRoot\system32\drivers\nv_agp.sys??????u?u?u????:??u?????????e????NVIDIA nForce AGP Bus Filter????PnP Filter???????u?u?u?u?u?u?u????V??u???????????d??machine.inf_amd64_neutral_9e6bb86c3b39a3e9??????????????????t???????? ???????n???????????u??????????Z?????????????????????????????????????????????????T??u????????h?????\SystemRoot\system32\drivers\ohci1394.sys??

---- EOF - GMER 2.1 ----
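Triaging a report like this means pulling the entries apart rather than reading eighteen near-identical hook lines by eye: which process and PID, which export, how many bytes were overwritten, and which module the JMP or CALL lands in. The parser below is an added example and is not part of GMER or of this log; the regular expressions are mine and assume the GMER 2.1 line layout exactly as it appears above (kernel patch, user-mode hook, registry entry). The sample input is a constructed subset of lines copied from this log so the code runs offline. In this report every PSAPI.DLL hook in RunDll32.exe[4908] lands in kernel32.dll; whether that redirect pattern is expected for this Windows build is a question for a known-clean baseline of the same OS, and `redirect_pairs` produces exactly the summary you would diff against such a baseline.

```python
import re
from collections import Counter
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample: a subset of lines copied from the GMER log above, with its section banners.
SAMPLE_LOG = r"""
---- Kernel code sections - GMER 2.1 ----
.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000145200 7 bytes [C0, 73, F3, FF, 41, 83, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff96000145208 3 bytes [C0, 06, 02]
---- User code sections - GMER 2.1 ----
.text C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000075061401 2 bytes JMP 75cdb21b C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 000000007506144a 2 bytes CALL 75cb489d C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\RunDll32.exe[4908] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000075061555 2 bytes JMP 75cd68ef C:\Windows\syswow64\kernel32.dll
---- Registry - GMER 2.1 ----
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\002713a05e70
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\cc52af842fde@78923e978df0 0xFE 0xD5 0xFE 0x47 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\002713a05e70 (not active ControlSet)
---- EOF - GMER 2.1 ----
"""

@dataclass
class KernelPatch:
    module: str
    symbol: str
    offset: int
    address: int
    patched_bytes: List[str]   # bytes GMER found at the patched location

@dataclass
class UserHook:
    process: str
    pid: int
    module: str
    symbol: str
    offset: int
    address: int
    kind: str                  # "JMP" or "CALL"
    target: int
    target_module: str         # module the JMP/CALL lands in

@dataclass
class RegEntry:
    path: str                  # key, or key@value followed by the dumped data
    note: Optional[str]        # e.g. "not active ControlSet"

@dataclass
class GmerReport:
    kernel: List[KernelPatch] = field(default_factory=list)
    user: List[UserHook] = field(default_factory=list)
    registry: List[RegEntry] = field(default_factory=list)
    unparsed: List[str] = field(default_factory=list)

# ".text <proc>[<pid>] <module>!<symbol> [+ <off>] <addr> <n> bytes JMP|CALL <target> <module>"
USER_HOOK = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+(?P<module>\S+)!(?P<symbol>\w+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+(?P<address>[0-9a-f]+)\s+\d+\s+bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9a-f]+)\s+(?P<target_module>\S+)$", re.I)
# ".text <module>!<symbol> [+ <off>] <addr> <n> bytes [<hex>, ...]"
KERNEL_PATCH = re.compile(
    r"^\.text\s+(?P<module>\S+)!(?P<symbol>\w+)(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9a-f]+)\s+\d+\s+bytes\s+\[(?P<bytes>[^\]]*)\]$", re.I)
# "Reg <key>[@<value> <data>] [(not active ControlSet)]"
REG_ENTRY = re.compile(r"^Reg\s+(?P<path>.*?)(?:\s+\((?P<note>not active ControlSet)\))?$")

def parse_gmer(text: str) -> GmerReport:
    """Parse GMER's text report into typed entries; lines it can't parse are kept."""
    report = GmerReport()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("----"):      # blank line or section banner
            continue
        if m := USER_HOOK.match(line):
            report.user.append(UserHook(
                m["process"], int(m["pid"]), m["module"], m["symbol"], int(m["offset"] or 0),
                int(m["address"], 16), m["kind"].upper(), int(m["target"], 16), m["target_module"]))
        elif m := KERNEL_PATCH.match(line):
            report.kernel.append(KernelPatch(
                m["module"], m["symbol"], int(m["offset"] or 0), int(m["address"], 16),
                [b.strip() for b in m["bytes"].split(",") if b.strip()]))
        elif m := REG_ENTRY.match(line):
            report.registry.append(RegEntry(m["path"], m["note"]))
        else:
            report.unparsed.append(line)
    return report

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def redirect_pairs(report: GmerReport) -> Counter:
    """Hook count per (patched module -> landing module) pair; diff this against a clean baseline."""
    return Counter((basename(h.module), basename(h.target_module)) for h in report.user)

def cross_module_hooks(report: GmerReport) -> List[UserHook]:
    """Hooks whose JMP/CALL leaves the patched module."""
    return [h for h in report.user if basename(h.module) != basename(h.target_module)]

if __name__ == "__main__":
    r = parse_gmer(SAMPLE_LOG)
    for (src, dst), n in redirect_pairs(r).items():
        print(f"{n} hook(s) redirect {src} -> {dst}; kernel patches: {len(r.kernel)}")
```

Run it on the full report by reading the log file into `parse_gmer` instead of `SAMPLE_LOG`; anything that lands in `unparsed` (the header lines, the truncated `.text ...` entry) is a cue to extend the patterns rather than silently drop a line.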