GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-01-07 21:22:04 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9250315AS rev.0002SDM1 232,89GB Running: kgtgkb1o.exe; Driver: C:\Users\elza\AppData\Local\Temp\aftcyaog.sys ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwReplaceKey + 1525 8307AB55 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 830B4BB2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe[112] kernel32.dll!LoadLibraryA 7699DD65 5 Bytes JMP 701DAD80 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll .text C:\Program Files\Common Files\Mcafee\Platform\McSvcHost\McSvHost.exe[112] kernel32.dll!LoadLibraryW 7699F042 5 Bytes JMP 701DAE80 C:\Program Files\Common Files\McAfee\McProxy\mcproxy.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] shell32.DLL!RealDriveType + 173D 76F3FD10 4 Bytes [70, C4, 6D, 6F] {JO 0xffffffc6; INS DWORD [ES:EDI], DX; OUTS DX, DWORD [ESI]} .text C:\Program Files\Internet Explorer\iexplore.exe[4160] shell32.DLL!RealDriveType + 1745 76F3FD18 8 Bytes [70, 15, 6D, 6F, 40, C5, 6D, ...] {JO 0x17; INS DWORD [ES:EDI], DX; OUTS DX, DWORD [ESI]; INC EAX; LDS EBP, [EBP+0x6f]} .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WININET.dll!InternetCloseHandle 76351BB0 5 Bytes JMP 6F68D7C0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WININET.dll!HttpOpenRequestW 76355AB0 5 Bytes JMP 6F68D3E0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WININET.dll!InternetConnectW 763596E0 5 Bytes JMP 6F68D150 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WININET.dll!InternetReadFile 76361C80 5 Bytes JMP 6F68D760 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WININET.dll!InternetQueryDataAvailable 76367540 5 Bytes JMP 6F68D810 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WS2_32.dll!closesocket 76523918 5 Bytes JMP 08FBA080 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WS2_32.dll!WSASocketW 76523CD3 7 Bytes JMP 08FBAE60 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WS2_32.dll!socket 76523EB8 5 Bytes JMP 08FC2600 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WS2_32.dll!WSASend 76524406 5 Bytes JMP 08FBEB90 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WS2_32.dll!recv 76526B0E 5 Bytes JMP 08FB9B50 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WS2_32.dll!connect 76526BDD 5 Bytes JMP 08FBA420 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WS2_32.dll!send 76526F01 5 Bytes JMP 08FBFB20 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WS2_32.dll!WSARecv 76527089 5 Bytes JMP 08FC3730 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WS2_32.dll!WSASocketA 7652C82A 5 Bytes JMP 08FB2140 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[4160] WS2_32.dll!WSAConnect 7652CC3F 5 Bytes JMP 08FB8D20 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] shell32.DLL!RealDriveType + 173D 76F3FD10 4 Bytes [70, C4, 6D, 6F] {JO 0xffffffc6; INS DWORD [ES:EDI], DX; OUTS DX, DWORD [ESI]} .text C:\Program Files\Internet Explorer\iexplore.exe[5700] shell32.DLL!RealDriveType + 1745 76F3FD18 8 Bytes [70, 15, 6D, 6F, 40, C5, 6D, ...] {JO 0x17; INS DWORD [ES:EDI], DX; OUTS DX, DWORD [ESI]; INC EAX; LDS EBP, [EBP+0x6f]} .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WININET.dll!InternetCloseHandle 76351BB0 5 Bytes JMP 6F68D7C0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WININET.dll!HttpOpenRequestW 76355AB0 5 Bytes JMP 6F68D3E0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WININET.dll!InternetConnectW 763596E0 5 Bytes JMP 6F68D150 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WININET.dll!InternetReadFile 76361C80 5 Bytes JMP 6F68D760 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WININET.dll!InternetQueryDataAvailable 76367540 5 Bytes JMP 6F68D810 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WS2_32.dll!closesocket 76523918 5 Bytes JMP 0919A080 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WS2_32.dll!WSASocketW 76523CD3 7 Bytes JMP 0919AE60 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WS2_32.dll!socket 76523EB8 5 Bytes JMP 091A2600 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WS2_32.dll!WSASend 76524406 5 Bytes JMP 0919EB90 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WS2_32.dll!recv 76526B0E 5 Bytes JMP 09199B50 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WS2_32.dll!connect 76526BDD 5 Bytes JMP 0919A420 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WS2_32.dll!send 76526F01 5 Bytes JMP 0919FB20 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WS2_32.dll!WSARecv 76527089 5 Bytes JMP 091A3730 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WS2_32.dll!WSASocketA 7652C82A 5 Bytes JMP 09192140 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5700] WS2_32.dll!WSAConnect 7652CC3F 5 Bytes JMP 09198D20 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] shell32.DLL!RealDriveType + 173D 76F3FD10 4 Bytes [70, C4, 6D, 6F] {JO 0xffffffc6; INS DWORD [ES:EDI], DX; OUTS DX, DWORD [ESI]} .text C:\Program Files\Internet Explorer\iexplore.exe[5972] shell32.DLL!RealDriveType + 1745 76F3FD18 8 Bytes [70, 15, 6D, 6F, 40, C5, 6D, ...] {JO 0x17; INS DWORD [ES:EDI], DX; OUTS DX, DWORD [ESI]; INC EAX; LDS EBP, [EBP+0x6f]} .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WININET.dll!InternetCloseHandle 76351BB0 5 Bytes JMP 6F68D7C0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WININET.dll!HttpOpenRequestW 76355AB0 5 Bytes JMP 6F68D3E0 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WININET.dll!InternetConnectW 763596E0 5 Bytes JMP 6F68D150 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WININET.dll!InternetReadFile 76361C80 5 Bytes JMP 6F68D760 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WININET.dll!InternetQueryDataAvailable 76367540 5 Bytes JMP 6F68D810 c:\PROGRA~1\mcafee\SITEAD~1\mcieplg.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WS2_32.dll!closesocket 76523918 5 Bytes JMP 088AA080 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WS2_32.dll!WSASocketW 76523CD3 7 Bytes JMP 088AAE60 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WS2_32.dll!socket 76523EB8 5 Bytes JMP 088B2600 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WS2_32.dll!WSASend 76524406 5 Bytes JMP 088AEB90 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WS2_32.dll!recv 76526B0E 5 Bytes JMP 088A9B50 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WS2_32.dll!connect 76526BDD 5 Bytes JMP 088AA420 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WS2_32.dll!send 76526F01 5 Bytes JMP 088AFB20 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WS2_32.dll!WSARecv 76527089 5 Bytes JMP 088B3730 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WS2_32.dll!WSASocketA 7652C82A 5 Bytes JMP 088A2140 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll .text C:\Program Files\Internet Explorer\iexplore.exe[5972] WS2_32.dll!WSAConnect 7652CC3F 5 Bytes JMP 088A8D20 C:\Users\elza\AppData\Local\CantharisIncineration\MussilyDenseness.dll ---- EOF - GMER 2.1 ----