GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-03-07 15:50:30 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST500LT0 rev.0001 465,76GB Running: lkqbjg4n.exe; Driver: C:\Users\Gargamel\AppData\Local\Temp\uxddqpog.sys ---- System - GMER 2.1 ---- SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwCreateThread [0x923C5370] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwLoadDriver [0x923C5430] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSetSystemInformation [0x923C53F0] SSDT \SystemRoot\system32\DRIVERS\ehdrv.sys ZwSystemDebugControl [0x923C53B0] ---- Kernel code sections - GMER 2.1 ---- .text ntkrnlpa.exe!ZwReplaceKey + 1525 8384EB55 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 83888BF2 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} .text ntkrnlpa.exe!KeRemoveQueueEx + 1203 838900D8 4 Bytes [70, 53, 3C, 92] {JO 0x55; CMP AL, 0x92} .text ntkrnlpa.exe!KeRemoveQueueEx + 1313 838901E8 4 Bytes [30, 54, 3C, 92] {XOR [ESP+EDI-0x6e], DL} .text ntkrnlpa.exe!KeRemoveQueueEx + 161F 838904F4 4 Bytes [F0, 53, 3C, 92] {PUSH EBX; CMP AL, 0x92} .text ntkrnlpa.exe!KeRemoveQueueEx + 1667 8389053C 4 Bytes [B0, 53, 3C, 92] {MOV AL, 0x53; CMP AL, 0x92} ---- User code sections - GMER 2.1 ---- .text C:\Program Files\ESET\ESET NOD32 Antivirus\ekrn.exe[1756] kernel32.dll!SetUnhandledExceptionFilter 7734F6AB 4 Bytes [C2, 04, 00, 00] .text C:\Program Files\CCleaner\CCleaner.exe[3508] USER32.dll!SetScrollRange 77038ECD 5 Bytes JMP 010A7701 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3508] USER32.dll!GetScrollInfo 77042DAB 5 Bytes JMP 010A7688 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3508] USER32.dll!SetScrollInfo 770448E2 5 Bytes JMP 010A773E C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3508] USER32.dll!GetScrollRange 77060472 5 Bytes JMP 010A761F C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3508] USER32.dll!SetScrollPos 770604D6 5 Bytes JMP 010A75F4 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3508] USER32.dll!GetScrollPos 77060E5B 5 Bytes JMP 010A765D C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3508] USER32.dll!EnableScrollBar 770619E6 5 Bytes JMP 010A7778 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3508] USER32.dll!ShowScrollBar 77063CA1 5 Bytes JMP 010A76C1 C:\Program Files\CCleaner\CCleaner.exe ---- User IAT/EAT - GMER 2.1 ---- IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusStartup] [74575635] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdiplusShutdown] [745756F3] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipAlloc] [745924A2] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipFree] [7459251D] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDeleteGraphics] [74588581] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDisposeImage] [74584D35] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageWidth] [745850DC] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipGetImageHeight] [745851B1] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateBitmapFromHBITMAP] [745866DE] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCreateFromHDC] [745882D8] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetCompositingMode] [74588827] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipSetInterpolationMode] [74589088] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipDrawImageRectI] [7458E22B] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll IAT C:\Windows\Explorer.EXE[3224] @ C:\Windows\Explorer.EXE [gdiplus.dll!GdipCloneImage] [74584C67] C:\Windows\WinSxS\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.19061_none_72d6d48d86649709\gdiplus.dll ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001167558fa7 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689db29f23 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689db29f23@001167fa9bcb 0x3D 0xDE 0x91 0x1D ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\20689db29f23@905f2e9f5beb 0x2D 0x5A 0x0A 0xBF ... Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\7609c5b303aa Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001167558fa7 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689db29f23 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689db29f23@001167fa9bcb 0x3D 0xDE 0x91 0x1D ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\20689db29f23@905f2e9f5beb 0x2D 0x5A 0x0A 0xBF ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\7609c5b303aa (not active ControlSet) Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Dolby Advanced Audio v2\pcee4.exe 0x2B 0xB0 0x56 0xBC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorIcon.exe 0xA7 0x1F 0x3A 0xBC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Lenovo\Energy Management\Energy Management.exe 0x5B 0x21 0xE3 0xBC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0x35 0x3D 0x44 0xFD ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe 0x4B 0x2A 0xEC 0xFC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\System32\sdiagnhost.exe 0xA4 0x6E 0xCE 0x83 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xE5 0xDD 0xB3 0xE2 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v3.0\WPF\PresentationFontCache.exe 0xAD 0xBC 0x83 0xE0 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Windows\Temp\RunBoot-Temp_.c8644f9b-6b0b-4441-ad41-afdc049d74a1\MatsBoot.exe 0x5E 0x2A 0xD0 0x35 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Program Files\Dolby Advanced Audio v2\pcee4e.exe 0xF8 0x8B 0xC5 0xD6 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Gargamel\Downloads\FRST (2).exe 0xF3 0x1E 0xA0 0x4B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume1\Users\Gargamel\Downloads\FRST.exe 0x0E 0x94 0xD3 0x32 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Program Files\TinyWall\TinyWall.exe 0xBB 0x82 0xE5 0xBC ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xC2 0x63 0x0B 0x34 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\WerFault.exe 0x4F 0x50 0x2A 0xAF ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0x82 0xD7 0x8E 0xD4 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\msiexec.exe 0x4B 0xDC 0x14 0xBA ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\GfxUI.exe 0x7D 0xA1 0xD3 0x36 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Gargamel\Downloads\FRST (2).exe 0x85 0x51 0x32 0x4B ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Users\Gargamel\Downloads\FRST.exe 0xFC 0x3B 0x3B 0x32 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume1\Windows\System32\wbem\WmiPrvSE.exe 0x78 0x93 0x8D 0x0C ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\System\Active@A6B35FB1 1368 ---- EOF - GMER 2.1 ----