GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-04-14 01:12:13
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\00000079 PLEXTOR_ rev.1.03 119,24GB
Running: z30h244y.exe; Driver: C:\Users\SEBAST~1\AppData\Local\Temp\kwtyauow.sys

---- User code sections - GMER 2.2 ----

.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000777c1401 2 bytes JMP 767cb233 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000777c1419 2 bytes JMP 767cb35e C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000777c1431 2 bytes JMP 76849011 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000777c144a 2 bytes CALL 767a48ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777c14dd 2 bytes JMP 7684890a C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777c14f5 2 bytes JMP 76848ae0 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000777c150d 2 bytes JMP 76848800 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000777c1525 2 bytes JMP 76848bca C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000777c153d 2 bytes JMP 767bfcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000777c1555 2 bytes JMP 767c6907 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000777c156d 2 bytes JMP 768490c9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000777c1585 2 bytes JMP 76848c2a C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000777c159d 2 bytes JMP 768487c4 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777c15b5 2 bytes JMP 767bfd59 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777c15cd 2 bytes JMP 767cb2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777c16b2 2 bytes JMP 76848f8c C:\Windows\syswow64\kernel32.dll
.text C:\Windows\system32\PnkBstrA.exe[1792] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777c16bd 2 bytes JMP 76848759 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000777c1401 2 bytes JMP 767cb233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000777c1419 2 bytes JMP 767cb35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000777c1431 2 bytes JMP 76849011 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000777c144a 2 bytes CALL 767a48ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777c14dd 2 bytes JMP 7684890a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777c14f5 2 bytes JMP 76848ae0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000777c150d 2 bytes JMP 76848800 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000777c1525 2 bytes JMP 76848bca C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000777c153d 2 bytes JMP 767bfcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000777c1555 2 bytes JMP 767c6907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000777c156d 2 bytes JMP 768490c9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000777c1585 2 bytes JMP 76848c2a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000777c159d 2 bytes JMP 768487c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777c15b5 2 bytes JMP 767bfd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777c15cd 2 bytes JMP 767cb2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777c16b2 2 bytes JMP 76848f8c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Bloody5\Bloody5\Bloody5.exe[3080] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777c16bd 2 bytes JMP 76848759 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000777c1401 2 bytes JMP 767cb233 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000777c1419 2 bytes JMP 767cb35e C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000777c1431 2 bytes JMP 76849011 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000777c144a 2 bytes CALL 767a48ad C:\Windows\syswow64\KERNEL32.dll
.text ... * 9
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777c14dd 2 bytes JMP 7684890a C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777c14f5 2 bytes JMP 76848ae0 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000777c150d 2 bytes JMP 76848800 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000777c1525 2 bytes JMP 76848bca C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000777c153d 2 bytes JMP 767bfcc0 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000777c1555 2 bytes JMP 767c6907 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000777c156d 2 bytes JMP 768490c9 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000777c1585 2 bytes JMP 76848c2a C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000777c159d 2 bytes JMP 768487c4 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777c15b5 2 bytes JMP 767bfd59 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777c15cd 2 bytes JMP 767cb2f4 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777c16b2 2 bytes JMP 76848f8c C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files\Intel\Intel(R) Rapid Storage Technology\IAStorDataMgrSvc.exe[3828] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777c16bd 2 bytes JMP 76848759 C:\Windows\syswow64\KERNEL32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 00000000777c1401 2 bytes JMP 767cb233 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 00000000777c1419 2 bytes JMP 767cb35e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 00000000777c1431 2 bytes JMP 76849011 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 00000000777c144a 2 bytes CALL 767a48ad C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 00000000777c14dd 2 bytes JMP 7684890a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 00000000777c14f5 2 bytes JMP 76848ae0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 00000000777c150d 2 bytes JMP 76848800 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 00000000777c1525 2 bytes JMP 76848bca C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 00000000777c153d 2 bytes JMP 767bfcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 00000000777c1555 2 bytes JMP 767c6907 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 00000000777c156d 2 bytes JMP 768490c9 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 00000000777c1585 2 bytes JMP 76848c2a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 00000000777c159d 2 bytes JMP 768487c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 00000000777c15b5 2 bytes JMP 767bfd59 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 00000000777c15cd 2 bytes JMP 767cb2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 00000000777c16b2 2 bytes JMP 76848f8c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\DAL\jhi_service.exe[5044] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 00000000777c16bd 2 bytes JMP 76848759 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.2 ----

Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3636:2708] 000007fefb782af8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3636:2760] 000007fee4858f70
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [3636:4384] 000007fef9c85124
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3316:3368] 00000000757f7587
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3316:840] 00000000660a9946
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3316:1168] 0000000077dcc6d7
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3316:2504] 0000000077de29b1
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3316:3640] 0000000077de29b1
Thread C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe [3316:4364] 0000000077de29b1

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\303a64e16035
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\Programy\DAEMON Tools Lite\
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\303a64e16035 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\19659239224E364682FA4BAF72C53EA4@p0 D:\Programy\DAEMON Tools Lite\

---- Files - GMER 2.2 ----

File C:\Users\Sebastian\AppData\Local\Temp\tmp97EF.tmp 0 bytes

---- EOF - GMER 2.2 ----