GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-12-01 17:16:53
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GS00 465,76GB
Running: gmer.exe; Driver: C:\Users\USER\AppData\Local\Temp\kxdiqpob.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files\AVAST Software\Avast\avastui.exe[2336] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000076228791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075dc1401 2 bytes JMP 7624b233 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075dc1419 2 bytes JMP 7624b35e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075dc1431 2 bytes JMP 762c9011 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  0000000075dc144a 2 bytes CALL 762248ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  0000000075dc14dd 2 bytes JMP 762c890a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  0000000075dc14f5 2 bytes JMP 762c8ae0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  0000000075dc150d 2 bytes JMP 762c8800 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075dc1525 2 bytes JMP 762c8bca C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  0000000075dc153d 2 bytes JMP 7623fcc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075dc1555 2 bytes JMP 76246907 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  0000000075dc156d 2 bytes JMP 762c90c9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075dc1585 2 bytes JMP 762c8c2a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  0000000075dc159d 2 bytes JMP 762c87c4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  0000000075dc15b5 2 bytes JMP 7623fd59 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  0000000075dc15cd 2 bytes JMP 7624b2f4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  0000000075dc16b2 2 bytes JMP 762c8f8c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\Intel\Bluetooth\mediasrv.exe[4452] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  0000000075dc16bd 2 bytes JMP 762c8759 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread  C:\Windows\System32\svchost.exe [3476:3360]  000007feee4d9688

---- Processes - GMER 2.1 ----

Library  C:\ProgramData\Mobile Partner\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [3312](2015-12-07 18:37:18)  000000006fbc0000
Library  C:\ProgramData\Mobile Partner\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [3312](2015-12-07 18:37:18)  000000006e940000
Library  C:\ProgramData\Mobile Partner\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [3312](2015-12-07 18:37:18)  000000006a1c0000
Library  C:\ProgramData\Mobile Partner\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [3312](2015-12-07 18:37:18)  000000006ff00000
Library  C:\ProgramData\Mobile Partner\OnlineUpdate\QueryStrategy.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [3312](2015-12-07 18:37:18)  000000006efc0000
Library  C:\ProgramData\Mobile Partner\OnlineUpdate\QtXml4.dll (*** suspicious ***) @ C:\ProgramData\Mobile Partner\OnlineUpdate\ouc.exe [3312](2015-12-07 18:37:18)  000000006ed40000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14677431450612272@SetupOperations  ???w?z???????????,??10??|????????;?????????P????v2.10|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|App=%ProgramFiles%\Windows Media Player\wmplayer.exe|Name=@FirewallAPI.dll,-31011|Desc=@FirewallAPI.dll,-31014|EmbedCtxt=@FirewallAPI.dll,-31002|?????????;???;???????????;???&???????i???????????????????S????H?X??????4?????????? ????????????????? ???????????CSCFlags=2048?MaxUses=4294967295?Path=C:\Users?Permissions=0?Remark=?ShareName=Users?Type=0??w???????;???-???0???????????;???;???????????;???????;?????????????????e????v2.10|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Domain|LPort=2177|App=%SystemRoot%\system32\svchost.exe|Svc=Qwave|Name=@FirewallAPI.dll,-31253|Desc=@FirewallAPI.dll,-31256|EmbedCtxt=@FirewallAPI.dll,-31252|?????????R??;?????????n????@%SystemRoot%\system32\wlansvc.dll,-4102?????????;??????????????????????????? ???????;???????????:??????????R?????1?????????????1?????R??;??????????????@%SystemRoot%\system32\wlansvc.dll,-4103?????;????R??;?????????n????@%SystemRoot%\system32\wlansvc.dll,
Reg  HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14677431849822272@SetupOperations  ???x?????????????????l??????In??@usbport.inf,%generic.mfg%;(Standardowy kontroler hosta USB)??????R??????|?????t?}???????w???5??????????????????????? 0??????8?????896??disk?????????????a???????????????????????\?`?`?d?x?y????????ic??soft????{00000000-0000-0000-0000-000000000000}?\RO?????????????x?z??????????????????????????????????????t????????????f???????????????p?????s96??{8ECC055D-047F-11D1-A537-0000F8753ED1}?NS-??53ED1}?NS-??? ???????{??????????? ??????????????????{5d624f94-8850-40c3-a3fa-a4fd2080baf3}\vwifimp??D-???????@??????????????*teredo?????.NT?so????N??????4??????62???f??????????{533c5b84-ec70-11d2-9505-00c04f79deaf}\0005?????Sterownik Mened?era wolumin?w???Typ?????????????STORAGE\VolumeSnapshot??s??????????????g????? ???k???????????????????????????????????e??????$???4????? ??????? ??????????????????????????????????????????????????????? ??????????? ??????????? ??????????????? ????????6??HJ???????????_???????_???_???_???????????????6???????_???_???_???????????????????????_?????????????????? ????????
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\685d434f6301
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\685d4362dfc6
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\685d4362dfc6@a04e04afe210  0x58 0x11 0x75 0x2E ...
Reg  HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14677431450612272@SetupOperations  ????????{00000000-0000-0000-FFFF-FFFFFFFFFFFF}??????? ???????????????????t?0????????????????????? ?????????????????????0?????????????????????????????????????????????????????????e????????f??????e????h?????????????@volsnap.inf,%msft%;Microsoft???????????6.1.7601.17577?\?\???p??STORAGE\VolumeSnapshot??????{533c5b84-ec70-11d2-9505-00c04f79deaf}\0030?ex??????????????????????????{00000000-0000-0000-0000-000000000000}???????????????7??????????????????? l??????l??????????STORAGE\VOLUMESNAPSHOT\HARDDISKVOLUMESNAPSHOT13??????????????{???|??USB?????????????? ??????????????????? ???????D??????n???{533c5b84-ec70-11d2-9505-00c04f79deaf}\0022?????? ?????????????????????0????????????????????.NTAMD64?_????N?????????????76??DiskDrive???????????? ???????????????????d?0?????????????????????t?{?|?}????????????????????ed??????????????????????????@disk.inf,%disk_devdesc%;Stacja dysk?w???????????????_??YE???????b???????????d??? 0??????t??????????? ?????????????????????????????????s????volume_snapshot_install??????????????????t?????
Reg  HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14677431849822272@SetupOperations  ????????{18B726BB-6FE6-4FB9-9276-ED57CE7C7CB2}??????6-21-2006???? ???????????????????s?0????????(? ?*??????????????????????}????v2.10|Action=Allow|Active=TRUE|Dir=In|App=C:\Program Files\Intel\WiFi\bin\PanDhcpDns.exe|Name=Wireless PAN DHCP Server|EmbedCtxt=MyWiFiDHCPDNS|?C1??Port_#0001.Hub_#0001?S???????????????????????????????j??????????????????????*isatap?????usbcdcacm bus???v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|LPort=5358|RA4=LocalSubnet|RA6=LocalSubnet|App=System|Name=@FirewallAPI.dll,-32813|Desc=@FirewallAPI.dll,-32814|EmbedCtxt=@FirewallAPI.dll,-32752|???????&???????;???????????????????;??tunnel???Z??????????? ???????????????????k?0???????????{????????? ?????????????????????0????????????????????? ???????????????????????\???????????????????????????????????????w??????????e???? ???????e???????e???????????????o?o?o?o?o?o?o?o?o?o?o?o?o??\W???????j??????????????????????? x???????????????????X?????????????VolumeSnapshot??????v2.10|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\685d434f6301 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\685d4362dfc6 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\685d4362dfc6@a04e04afe210  0x58 0x11 0x75 0x2E ...

---- EOF - GMER 2.1 ----