GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2017-02-08 12:05:03 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002e WDC_WD10S12X-55JTET0 rev.01.01A05 946,43GB Running: 655vyk07.exe; Driver: C:\Users\TEMP\AppData\Local\Temp\kwtdqkoc.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff96000131800 15 bytes [C0, BB, ED, 01, 40, 02, 6A, ...] .text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 16 fffff96000131810 11 bytes [00, 7E, FC, FF, 00, A7, B2, ...] ---- User code sections - GMER 2.2 ---- .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleInformation 00007ffbae213e10 7 bytes JMP 00007ffbad4002d0 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\KERNEL32.DLL!RegQueryValueExW 00007ffbae213e20 7 bytes JMP 00007ffbad400308 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExW 00007ffbae2c39b0 7 bytes JMP 00007ffbad4003b0 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\KERNEL32.DLL!RegDeleteValueW 00007ffbae2c3ef0 7 bytes JMP 00007ffbad400340 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\KERNEL32.DLL!RegSetValueExA 00007ffbae2c3fe0 7 bytes JMP 00007ffbad400378 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\KERNEL32.DLL!K32EnumProcessModulesEx 00007ffbae2f06c0 7 bytes JMP 00007ffbad400228 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\KERNEL32.DLL!K32GetMappedFileNameW 00007ffbae2f0730 7 bytes JMP 00007ffbad400298 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\KERNEL32.DLL!K32GetModuleFileNameExW 00007ffbae2f0760 7 bytes JMP 00007ffbad400260 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\KERNELBASE.dll!FreeLibrary 00007ffbad4121d0 5 bytes JMP 00007ffbad400180 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleW 00007ffbad4129d0 7 bytes JMP 00007ffbad4000d8 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\KERNELBASE.dll!GetModuleHandleExW 00007ffbad414310 5 bytes JMP 00007ffbad400110 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\KERNELBASE.dll!LoadLibraryExW 00007ffbad418c40 5 bytes JMP 00007ffbad400148 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\USER32.dll!CreateWindowExW 00007ffbadc96d80 10 bytes JMP 00007ffbad400490 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesW 00007ffbadca55c0 5 bytes JMP 00007ffbad400458 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\USER32.dll!DisplayConfigGetDeviceInfo 00007ffbadca5680 9 bytes JMP 00007ffbad4003e8 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\USER32.dll!EnumDisplayDevicesA 00007ffbadcab080 5 bytes JMP 00007ffbad400420 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\GDI32.dll!D3DKMTGetDisplayModeList 00007ffbaded1500 8 bytes JMP 00007ffbad4001b8 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\system32\GDI32.dll!D3DKMTQueryAdapterInfo 00007ffbaded1750 8 bytes JMP 00007ffbad4001f0 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\System32\dxgi.dll!CreateDXGIFactory 00007ffbaaf47750 5 bytes JMP 00007ffbaadc00d8 .text C:\WINDOWS\System32\dwm.exe[8024] C:\WINDOWS\System32\dxgi.dll!CreateDXGIFactory1 00007ffbaaf48ee0 5 bytes JMP 00007ffbaadc0110 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\csrss.exe [8868:8836] fffff9600085a2d0 ---- Services - GMER 2.2 ---- Service C:\WINDOWS\system32\drivers\aswHdsKe.sys (*** hidden *** ) [MANUAL] aswHdsKe <-- ROOTKIT !!! ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -845993675 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswHdsKe Reg HKLM\SYSTEM\CurrentControlSet\Services\aswHdsKe@Type 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswHdsKe@Start 3 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswHdsKe@ErrorControl 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswHdsKe@ImagePath \??\C:\WINDOWS\system32\drivers\aswHdsKe.sys Reg HKLM\SYSTEM\CurrentControlSet\Services\aswHdsKe@DisplayName aswHdsKe Reg HKLM\SYSTEM\CurrentControlSet\Services\aswHdsKe@WOW64 1 Reg HKLM\SYSTEM\CurrentControlSet\Services\aswHdsKe Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14742730330782280@SetupOperations ???0?????0?0?1??????????????????????????????????????????????????????????????? ???????0???????????0???????? ??? ??????????????????????0??????Commited?F???0?0?0?0?0?0?0?0?????????????.?????t?/???????????C?????tra???????0???S??????wa???????????????0???t???????s?????0?????1?1?1?2?2??????????????????????????????????????????????4???????????????? ???????/?????2?????0??????????P?.??????n???????????????#???0?0?0?0?0?0?0?0?????????????????????????????8????????????P??0???d??????????\SystemRoot\system32\drivers\aswSnx.sys?ys???_???????0?????????e 8??aswSnx?c?3????0??0???????U??FSFilter Virtualization?02???????0??????????????FltMgr???_????L??0???_?????n72??avast! virtualization driver (aswSnx)????? ??2???????????e???0??????????????MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js.147738346035901","\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js",TRUE)?MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js.s Reg HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters\Instup_14742730685782280@SetupOperations ???0?????1?1?1?2?2??????????????????????????????????????????????4???????????????? ???????/?????2?????0??????????P?.??????n???????????????#???0?0?0?0?0?0?0?0?????????????????????????????8????????????P??0???d??????????\SystemRoot\system32\drivers\aswSnx.sys?ys???_???????0?????????e 8??aswSnx?c?3????0??0???????U??FSFilter Virtualization?02???????0??????????????FltMgr???_????L??0???_?????n72??avast! virtualization driver (aswSnx)????? ??2???????????e???0??????????????MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js.147738346035901","\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js",TRUE)?MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js.sum.147738346035901","\??\c:\program files\avast software\avast\webrep\ie\templates\safeshop\safeshop.js.sum",TRUE)?MoveFile("\??\c:\program files\avast software\avast\webrep\ie\templates\show_safeshop_toolbar.js.147738346035901","\??\c:\program files\avast sof Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\0c8bfd8c2912 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0002 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0002@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0002@Bluetooth_UniqueID {00001116-0000-1000-8000-00805f9b34fb}#44D4E079C64A_C00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0002@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0003 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0003@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0003@Bluetooth_UniqueID {0000110a-0000-1000-8000-00805f9b34fb}#44D4E079C64A_C00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0003@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0005 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0005@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0005@Bluetooth_UniqueID {0000111f-0000-1000-8000-00805f9b34fb}#44D4E079C64A_C00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0005@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0006 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0006@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0006@Bluetooth_UniqueID {0000110c-0000-1000-8000-00805f9b34fb}#44D4E079C64A_C00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0006@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0007 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0007@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0007@Bluetooth_UniqueID {00001105-0000-1000-8000-00805f9b34fb}#44D4E079C64A_C00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0007@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0008 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0008@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0008@Bluetooth_UniqueID {00000000-0000-0000-0000-000000000000}#44D4E079C64A_00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0008@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0009 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0009@BackupContext 0x02 0x00 0x00 0x00 ... Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0009@Bluetooth_UniqueID {00001112-0000-1000-8000-00805f9b34fb}#44D4E079C64A_C00000000 Reg HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0009@ConnectionCount 0 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 10817 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 2942 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters@DhcpNameServer 192.168.1.1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1432318-FFBC-4B52-B78D-15A16B346E82}@DhcpServer 192.168.1.1 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1432318-FFBC-4B52-B78D-15A16B346E82}@Lease 604800 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1432318-FFBC-4B52-B78D-15A16B346E82}@LeaseObtainedTime 1486549880 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1432318-FFBC-4B52-B78D-15A16B346E82}@T1 1486852280 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1432318-FFBC-4B52-B78D-15A16B346E82}@T2 1487079080 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1432318-FFBC-4B52-B78D-15A16B346E82}@LeaseTerminatesTime 1487154680 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1432318-FFBC-4B52-B78D-15A16B346E82}@DhcpIPAddress 192.168.1.5 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1432318-FFBC-4B52-B78D-15A16B346E82}@DhcpDefaultGateway 192.168.1.1? Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{A1432318-FFBC-4B52-B78D-15A16B346E82}@DhcpNameServer 192.168.1.1 Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\1@RwMask 0x64 0x62 0x03 0x00 ... ---- EOF - GMER 2.2 ----