GMER 2.1.19155 - http://www.gmer.net Rootkit scan 2013-03-04 16:51:08 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST9250315AS rev.0020LVM1 232,89GB Running: k9xw5k2v.exe; Driver: C:\Users\krzysiek\AppData\Local\Temp\axldypow.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[1384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000075691465 2 bytes [69, 75] .text C:\Program Files (x86)\VMware\VMware Workstation\vmware-authd.exe[1384] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 00000000756914bb 2 bytes [69, 75] .text ... * 2 .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\taskhost.exe[2808] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\system32\Dwm.exe[2872] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\Dwm.exe[2872] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\Dwm.exe[2872] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\Dwm.exe[2872] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\Explorer.EXE[3096] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\Explorer.EXE[3096] C:\Windows\system32\WS2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\Explorer.EXE[3096] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\Explorer.EXE[3096] C:\Windows\system32\WS2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4080] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4080] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4080] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Realtek\Audio\HDA\RAVCpl64.exe[4080] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\System32\igfxtray.exe[2792] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\igfxtray.exe[2792] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\igfxtray.exe[2792] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\igfxtray.exe[2792] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\System32\hkcmd.exe[416] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\hkcmd.exe[416] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\hkcmd.exe[416] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\hkcmd.exe[416] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\System32\igfxpers.exe[1052] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\igfxpers.exe[1052] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\igfxpers.exe[1052] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\igfxpers.exe[1052] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3216] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3216] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3216] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Synaptics\SynTP\SynTPEnh.exe[3216] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\System32\TpShocks.exe[1512] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\TpShocks.exe[1512] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\TpShocks.exe[1512] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\TpShocks.exe[1512] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATICDE.EXE[2840] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATICDE.EXE[2840] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATICDE.EXE[2840] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\System32\spool\drivers\x64\3\E_IATICDE.EXE[2840] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1556] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1556] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1556] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\Synaptics\SynTP\SynTPLpr.exe[1556] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[2408] C:\Windows\system32\WS2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[2408] C:\Windows\system32\WS2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[2408] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Program Files\ThinkPad\Bluetooth Software\BTTray.exe[2408] C:\Windows\system32\WS2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} .text C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe[3644] C:\Windows\syswow64\WS2_32.dll!ioctlsocket + 38 00000000757930aa 7 bytes JMP 00000001032c0095 .text C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe[3644] C:\Windows\syswow64\WS2_32.dll!recv + 202 0000000075796bd8 7 bytes JMP 00000001032c002d .text C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe[3644] C:\Windows\syswow64\WS2_32.dll!WSARecv + 185 0000000075797142 7 bytes JMP 00000001032c00c9 .text C:\Program Files (x86)\Google\Gmail Notifier\gnotify.exe[3644] C:\Windows\syswow64\WS2_32.dll!WSARecvFrom + 148 000000007579cc3a 7 bytes JMP 00000001032c0061 .text C:\Windows\system32\wuauclt.exe[3964] C:\Windows\system32\ws2_32.dll!connect + 1 000007fefdf745c1 5 bytes {JMP QWORD [RIP-0x7fef458e]} .text C:\Windows\system32\wuauclt.exe[3964] C:\Windows\system32\ws2_32.dll!getsockname 000007fefdf79480 6 bytes {JMP QWORD [RIP-0x7fed9416]} .text C:\Windows\system32\wuauclt.exe[3964] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fefdf9e0f0 6 bytes {JMP QWORD [RIP-0x7fefe0be]} .text C:\Windows\system32\wuauclt.exe[3964] C:\Windows\system32\ws2_32.dll!getpeername 000007fefdf9e450 6 bytes {JMP QWORD [RIP-0x7fefe3ae]} ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\svchost.exe [580:1708] 000007fefc1a8274 Thread C:\Windows\system32\svchost.exe [580:2836] 000007fefc1a8274 Thread C:\Windows\System32\spoolsv.exe [1280:2252] 000007fef55610c8 Thread C:\Windows\System32\spoolsv.exe [1280:2260] 000007fef5526144 Thread C:\Windows\System32\spoolsv.exe [1280:2264] 000007fef5315fd0 Thread C:\Windows\System32\spoolsv.exe [1280:2268] 000007fef5303438 Thread C:\Windows\System32\spoolsv.exe [1280:2272] 000007fef53163ec Thread C:\Windows\System32\spoolsv.exe [1280:2280] 000007fef5615e5c Thread C:\Windows\System32\spoolsv.exe [1280:2284] 000007fef5645074 Thread C:\Windows\System32\spoolsv.exe [1280:2860] 000007fef56b2288 Thread C:\Windows\System32\spoolsv.exe [1280:2876] 000007fef55f7b4c Thread C:\Windows\system32\svchost.exe [1308:1620] 000007fefa2035c0 Thread C:\Windows\system32\svchost.exe [1308:2472] 000007fefa205600 Thread C:\Windows\system32\svchost.exe [1308:2588] 000007fef4e52940 Thread C:\Windows\system32\svchost.exe [1308:3120] 000007fef4242888 Thread C:\Windows\system32\svchost.exe [1308:3560] 000007fef4242a40 Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [1712:1736] 000007fef953cc10 Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [1712:1740] 000007fef93fb564 Thread C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe [1712:1980] 000007fef93fb564 Thread C:\Windows\system32\svchost.exe [2476:2568] 000007fef5192f9c Thread C:\Windows\System32\svchost.exe [3788:4476] 000007feed6a9688 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2216:3460] 000007fefade2a7c Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2216:1084] 000007feededd618 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2216:4240] 000007fef6465124 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00265e99d9d1 Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00265e99d9d1 (not active ControlSet) ---- Files - GMER 2.1 ---- File C:\Users\krzysiek\AppData\Local\Opera\Opera\cache\g_005B\opr00LPJ.tmp 0 bytes File C:\Users\krzysiek\AppData\Local\Opera\Opera\cache\sesn\opr00MND.tmp 0 bytes File C:\Users\krzysiek\AppData\Local\Opera\Opera\cache\sesn\opr00MNG.tmp 0 bytes ---- EOF - GMER 2.1 ----