GMER 2.1.19163 - http://www.gmer.net
Rootkit scan 2014-11-05 15:22:04
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 ST1000DM003-1CH162 rev.CC47 931,51GB
Running: m57g1hli.exe; Driver: C:\Users\Jakub\AppData\Local\Temp\pgddqpoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\system32\dwm.exe[960] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffec9e3169a 4 bytes [E3, C9, FE, 7F]
.text C:\Windows\system32\dwm.exe[960] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffec9e316a2 4 bytes [E3, C9, FE, 7F]
.text C:\Windows\system32\dwm.exe[960] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffec9e3181a 4 bytes [E3, C9, FE, 7F]
.text C:\Windows\system32\dwm.exe[960] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffec9e31832 4 bytes [E3, C9, FE, 7F]
.text C:\Windows\system32\nvvsvc.exe[360] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffec9e3169a 4 bytes [E3, C9, FE, 7F]
.text C:\Windows\system32\nvvsvc.exe[360] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffec9e316a2 4 bytes [E3, C9, FE, 7F]
.text C:\Windows\system32\nvvsvc.exe[360] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffec9e3181a 4 bytes [E3, C9, FE, 7F]
.text C:\Windows\system32\nvvsvc.exe[360] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffec9e31832 4 bytes [E3, C9, FE, 7F]
.text C:\Program Files\OO Software\Defrag\oodag.exe[2040] C:\Windows\system32\KERNEL32.DLL!SetUnhandledExceptionFilter 00007ffec80f915c 13 bytes {MOV R11, 0x1400a70c0; JMP R11}
.text C:\Windows\Explorer.EXE[2096] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffec9e3169a 4 bytes [E3, C9, FE, 7F]
.text C:\Windows\Explorer.EXE[2096] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffec9e316a2 4 bytes [E3, C9, FE, 7F]
.text C:\Windows\Explorer.EXE[2096] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffec9e3181a 4 bytes [E3, C9, FE, 7F]
.text C:\Windows\Explorer.EXE[2096] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffec9e31832 4 bytes [E3, C9, FE, 7F]
.text C:\Windows\Explorer.EXE[2096] C:\Windows\system32\WS2_32.dll!getpeername 00007ffec855ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]}
.text C:\Windows\Explorer.EXE[2096] C:\Windows\system32\WS2_32.dll!getsockname 00007ffec85601b0 6 bytes {JMP QWORD [RIP-0x7fef010e]}
.text C:\Windows\Explorer.EXE[2096] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffec85607f1 5 bytes {JMP QWORD [RIP-0x7fef07be]}
.text C:\Windows\Explorer.EXE[2096] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffec85669b0 6 bytes {JMP QWORD [RIP-0x7fef6946]}
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2064] C:\Windows\system32\WS2_32.dll!getpeername 00007ffec855ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]}
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2064] C:\Windows\system32\WS2_32.dll!getsockname 00007ffec85601b0 6 bytes {JMP QWORD [RIP-0x7fef010e]}
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2064] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffec85607f1 5 bytes {JMP QWORD [RIP-0x7fef07be]}
.text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2064] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffec85669b0 6 bytes {JMP QWORD [RIP-0x7fef6946]}
.text C:\Windows\System32\skydrive.exe[3376] C:\Windows\system32\WS2_32.dll!getpeername 00007ffec855ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]}
.text C:\Windows\System32\skydrive.exe[3376] C:\Windows\system32\WS2_32.dll!getsockname 00007ffec85601b0 6 bytes {JMP QWORD [RIP-0x7fef010e]}
.text C:\Windows\System32\skydrive.exe[3376] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffec85607f1 5 bytes {JMP QWORD [RIP-0x7fef07be]}
.text C:\Windows\System32\skydrive.exe[3376] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffec85669b0 6 bytes {JMP QWORD [RIP-0x7fef6946]}
.text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[3864] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffec9e3169a 4 bytes [E3, C9, FE, 7F]
.text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[3864] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffec9e316a2 4 bytes [E3, C9, FE, 7F]
.text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[3864] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffec9e3181a 4 bytes [E3, C9, FE, 7F]
.text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[3864] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffec9e31832 4 bytes [E3, C9, FE, 7F]
.text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[3864] C:\Windows\system32\WS2_32.dll!getpeername 00007ffec855ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]}
.text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[3864] C:\Windows\system32\WS2_32.dll!getsockname 00007ffec85601b0 6 bytes {JMP QWORD [RIP-0x7fef010e]}
.text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[3864] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffec85607f1 5 bytes {JMP QWORD [RIP-0x7fef07be]}
.text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[3864] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffec85669b0 6 bytes {JMP QWORD [RIP-0x7fef6946]}
.text C:\Program Files\OO Software\Defrag\oodtray.exe[3888] C:\Windows\system32\WS2_32.dll!getpeername 00007ffec855ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]}
.text C:\Program Files\OO Software\Defrag\oodtray.exe[3888] C:\Windows\system32\WS2_32.dll!getsockname 00007ffec85601b0 6 bytes {JMP QWORD [RIP-0x7fef010e]}
.text C:\Program Files\OO Software\Defrag\oodtray.exe[3888] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffec85607f1 5 bytes {JMP QWORD [RIP-0x7fef07be]}
.text C:\Program Files\OO Software\Defrag\oodtray.exe[3888] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffec85669b0 6 bytes {JMP QWORD [RIP-0x7fef6946]}

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [640:652] fffff96000865b90
Thread C:\Windows\Explorer.EXE [2096:2996] 00007ffec4d2d73c

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -962525951
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shutdown@CleanShutdown 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh 0x85 0x8E 0x32 0x89 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter 62530
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsBandwidthBucketDrainTime 0x92 0xC2 0x8F 0x0F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 13845
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x49 0x6E 0x0E 0x0C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeBandwidthBucketDrainTime 0x92 0xC2 0x8F 0x0F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x49 0x6E 0x0E 0x0C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter 11807
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherBandwidthBucketDrainTime 0x92 0xC2 0x8F 0x0F ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x49 0x6E 0x0E 0x0C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 69681
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalBandwidthBucketDrainTime 0x06 0xF0 0x5F 0x62 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x49 0x6E 0x0E 0x0C ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0xAF 0xD0 0xBE 0x26 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastDownloadCollectionInterest 0x9C 0xAB 0x00 0x90 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 4

---- EOF - GMER 2.1 ----