GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-01-11 20:20:37
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD32 rev.01.0 298,09GB
Running: d3mofzqb.exe; Driver: C:\Users\Karolina\AppData\Local\Temp\kwddqpoc.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  0000000075771401 2 bytes JMP 750eb21b C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  0000000075771419 2 bytes JMP 750eb346 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  0000000075771431 2 bytes JMP 75168ea9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  000000007577144a 2 bytes CALL 750c48ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000757714dd 2 bytes JMP 751687a2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000757714f5 2 bytes JMP 75168978 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  000000007577150d 2 bytes JMP 75168698 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  0000000075771525 2 bytes JMP 75168a62 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  000000007577153d 2 bytes JMP 750dfca8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  0000000075771555 2 bytes JMP 750e68ef C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  000000007577156d 2 bytes JMP 75168f61 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  0000000075771585 2 bytes JMP 75168ac2 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  000000007577159d 2 bytes JMP 7516865c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000757715b5 2 bytes JMP 750dfd41 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000757715cd 2 bytes JMP 750eb2dc C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000757716b2 2 bytes JMP 75168e24 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\AVG SafeGuard toolbar\vprot.exe[3312]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000757716bd 2 bytes JMP 751685f1 C:\Windows\syswow64\kernel32.dll

---- User IAT/EAT - GMER 2.1 ----

IAT  C:\Windows\Explorer.EXE[1952] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!FreeLibraryAndExitThread]  [10002370] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll
IAT  C:\Windows\Explorer.EXE[1952] @ C:\Windows\system32\SHLWAPI.dll[KERNEL32.dll!CreateThread]  [100034e0] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll
IAT  C:\Windows\Explorer.EXE[1952] @ C:\Windows\system32\SHELL32.dll[KERNEL32.dll!LoadLibraryA]  [100011e0] C:\Program Files (x86)\EgisTec MyWinLocker\x64\psdprotect.dll

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch@Epoch  21001
Reg  HKLM\SYSTEM\CurrentControlSet\services\SharedAccess\Epoch2@Epoch  14857
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{727F85F2-11E0-46B5-992A-8D3A48FAC4AD}@LeaseObtainedTime  1420997214
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{727F85F2-11E0-46B5-992A-8D3A48FAC4AD}@T1  1421040414
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{727F85F2-11E0-46B5-992A-8D3A48FAC4AD}@T2  1421072814
Reg  HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{727F85F2-11E0-46B5-992A-8D3A48FAC4AD}@LeaseTerminatesTime  1421083614

---- Files - GMER 2.1 ----

File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\4FEF67DB9162C4577485CC3B2E848ABE708A8A6C  10040 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\CC135C80AD26D3678EFEA100AC5D1E39E8859565  2353 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\186D3543845A30D29A2AB44CB75BC97A531E5F40  0 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\6CF3FB431478EB53408209324353C82AA4C88E33  0 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\BD0953A15386314AE3A1F669C5E2EFFBC88E0ACD  96 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\B4649F21C3A36437BD8D8B929DE5CF447388CD4D  96 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\3DA60CDF035F94C001780513753A1F624C11F820  2022 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\5B5441A625DF1676A53E5264202676FDCD85C918  499 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\C41AC76B154EBF435A8FA5B871962F422AAE3C1A  21178 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\1354A702A35CDAAD8D610CAA2C46CABE72ED73C7  900 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\505126A1792B68FB3DC260D93A77AE961EB2C0D6  725 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\D84A19B3BA2A05EA8B361FA3CC66536AD29D878B  424 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\FCE0EA361BD518E307B00D04797289F680570B6A  0 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\F228E1276F74093877FFCE881B3C9163A32BBC84  12000 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\DB6AB59ED1D170E0C2D2F5632ED0B956048B3D22  6717 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\C4D23652AB2A983332A4150D674A7D803CB05490  2045 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\73F78F9A47B001346AEEC14BD7F84709709FD419  96 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\EDAE4736FBB1217FADBBBD1F4EC92FD1D9F7B227  96 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\9596A25A45F4800058113414E2D662F96F1B42E0  96 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\733E96A71B9EE41A61863198B3376ADC019B5B05  96 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\C4A226156395A7F21A66450B0603586BB3820F22  1629 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\27614134CB64A45B080982B5C97C6318223A89E9  1825 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\504B80EAFF0377D5EA0ABCE462663936FEFE8792  6365 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\A4B2C01738CF106405D0FC216AF71FEF73B8E6D5  900 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\2C64A0D63E873645257AF21F0A4FB3FA0F793F6A  1664 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\99B4FABBC34DF88AC5786EB751A1EF290CB68469  8314 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\A315BC481337355B3E562208D8B9C1CA7BCC05DB  1012 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\90C20C5BB4D84A00B0174E2254F8EB2DA307B41A  11071 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\4051C986401B6F14A2B24EDF39380C119A10A006  62513 bytes
File  C:\Users\Karolina\AppData\Local\Mozilla\Firefox\Profiles\s5ds4zj7.default\cache2\entries\7C1059BF1FA8FD8DCFE2EB5E34C5225FBBB3F2D9  3414 bytes

---- EOF - GMER 2.1 ----