GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-02-04 12:38:20
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST1000DM003-1CH162 rev.CC46 931,51GB
Running: f0o8ssyv.exe; Driver: C:\Users\Aniut\AppData\Local\Temp\pwddakod.sys

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000765c1465 2 bytes [5C, 76]
.text  C:\Program Files (x86)\Microsoft Office\Office14\MSOSYNC.EXE[2624] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000765c14bb 2 bytes [5C, 76]
.text  ...  * 2
.text  C:\Program Files (x86)\AVG\AVG2013\avgui.exe[3900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000765c1465 2 bytes [5C, 76]
.text  C:\Program Files (x86)\AVG\AVG2013\avgui.exe[3900] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000765c14bb 2 bytes [5C, 76]
.text  ...  * 2
.text  C:\Windows\SysWOW64\vmnat.exe[3472] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26  00000000737813c6 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\vmnat.exe[3472] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 74  00000000737813f6 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\vmnat.exe[3472] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 257  00000000737814ad 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\vmnat.exe[3472] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 303  00000000737814db 2 bytes [78, 73]
.text  ...  * 2
.text  C:\Windows\SysWOW64\vmnat.exe[3472] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 79  0000000073781577 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\vmnat.exe[3472] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 175  00000000737815d7 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\vmnat.exe[3472] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 620  0000000073781794 2 bytes [78, 73]
.text  C:\Windows\SysWOW64\vmnat.exe[3472] C:\Windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 921  00000000737818c1 2 bytes [78, 73]
.text  C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[4244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  00000000765c1465 2 bytes [5C, 76]
.text  C:\Program Files (x86)\VMware\VMware Player\vmware-authd.exe[4244] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000765c14bb 2 bytes [5C, 76]
.text  ...  * 2

---- Processes - GMER 2.1 ----

Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdater.exe (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdater.exe [  000000013fb70000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\RCF.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdater.exe [3436]  000007fee9190000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\MSVCP100.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdater.exe [3436]  000000006fb10000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\MSVCR100.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdater.exe [3436]  000000006fa30000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\boost_date_time-vc100-mt-1_57.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwa  000007feee2a0000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\boost_filesystem-vc100-mt-1_57.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAw  000007feed5e0000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\boost_system-vc100-mt-1_57.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareU  000007fef9ea0000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\boost_thread-vc100-mt-1_57.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareU  000007feed5c0000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\boost_chrono-vc100-mt-1_57.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareU  000007fef2ae0000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\boost_locale-vc100-mt-1_57.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareU  000007feeaf50000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\HtmlFramework.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdater.exe [3  000007fee8f80000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\htmlayout.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdater.exe [3436]  0000000180000000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdaterKernel.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdater  000007fee8be0000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\boost_regex-vc100-mt-1_57.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUp  000007fee9c10000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\boost_program_options-vc100-mt-1_57.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299  000007fee9b90000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\Statistics.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdater.exe [3436  000007fee99d0000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\DllStorage.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdater.exe [3436  000007feec4e0000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdaterDefaultSkin.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUp  000007fee7320000
Library  C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\Localization.dll (*** suspicious ***) @ C:\Program Files\Common Files\Lavasoft\Ad-Aware Antivirus\Ad-Aware Antivirus Updater\11.5.202.7299\AdAwareUpdater.exe [34  000007fee9900000

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{64DCB74D-5B96-4324-9189-1C02870373D4}\Connection@Name  isatap.{FE31CB6F-7DDD-49D3-8F13-2930EE3C9269}
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{B448C74D-A0C3-4581-9700-7C523B5FEA28}\Linkage@Bind  \Device\{64DCB74D-5B96-4324-9189-1C02870373D4}?\Device\{69DF6E16-44B2-4594-AD59-C2128592B997}?\Device\{B03F5CC2-DBCA-41AB-A1F8-852A03E777F6}?\Device\{DEA8E3F7-A6D6-48C4-AF16-937C81245C33}?\Device\{CA529682-C082-486B-889E-0493BD609C8C}?\Device\{CA06FF51-CE62-4A2A-B9EA-4FFE5AC9C9F5}?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{B448C74D-A0C3-4581-9700-7C523B5FEA28}\Linkage@Route  "{64DCB74D-5B96-4324-9189-1C02870373D4}"?"{69DF6E16-44B2-4594-AD59-C2128592B997}"?"{B03F5CC2-DBCA-41AB-A1F8-852A03E777F6}"?"{DEA8E3F7-A6D6-48C4-AF16-937C81245C33}"?"{CA529682-C082-486B-889E-0493BD609C8C}"?"{CA06FF51-CE62-4A2A-B9EA-4FFE5AC9C9F5}"?
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{B448C74D-A0C3-4581-9700-7C523B5FEA28}\Linkage@Export  \Device\TCPIP6TUNNEL_{64DCB74D-5B96-4324-9189-1C02870373D4}?\Device\TCPIP6TUNNEL_{69DF6E16-44B2-4594-AD59-C2128592B997}?\Device\TCPIP6TUNNEL_{B03F5CC2-DBCA-41AB-A1F8-852A03E777F6}?\Device\TCPIP6TUNNEL_{DEA8E3F7-A6D6-48C4-AF16-937C81245C33}?\Device\TCPIP6TUNNEL_{CA529682-C082-486B-889E-0493BD609C8C}?\Device\TCPIP6TUNNEL_{CA06FF51-CE62-4A2A-B9EA-4FFE5AC9C9F5}?
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bdc003491
Reg  HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\001bdc003491@00023c24ee4f  0x34 0x60 0x71 0x63 ...
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{64DCB74D-5B96-4324-9189-1C02870373D4}@InterfaceName  isatap.{FE31CB6F-7DDD-49D3-8F13-2930EE3C9269}
Reg  HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{64DCB74D-5B96-4324-9189-1C02870373D4}@ReusableType  0
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bdc003491 (not active ControlSet)
Reg  HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\001bdc003491@00023c24ee4f  0x34 0x60 0x71 0x63 ...

---- EOF - GMER 2.1 ----