GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-02-14 19:30:56 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000039 ST1000DM003-1CH162 rev.CC47 931,51GB Running: vbtscstw.exe; Driver: C:\Users\Jakub\AppData\Local\Temp\pgddqpoc.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff9600014b200 15 bytes [00, 28, F6, 01, 80, 1C, 6C, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff9600014b210 11 bytes [00, 0E, FC, FF, 00, 05, C4, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\spoolsv.exe[1456] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe4b42169a 4 bytes [42, 4B, FE, 7F] .text C:\Windows\System32\spoolsv.exe[1456] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe4b4216a2 4 bytes [42, 4B, FE, 7F] .text C:\Windows\System32\spoolsv.exe[1456] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe4b42181a 4 bytes [42, 4B, FE, 7F] .text C:\Windows\System32\spoolsv.exe[1456] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe4b421832 4 bytes [42, 4B, FE, 7F] .text C:\Program Files\OO Software\Defrag\oodag.exe[2012] C:\Windows\system32\KERNEL32.DLL!SetUnhandledExceptionFilter 00007ffe4906915c 13 bytes {MOV R11, 0x14001f870; JMP R11} .text C:\Windows\system32\svchost.exe[1664] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe4b42169a 4 bytes [42, 4B, FE, 7F] .text C:\Windows\system32\svchost.exe[1664] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe4b4216a2 4 bytes [42, 4B, FE, 7F] .text C:\Windows\system32\svchost.exe[1664] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe4b42181a 4 bytes [42, 4B, FE, 7F] .text C:\Windows\system32\svchost.exe[1664] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe4b421832 4 bytes [42, 4B, FE, 7F] .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2096] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe4b42169a 4 bytes [42, 4B, FE, 7F] .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2096] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe4b4216a2 4 bytes [42, 4B, FE, 7F] .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2096] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe4b42181a 4 bytes [42, 4B, FE, 7F] .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesService64.exe[2096] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe4b421832 4 bytes [42, 4B, FE, 7F] .text C:\Program Files\Windows Defender\MsMpEng.exe[2120] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 506 00007ffe4b42169a 4 bytes [42, 4B, FE, 7F] .text C:\Program Files\Windows Defender\MsMpEng.exe[2120] C:\Windows\system32\psapi.dll!GetModuleBaseNameA + 514 00007ffe4b4216a2 4 bytes [42, 4B, FE, 7F] .text C:\Program Files\Windows Defender\MsMpEng.exe[2120] C:\Windows\system32\psapi.dll!QueryWorkingSet + 118 00007ffe4b42181a 4 bytes [42, 4B, FE, 7F] .text C:\Program Files\Windows Defender\MsMpEng.exe[2120] C:\Windows\system32\psapi.dll!QueryWorkingSet + 142 00007ffe4b421832 4 bytes [42, 4B, FE, 7F] .text C:\Windows\Explorer.EXE[1720] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe4b42169a 4 bytes [42, 4B, FE, 7F] .text C:\Windows\Explorer.EXE[1720] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe4b4216a2 4 bytes [42, 4B, FE, 7F] .text C:\Windows\Explorer.EXE[1720] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe4b42181a 4 bytes [42, 4B, FE, 7F] .text C:\Windows\Explorer.EXE[1720] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe4b421832 4 bytes [42, 4B, FE, 7F] .text C:\Windows\Explorer.EXE[1720] C:\Windows\system32\WS2_32.dll!getpeername 00007ffe4b54ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]} .text C:\Windows\Explorer.EXE[1720] C:\Windows\system32\WS2_32.dll!getsockname 00007ffe4b5501b0 6 bytes {JMP QWORD [RIP-0x7fef010e]} .text C:\Windows\Explorer.EXE[1720] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffe4b5507f1 5 bytes {JMP QWORD [RIP-0x7fef07be]} .text C:\Windows\Explorer.EXE[1720] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffe4b5569b0 6 bytes {JMP QWORD [RIP-0x7fef6946]} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[1372] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe4b42169a 4 bytes [42, 4B, FE, 7F] .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[1372] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe4b4216a2 4 bytes [42, 4B, FE, 7F] .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[1372] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe4b42181a 4 bytes [42, 4B, FE, 7F] .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[1372] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe4b421832 4 bytes [42, 4B, FE, 7F] .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[1372] C:\Windows\system32\ws2_32.dll!getpeername 00007ffe4b54ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[1372] C:\Windows\system32\ws2_32.dll!getsockname 00007ffe4b5501b0 6 bytes {JMP QWORD [RIP-0x7fef010e]} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[1372] C:\Windows\system32\ws2_32.dll!connect + 1 00007ffe4b5507f1 5 bytes {JMP QWORD [RIP-0x7fef07be]} .text C:\Program Files (x86)\AVG\AVG PC TuneUp\TuneUpUtilitiesApp64.exe[1372] C:\Windows\system32\ws2_32.dll!WSAConnect 00007ffe4b5569b0 6 bytes {JMP QWORD [RIP-0x7fef6946]} .text C:\Windows\System32\skydrive.exe[3784] C:\Windows\system32\WS2_32.dll!getpeername 00007ffe4b54ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]} .text C:\Windows\System32\skydrive.exe[3784] C:\Windows\system32\WS2_32.dll!getsockname 00007ffe4b5501b0 6 bytes {JMP QWORD [RIP-0x7fef010e]} .text C:\Windows\System32\skydrive.exe[3784] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffe4b5507f1 5 bytes {JMP QWORD [RIP-0x7fef07be]} .text C:\Windows\System32\skydrive.exe[3784] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffe4b5569b0 6 bytes {JMP QWORD [RIP-0x7fef6946]} .text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[2260] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe4b42169a 4 bytes [42, 4B, FE, 7F] .text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[2260] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe4b4216a2 4 bytes [42, 4B, FE, 7F] .text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[2260] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe4b42181a 4 bytes [42, 4B, FE, 7F] .text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[2260] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe4b421832 4 bytes [42, 4B, FE, 7F] .text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[2260] C:\Windows\system32\WS2_32.dll!getpeername 00007ffe4b54ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]} .text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[2260] C:\Windows\system32\WS2_32.dll!getsockname 00007ffe4b5501b0 6 bytes {JMP QWORD [RIP-0x7fef010e]} .text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[2260] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffe4b5507f1 5 bytes {JMP QWORD [RIP-0x7fef07be]} .text C:\Program Files\OO Software\CleverCache\ooccctrl.exe[2260] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffe4b5569b0 6 bytes {JMP QWORD [RIP-0x7fef6946]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[4100] C:\Windows\system32\WS2_32.dll!getpeername 00007ffe4b54ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[4100] C:\Windows\system32\WS2_32.dll!getsockname 00007ffe4b5501b0 6 bytes {JMP QWORD [RIP-0x7fef010e]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[4100] C:\Windows\system32\WS2_32.dll!connect + 1 00007ffe4b5507f1 5 bytes {JMP QWORD [RIP-0x7fef07be]} .text C:\Program Files\OO Software\Defrag\oodtray.exe[4100] C:\Windows\system32\WS2_32.dll!WSAConnect 00007ffe4b5569b0 6 bytes {JMP QWORD [RIP-0x7fef6946]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4128] C:\Windows\system32\ws2_32.dll!getpeername 00007ffe4b54ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4128] C:\Windows\system32\ws2_32.dll!getsockname 00007ffe4b5501b0 6 bytes {JMP QWORD [RIP-0x7fef010e]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4128] C:\Windows\system32\ws2_32.dll!connect + 1 00007ffe4b5507f1 5 bytes {JMP QWORD [RIP-0x7fef07be]} .text C:\Program Files\Realtek\Audio\HDA\RtkNGUI64.exe[4128] C:\Windows\system32\ws2_32.dll!WSAConnect 00007ffe4b5569b0 6 bytes {JMP QWORD [RIP-0x7fef6946]} .text C:\Windows\system32\nvvsvc.exe[312] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe4b42169a 4 bytes [42, 4B, FE, 7F] .text C:\Windows\system32\nvvsvc.exe[312] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe4b4216a2 4 bytes [42, 4B, FE, 7F] .text C:\Windows\system32\nvvsvc.exe[312] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe4b42181a 4 bytes [42, 4B, FE, 7F] .text C:\Windows\system32\nvvsvc.exe[312] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe4b421832 4 bytes [42, 4B, FE, 7F] .text C:\Windows\system32\dwm.exe[2704] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ffe4b42169a 4 bytes [42, 4B, FE, 7F] .text C:\Windows\system32\dwm.exe[2704] C:\Windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ffe4b4216a2 4 bytes [42, 4B, FE, 7F] .text C:\Windows\system32\dwm.exe[2704] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ffe4b42181a 4 bytes [42, 4B, FE, 7F] .text C:\Windows\system32\dwm.exe[2704] C:\Windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ffe4b421832 4 bytes [42, 4B, FE, 7F] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[980] C:\Windows\system32\ws2_32.dll!getpeername 00007ffe4b54ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[980] C:\Windows\system32\ws2_32.dll!getsockname 00007ffe4b5501b0 6 bytes {JMP QWORD [RIP-0x7fef010e]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[980] C:\Windows\system32\ws2_32.dll!connect + 1 00007ffe4b5507f1 5 bytes {JMP QWORD [RIP-0x7fef07be]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[980] C:\Windows\system32\ws2_32.dll!WSAConnect 00007ffe4b5569b0 6 bytes {JMP QWORD [RIP-0x7fef6946]} ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [616:1360] fffff960008a3b90 Thread C:\Windows\Explorer.EXE [1720:4700] 00007ffe3cfcd73c ---- Processes - GMER 2.1 ---- Library C:\ProgramData\Internet Manager\OnlineUpdate\mingwm10.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1796](2015-01-11 20:58:15) 000000006fbc0000 Library C:\ProgramData\Internet Manager\OnlineUpdate\libgcc_s_dw2-1.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1796](2015-01-11 20:58:15) 000000006e940000 Library C:\ProgramData\Internet Manager\OnlineUpdate\QtCore4.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1796](2015-01-11 20:58:15) 000000006a1c0000 Library C:\ProgramData\Internet Manager\OnlineUpdate\QtNetwork4.dll (*** suspicious ***) @ C:\ProgramData\Internet Manager\OnlineUpdate\ouc.exe [1796](2015-01-11 20:58:15) 000000006ff00000 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Users\Jakub\AppData\Local\Temp\MSNET-48b7245c.NVX??\??\C:\Users\Jakub\AppData\Local\Temp\INS_9115f80b.TMP??\??\C:\Users\Jakub\AppData\Local\Temp\INS_c374685a.TMP??\??\C:\Users\Jakub\AppData\Local\Temp\INS_3bb9077e.TMP??\??\C:\Users\Jakub\AppData\Local\Temp\INS_9fd54614.TMP??\??\C:\Users\Jakub\AppData\Local\Temp\INS_44cf5faf.TMP??\??\C:\Users\Jakub\AppData\Local\Temp\INS_57081d2.TMP??\??\C:\Users\Jakub\AppData\Local\Temp\INS_c465aa56.TMP??\??\C:\Users\Jakub\AppData\Local\Temp\INS_e36991a5.TMP??\??\C:\Users\Jakub\AppData\Local\Temp\INS_df88ef3c.TMP??\??\C:\Users\Jakub\AppData\Local\Temp\INS_4339a96f.TMP??\??\C:\Users\Jakub\AppData\Local\Temp\MSNET-6b4dc78b.NVX??\??\C:\Windows\system32\SET82DB.tmp??\??\C:\Windows\system32\SET9315.tmp??\??\C:\Windows\SysWow64\SET94D0.tmp??\??\C:\Windows\SysWow64\SET9D9F.tmp??\??\C:\Users\Jakub\AppData\Local\Temp\INS_c16e298.TMP??\??\C:\Users\Jakub\AppData\Local\Temp\Wtmp34101781\402.json??\??\C:\Users\Jakub\AppData\Local\Temp\Wtmp34101781\images\code??\??\C:\Users\Jakub\A Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1096056255 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 1717 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9306D5EF-456C-49AE-ABA0-6B425A4611FF}@LeaseObtainedTime 1423914262 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9306D5EF-456C-49AE-ABA0-6B425A4611FF}@T1 1423957462 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9306D5EF-456C-49AE-ABA0-6B425A4611FF}@T2 1423989862 Reg HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{9306D5EF-456C-49AE-ABA0-6B425A4611FF}@LeaseTerminatesTime 1424000662 ---- EOF - GMER 2.1 ----