GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-27 14:52:01
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f ST1000LM014-SSHD-8GB rev.LVD3 931,51GB
Running: ctx3snmp.exe; Driver: C:\Users\Karol\AppData\Local\Temp\fxdoruod.sys

---- User code sections - GMER 2.1 ----

.text C:\WINDOWS\system32\WLANExt.exe[1352] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff914ac169a 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\system32\WLANExt.exe[1352] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff914ac16a2 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\system32\WLANExt.exe[1352] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff914ac181a 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\system32\WLANExt.exe[1352] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff914ac1832 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1904] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff914ac169a 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1904] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff914ac16a2 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1904] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff914ac181a 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe[1904] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff914ac1832 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1972] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff914ac169a 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1972] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff914ac16a2 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1972] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff914ac181a 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1972] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff914ac1832 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1972] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 194 00007ff909791f6a 4 bytes [79, 09, F9, 7F]
.text C:\Program Files\Intel\WiFi\bin\EvtEng.exe[1972] C:\WINDOWS\SYSTEM32\WSOCK32.dll!setsockopt + 218 00007ff909791f82 4 bytes [79, 09, F9, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2220] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff914ac169a 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2220] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff914ac16a2 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2220] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff914ac181a 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Common Files\Intel\WirelessCommon\RegSrvc.exe[2220] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff914ac1832 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2476] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff914ac169a 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2476] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff914ac16a2 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2476] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff914ac181a 4 bytes [AC, 14, F9, 7F]
.text C:\Program Files\Intel\WiFi\bin\ZeroConfigService.exe[2476] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff914ac1832 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3004] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff914ac169a 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3004] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff914ac16a2 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3004] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff914ac181a 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\system32\wbem\wmiprvse.exe[3004] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff914ac1832 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff9158a0e80 5 bytes JMP 00007ff9959d0460
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ff9158a0ed0 5 bytes JMP 00007ff9959d0450
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff9158a1030 5 bytes JMP 00007ff9959d0370
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff9158a1080 5 bytes JMP 00007ff9959d0470
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff9158a1090 5 bytes JMP 00007ff9959d03e0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff9158a1140 5 bytes JMP 00007ff9959d0320
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff9158a1170 5 bytes JMP 00007ff9959d03b0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff9158a1190 5 bytes JMP 00007ff9959d0390
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff9158a11d0 5 bytes JMP 00007ff9959d02e0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff9158a1250 5 bytes JMP 00007ff9959d02d0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff9158a1270 5 bytes JMP 00007ff9959d0310
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff9158a12b0 5 bytes JMP 00007ff9959d03c0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff9158a1300 5 bytes JMP 00007ff9959d03f0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff9158a1460 5 bytes JMP 00007ff9959d0230
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff9158a1650 5 bytes JMP 00007ff9959d0480
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff9158a1680 5 bytes JMP 00007ff9959d03a0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff9158a17a0 5 bytes JMP 00007ff9959d02f0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff9158a17c0 1 byte JMP 00007ff9959d0350
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00007ff9158a17c2 3 bytes {JMP 0x14}
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff9158a1830 5 bytes JMP 00007ff9959d0290
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff9158a18c0 5 bytes JMP 00007ff9959d02b0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff9158a18e0 5 bytes JMP 00007ff9959d03d0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff9158a18f0 5 bytes JMP 00007ff9959d0330
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff9158a19a0 5 bytes JMP 00007ff9959d0410
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff9158a19d0 5 bytes JMP 00007ff9959d0240
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff9158a1cf0 5 bytes JMP 00007ff9959d01e0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff9158a1db0 5 bytes JMP 00007ff9959d0250
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff9158a1de0 5 bytes JMP 00007ff9959d0490
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff9158a1df0 5 bytes JMP 00007ff9959d04a0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff9158a1e20 5 bytes JMP 00007ff9959d0300
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff9158a1e30 5 bytes JMP 00007ff9959d0360
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff9158a1e90 5 bytes JMP 00007ff9959d02a0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff9158a1ee0 5 bytes JMP 00007ff9959d02c0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff9158a1f10 5 bytes JMP 00007ff9959d0380
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff9158a1f20 5 bytes JMP 00007ff9959d0340
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff9158a2230 5 bytes JMP 00007ff9959d0440
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff9158a2430 5 bytes JMP 00007ff9959d0260
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff9158a2440 5 bytes JMP 00007ff9959d0270
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff9158a2460 5 bytes JMP 00007ff9959d0400
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff9158a2640 5 bytes JMP 00007ff9959d01f0
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff9158a2650 5 bytes JMP 00007ff9959d0210
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff9158a26e0 5 bytes JMP 00007ff9959d0200
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff9158a2750 5 bytes JMP 00007ff9959d0420
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff9158a2760 5 bytes JMP 00007ff9959d0430
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff9158a2770 5 bytes JMP 00007ff9959d0220
.text C:\WINDOWS\system32\AUDIODG.EXE[5592] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ff9158a2880 5 bytes JMP 00007ff9959d0280
.text C:\WINDOWS\System32\dwm.exe[2280] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff914ac169a 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\System32\dwm.exe[2280] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff914ac16a2 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\System32\dwm.exe[2280] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff914ac181a 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\System32\dwm.exe[2280] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff914ac1832 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[5968] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007ff914ac169a 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[5968] C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007ff914ac16a2 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[5968] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118 00007ff914ac181a 4 bytes [AC, 14, F9, 7F]
.text C:\WINDOWS\system32\nvvsvc.exe[5968] C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142 00007ff914ac1832 4 bytes [AC, 14, F9, 7F]

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [6084:4920] fffff9600094db90

---- Processes - GMER 2.1 ----

Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\mso.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE [6252] 00000000590e0000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\Office15\csi.dll (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE [6252] 0000000058360000
Library C:\Program Files (x86)\Common Files\Microsoft Shared\OFFICE15\ACEOLEDB.DLL (*** suspicious ***) @ C:\Program Files\Microsoft Office 15\Root\VFS\ProgramFilesCommonX86\Microsoft Shared\OFFICE15\CSISYNCCLIENT.EXE [6252] 0000000058310000
Library C:\Users\Karol\AppData\Local\Pokki\Engine\libPokki.dll (*** suspicious ***) @ C:\Users\Karol\AppData\Local\Pokki\Engine\HostAppService.exe [4664] (Chromium/The Chromium Authors)(2015-03-19 17:19:00) 000000000f4c0000
Library C:\Users\Karol\AppData\Local\Pokki\Engine\icudt.dll (*** suspicious ***) @ C:\Users\Karol\AppData\Local\Pokki\Engine\HostAppService.exe [4664] (ICU Data DLL/The ICU Project)(2015-01-04 04:06:14) 0000000061c30000
Library C:\Users\Karol\AppData\Local\Pokki\Engine\libPokki.dll (*** suspicious ***) @ C:\Users\Karol\AppData\Local\Pokki\Engine\HostAppService.exe [4744] (Chromium/The Chromium Authors)(2015-03-19 17:19:00) 000000000f4c0000
Library C:\Users\Karol\AppData\Local\Pokki\Engine\icudt.dll (*** suspicious ***) @ C:\Users\Karol\AppData\Local\Pokki\Engine\HostAppService.exe [4744] (ICU Data DLL/The ICU Project)(2015-01-04 04:06:14) 0000000061c30000
Library C:\Users\Karol\AppData\Local\Pokki\Engine\ppGoogleNaClPluginChrome.dll (*** suspicious ***) @ C:\Users\Karol\AppData\Local\Pokki\Engine\HostAppService.exe [4744](2015-01-04 04:06:14) 0000000063d20000
Library C:\Users\Karol\AppData\Local\Pokki\Engine\avcodec-54.dll (*** suspicious ***) @ C:\Users\Karol\AppData\Local\Pokki\Engine\HostAppService.exe [4744](2015-01-04 04:06:14) 0000000061800000
Library C:\Users\Karol\AppData\Local\Pokki\Engine\avutil-51.dll (*** suspicious ***) @ C:\Users\Karol\AppData\Local\Pokki\Engine\HostAppService.exe [4744](2015-01-04 04:06:14) 0000000068680000
Library C:\Users\Karol\AppData\Local\Pokki\Engine\avformat-54.dll (*** suspicious ***) @ C:\Users\Karol\AppData\Local\Pokki\Engine\HostAppService.exe [4744](2015-01-04 04:06:14) 0000000063330000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----