GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-03-28 22:01:06
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002b rev. 0,00MB
Running: gmer.exe; Driver: C:\Users\xxxxxxx\AppData\Local\Temp\fgldqpow.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff960000b4a00 15 bytes [00, 2E, F4, 01, 80, A0, 6E, ...]
.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 17 fffff960000b4a11 10 bytes [5E, FC, FF, 00, BB, C7, 00, ...]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4360] @ C:\WINDOWS\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffbeb37e2ec] C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\chrome_child.dll
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[908] @ C:\WINDOWS\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7ffbeb37e2ec] C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\chrome_child.dll
IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[908] @ C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\pdf.dll[GDI32.dll!GetFontData] [7ffbeac0f140] C:\Program Files (x86)\Google\Chrome\Application\41.0.2272.101\chrome_child.dll

---- Threads - GMER 2.1 ----

Thread System [4:976] ffffe000a33ac750
Thread C:\WINDOWS\system32\csrss.exe [672:692] fffff9600097f2d0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [2188:3964] 0000000001075478

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\FileSystem@NtfsDisableLastAccessUpdate 0
Reg HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration 616
Reg HKLM\SYSTEM\CurrentControlSet\Control\ServiceGroupOrder@List System Reserved?EMS?WdfLoadGroup?Boot Bus Extender?System Bus Extender?SCSI miniport?Port?Primary Disk?SCSI Class?SCSI CDROM Class?FSFilter Infrastructure?FSFilter System?FSFilter Bottom?FSFilter Copy Protection?FSFilter Security Enhancer?FSFilter Open File?FSFilter Physical Quota Management?FSFilter Virtualization?FSFilter Encryption?FSFilter Compression?FSFilter Imaging?FSFilter HSM?FSFilter Cluster File System?FSFilter System Recovery?FSFilter Quota Management?FSFilter Content Screener?FSFilter Continuous Backup?FSFilter Replication?FSFilter Anti-Virus?FSFilter Undelete?FSFilter Activity Monitor?FSFilter Top?Filter?Boot File System?Base?Pointer Port?Keyboard Port?Pointer Class?Keyboard Class?Video Init?Video?Video Save?File System?Streams Drivers?NDIS Wrapper?COM Infrastructure?Event Log?ProfSvc_Group?AudioGroup?UIGroup?MS_WindowsLocalValidation?PlugPlay?Cryptography?PNP_TDI?NDIS?TDI?iSCSI?NetBIOSGroup?ShellSvcGroup?SchedulerGroup?SpoolerGroup?SmartCardGroup?NetworkProvider?MS_WindowsRemoteValidation?NetD
Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed 1870076514
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3537
Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 678
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ...
Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{3049C3E9-B461-4BC5-8870-4C09146192CA}\iexplore@Count 4
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Count 4
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\DirtyLocalCollections@browsersettings-tabroaming-internet-explorer 1
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh 0xA1 0x1A 0xF9 0xDE ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x0A 0x53 0x32 0xDF ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsLargeBandwidthBucketCounter 0
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x0A 0x53 0x32 0xDF ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@OtherBandwidthBucketCounter 29909
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x0A 0x53 0x32 0xDF ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 157326
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x0A 0x53 0x32 0xDF ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0x24 0x7A 0x39 0xDF ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x9A 0xBD 0x02 0x92 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 7
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Themes@CurrentTheme C:\Users\Bart?omiej Dylong\AppData\Local\Microsoft\Windows\Themes\Roamed.theme
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Themes\HighContrast@Pre-High Contrast Scheme C:\Users\Bart?omiej Dylong\AppData\Local\Microsoft\Windows\Themes\Roamed.theme
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\UFH\SHC@2 C:\ProgramData\Microsoft\Windows\Start Menu\Programs\TeamViewer 10.lnk?C:\Program Files (x86)\TeamViewer\TeamViewer.exe??

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior

---- EOF - GMER 2.1 ----