GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-05 22:54:16
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000033 rev. 0,00MB
Running: jhnmqgsg.exe; Driver: C:\Users\Andrew\AppData\Local\Temp\kwddqfod.sys

---- Kernel code sections - GMER 2.1 ----

.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable fffff9600024aa00 15 bytes [00, 2E, F4, 01, 80, A0, 6E, ...]
.text C:\WINDOWS\System32\win32k.sys!W32pServiceTable + 17 fffff9600024aa11 10 bytes [5E, FC, FF, 00, BB, C7, 00, ...]

---- User IAT/EAT - GMER 2.1 ----

IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\Explorer.EXE[USER32.dll!DeferWindowPos] [7ff945c71e30] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\Explorer.EXE[USER32.dll!SetWindowPos] [7ff945c71c70] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\Explorer.EXE[USER32.dll!EndPaint] [7ff945c71fe0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\Explorer.EXE[USER32.dll!MoveWindow] [7ff945c71ad0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!DeferWindowPos] [7ff945c71e30] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!SetWindowPos] [7ff945c71c70] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!MoveWindow] [7ff945c71ad0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!EndPaint] [7ff945c71fe0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\SYSTEM32\UxTheme.dll[USER32.dll!SetWindowPos] [7ff945c71c70] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\SYSTEM32\TWINAPI.dll[USER32.dll!SetWindowPos] [7ff945c71c70] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\SYSTEM32\dxgi.dll[USER32.dll!SetWindowPos] [7ff945c71c70] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\system32\IMM32.DLL[USER32.dll!EndPaint] [7ff945c71fe0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\system32\IMM32.DLL[USER32.dll!SetWindowPos] [7ff945c71c70] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\system32\MSCTF.dll[USER32.dll!MoveWindow] [7ff945c71ad0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\system32\MSCTF.dll[USER32.dll!EndPaint] [7ff945c71fe0] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll
IAT C:\WINDOWS\Explorer.EXE[3964] @ C:\WINDOWS\system32\MSCTF.dll[USER32.dll!SetWindowPos] [7ff945c71c70] C:\Program Files (x86)\Elex-tech\YAC\iDskDllPatch64.dll

---- Threads - GMER 2.1 ----

Thread C:\WINDOWS\system32\csrss.exe [832:856] fffff9600095d2d0
Thread C:\WINDOWS\system32\dwm.exe [972:540] 00007ff9505837b0
Thread C:\WINDOWS\System32\svchost.exe [1096:1332] 00007ff93bc86370
Thread C:\WINDOWS\System32\svchost.exe [1096:1948] 00007ff93bc898f0
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1132:1136] 00000000002b13fe
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1132:2964] 0000000001c9c250
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1132:2968] 0000000001c9c250
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1132:2972] 0000000001c9c250
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1132:2976] 0000000001c9c250
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1132:6704] 0000000073cfcf40
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1200] 00000000001d13fe
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1248] 00000000753d0330
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1336] 00000000020a3c17
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1348] 00000000752d4e50
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1668] 0000000073e0aa90
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1712] 0000000003aec250
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1716] 0000000003aec250
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1720] 0000000003aec250
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1724] 0000000003aec250
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1900] 0000000073d7a280
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1908] 0000000073d79e10
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1912] 0000000073d75618
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1916] 0000000073d7a280
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1920] 0000000073d79e10
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1928] 0000000073d7a280
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:2004] 0000000073d79e10
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:2036] 0000000073d7a280
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:1580] 0000000073d79e10
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:4632] 00000000752d4c30
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:4020] 0000000073d79c80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:2356] 0000000073d79c80
Thread C:\WINDOWS\SYSTEM32\ntdll.dll [1196:6660] 0000000075d162d0
Thread C:\WINDOWS\system32\svchost.exe [1364:1792] 00007ff94cad20f0
Thread C:\WINDOWS\system32\svchost.exe [1364:2220] 00007ff94a7c1dc0
Thread C:\WINDOWS\system32\svchost.exe [1364:2832] 00007ff94970ce30
Thread C:\WINDOWS\system32\svchost.exe [1364:3904] 00007ff947307240
Thread C:\WINDOWS\system32\svchost.exe [1364:3908] 00007ff9477c1ed0
Thread C:\WINDOWS\system32\svchost.exe [1364:3920] 00007ff9477c1ed0
Thread C:\WINDOWS\system32\svchost.exe [1364:4404] 00007ff949351050
Thread C:\WINDOWS\system32\svchost.exe [1364:7108] 00007ff9434639b0
Thread C:\WINDOWS\System32\svchost.exe [1464:1736] 00007ff94ced71b0
Thread C:\WINDOWS\System32\svchost.exe [1464:2456] 00007ff9531e3ad0
Thread C:\WINDOWS\System32\svchost.exe [1464:2600] 00007ff94a113190
Thread C:\WINDOWS\System32\svchost.exe [1464:3116] 00007ff948eb1db0
Thread C:\WINDOWS\System32\svchost.exe [1464:3120] 00007ff948eb2380
Thread C:\WINDOWS\System32\svchost.exe [1464:3124] 00007ff948eb2690
Thread C:\WINDOWS\System32\svchost.exe [1464:3400] 00007ff94ff71df0
Thread C:\WINDOWS\System32\svchost.exe [1464:3420] 00007ff94ff71df0
Thread C:\WINDOWS\System32\svchost.exe [1464:3424] 00007ff94ff71df0
Thread C:\WINDOWS\System32\svchost.exe [1464:3428] 00007ff94ff71df0
Thread C:\WINDOWS\System32\svchost.exe [1464:3432] 00007ff94ff71df0
Thread C:\WINDOWS\System32\svchost.exe [1464:3436] 00007ff94ff71df0
Thread C:\WINDOWS\System32\svchost.exe [1464:3440] 00007ff94ff71df0
Thread C:\WINDOWS\System32\svchost.exe [1464:3288] 00007ff94a1118f0
Thread C:\WINDOWS\System32\svchost.exe [1464:3704] 00007ff946a236f0
Thread C:\WINDOWS\System32\svchost.exe [1464:4712] 00007ff94a0f3720
Thread C:\WINDOWS\System32\svchost.exe [1464:4908] 00007ff942d337a0
Thread C:\WINDOWS\System32\svchost.exe [1464:1472] 00007ff9540aad30
Thread C:\WINDOWS\system32\svchost.exe [1560:2040] 00007ff94c0a05e0
Thread C:\WINDOWS\system32\svchost.exe [1560:2264] 00007ff94ab87470
Thread C:\WINDOWS\system32\svchost.exe [1560:2612] 00007ff94a17d0f0
Thread C:\WINDOWS\system32\svchost.exe [1560:6924] 00007ff94b371530
Thread [1828:1840] 00007ff9567a7ef0
Thread [1828:5036] 00007ff956e745e0
Thread [1828:1432] 00007ff949f41120
Thread [1828:4116] 00007ff949f23460
Thread [1828:3948] 00007ff93c465e40
Thread [1828:2564] 00007ff93c5bcd30
Thread [1828:4016] 00007ff956e745e0
Thread C:\WINDOWS\System32\svchost.exe [3404:3640] 00007ff94ab87470
Thread [3848:3884] 000000006c1f1dbc
Thread [3848:3912] 00007ff9477c1ed0
Thread [3848:5852] 00007ff9546a12c0
Thread [3848:3944] 00007ff956e745e0
Thread [4084:2856] 00007ff9546a12c0
Thread [4084:352] 00007ff947049b10
Thread C:\WINDOWS\system32\taskhostex.exe [3416:3716] 00007ff947012100
Thread C:\WINDOWS\system32\taskhostex.exe [3416:3668] 00007ff946fd24e0
Thread C:\WINDOWS\system32\taskhostex.exe [3416:3696] 00007ff94e851120
Thread C:\WINDOWS\system32\taskhostex.exe [3416:888] 00007ff956cbc230
Thread C:\WINDOWS\system32\taskhostex.exe [3416:4064] 00007ff94ab87470
Thread C:\WINDOWS\Explorer.EXE [3964:5008] 00007ff94cf0f3c0
Thread C:\WINDOWS\Explorer.EXE [3964:3896] 00000001800116c0
Thread C:\WINDOWS\Explorer.EXE [3964:4104] 00000001800116c0
Thread C:\WINDOWS\Explorer.EXE [3964:4112] 00007ff9537ac900
Thread C:\WINDOWS\Explorer.EXE [3964:1308] 00007ff93eee9a20
Thread C:\WINDOWS\Explorer.EXE [3964:4152] 00007ff943a79970
Thread C:\WINDOWS\Explorer.EXE [3964:3600] 00007ff93a8206e0
Thread C:\WINDOWS\Explorer.EXE [3964:5084] 00007ff943a7e630
Thread C:\WINDOWS\Explorer.EXE [3964:6676] 00007ff943a7e630
Thread C:\WINDOWS\Explorer.EXE [3964:6504] 00007ff943a7e630
Thread C:\WINDOWS\Explorer.EXE [3964:5192] 00007ff93ef8ecb0
Thread C:\WINDOWS\Explorer.EXE [3964:6580] 00007ff93ef8ecb0
Thread C:\WINDOWS\Explorer.EXE [3964:5140] 00007ff93ef8ecb0
Thread C:\WINDOWS\Explorer.EXE [3964:3756] 00007ff93ef8ecb0
Thread C:\WINDOWS\Explorer.EXE [3964:6780] 00007ff94e851120
Thread C:\WINDOWS\Explorer.EXE [3964:3392] 00007ff943a7e630
Thread C:\WINDOWS\Explorer.EXE [3964:1316] 00007ff949f41120
Thread C:\WINDOWS\Explorer.EXE [3964:3136] 00007ff94746ab50
Thread [5644:5824] 0000000077e64b70
Thread [5644:6988] 0000000077e64b70
Thread [5644:4840] 0000000077e64b70

---- Processes - GMER 2.1 ----

Process C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\nsk62DD.tmp (*** suspicious ***) @ C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\nsk62DD.tmp [2632](2015-04-05 17:43:45) 00000000008f0000
Process C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\jnsmD2AD.tmp (*** suspicious ***) @ C:\Users\Andrew\AppData\Roaming\D0D66880-1428240119-11E2-B2A5-317CD4B82100\jnsmD2AD.tmp [3016](2015-04-05 13:22:25) 00000000003a0000
Process C:\Users\Andrew\AppData\Local\Temp\Rar$EXa0.883\jhnmqgsg.exe (*** suspicious ***) @ C:\Users\Andrew\AppData\Local\Temp\Rar$EXa0.883\jhnmqgsg.exe [6688](2015-02-04 12:59:56) 0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code
Disk \Device\Harddisk0\DR0 sector 0: rootkit-like behavior

---- EOF - GMER 2.1 ----