GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-04-10 12:01:10
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk1\DR1 -> \Device\Ide\IdeDeviceP1T0L0-1 SAMSUNG_HD200HJ rev.KF100-06 186,18GB
Running: gmer.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\kwddykog.sys

---- User code sections - GMER 2.1 ----

.text  C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  0000000070f51a22 2 bytes [F5, 70]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  0000000070f51ad0 2 bytes [F5, 70]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552  0000000070f51b08 2 bytes [F5, 70]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730  0000000070f51bba 2 bytes [F5, 70]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762  0000000070f51bda 2 bytes [F5, 70]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075361465 2 bytes [36, 75]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000753614bb 2 bytes [36, 75]
.text  ...  * 2
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\kernel32.dll!CreateEventA + 8  0000000075983254 7 bytes JMP 0000000100cb1710
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\kernel32.dll!lstrcmpW + 30  000000007598590f 7 bytes JMP 0000000100cb1910
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\kernel32.dll!LoadResource + 8  000000007598591c 7 bytes JMP 0000000100cb1bb0
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\kernel32.dll!LockResource + 19  0000000075985934 7 bytes JMP 0000000100cb1000
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\kernel32.dll!GetLocalTime + 30  0000000075985a8c 7 bytes JMP 0000000100cb1cb0
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\kernel32.dll!GetQueuedCompletionStatus + 19  000000007599d3a6 7 bytes JMP 0000000100cb1f50
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\KERNELBASE.dll!SetEndOfFile + 152  000000007510c850 7 bytes JMP 0000000100d3df70
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\KERNELBASE.dll!GetFileType + 218  000000007510dc45 7 bytes JMP 0000000100d3dc90
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\KERNELBASE.dll!UnlockFile + 103  000000007510dff3 7 bytes JMP 0000000100d3e2c0
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\KERNELBASE.dll!CreateFileMappingNumaW + 298  000000007510e826 7 bytes JMP 0000000100d3e410
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\KERNELBASE.dll!UnmapViewOfFile + 81  000000007510eb2c 7 bytes JMP 0000000100d3e570
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\KERNELBASE.dll!SetFileInformationByHandle + 168  000000007511c294 7 bytes JMP 0000000100d3d790
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\OLEAUT32.dll!LoadTypeLibEx + 742  0000000075640a9d 7 bytes JMP 0000000100d3d740
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  0000000075361465 2 bytes [36, 75]
.text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  00000000753614bb 2 bytes [36, 75]
.text  ...  * 2

---- Processes - GMER 2.1 ----

Process  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe (*** suspicious ***) @ C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe [1540](2015-03-12 09:23:48)  0000000000cb0000
Library  C:\Users\Mateusz\Desktop\Nowy folder\FRST64.exe (*** suspicious ***) @ C:\Users\Mateusz\Desktop\Nowy folder\FRST64.exe [3184]  000000013f580000

---- Disk sectors - GMER 2.1 ----

Disk  \Device\Harddisk1\DR1  unknown MBR code

---- EOF - GMER 2.1 ----
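The "User code sections" block above mixes two very different kinds of entry: 2-byte differences in WSOCK32.dll and psapi.dll whose bytes ([F5, 70], [36, 75]) are simply the upper half of the patched address itself, and 7-byte JMPs out of kernel32.dll, KERNELBASE.dll and OLEAUT32.dll into a region far away from those DLLs, all inside the Skyrim.exe process that GMER itself marks "*** suspicious ***". The Python below is an added triage example written for this page; it is not GMER output, not GMER's code, and not something the poster ran. Its regular expression is an assumed reading of GMER's line format, the 16 MiB "far jump" threshold and the address-fixup heuristic are assumptions to be confirmed against the file on disk, and SAMPLE_LINES is an excerpt of the log above.

```python
"""Triage GMER 'User code sections' lines (added example, not GMER's own code).

Heuristics, both assumptions rather than verdicts:
  * a 2-byte patch whose bytes equal the upper 16 bits of the patched address
    (little-endian) looks like an address fixup GMER diffed against the on-disk
    image, not a hook;
  * a JMP whose target lies far from the hooked DLL is an inline hook into
    foreign code; the target region is where the hooking component lives.
"""
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed format: '.text <proc>[pid] <module>!<func> + <off> <addr> <n> bytes <detail>'
LINE_RE = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>.+?)!(?P<func>\w+)\s\+\s(?P<offset>\d+)\s+"
    r"(?P<addr>[0-9a-fA-F]{8,16})\s+(?P<size>\d+)\s+bytes\s+(?P<detail>.+?)\s*$"
)
JMP_RE = re.compile(r"^JMP\s+(?P<target>[0-9a-fA-F]{8,16})$")
BYTES_RE = re.compile(r"^\[(?P<bytes>[0-9a-fA-F]{2}(?:,\s*[0-9a-fA-F]{2})*)\]$")
FAR_JUMP_THRESHOLD = 16 * 1024 * 1024  # assumption: wider than any one system DLL
REGION_MASK = ~0xFFFFF                 # bucket JMP targets into 1 MiB regions

@dataclass
class Hook:
    proc: str
    pid: int
    module: str
    func: str
    offset: int
    addr: int
    size: int
    detail: str
    verdict: str
    target: Optional[int]  # JMP destination when the detail was a JMP

def classify(addr: int, size: int, detail: str) -> Tuple[str, Optional[int]]:
    """Return (verdict, jmp_target) for one hook's byte list or JMP detail."""
    j = JMP_RE.match(detail)
    if j:
        target = int(j["target"], 16)
        if abs(target - addr) > FAR_JUMP_THRESHOLD:
            return "inline-jmp-foreign-target", target
        return "inline-jmp-local-target", target
    b = BYTES_RE.match(detail)
    if b:
        patched = bytes(int(x, 16) for x in b["bytes"].split(","))
        # Upper 16 bits of the patched address, little-endian: 0x70f51a22 -> [F5, 70]
        fixup = ((addr >> 16) & 0xFFFF).to_bytes(2, "little")
        if size == 2 and patched == fixup:
            return "address-fixup-pattern", None
        return "byte-patch", None
    return "unknown", None

def parse_line(line: str) -> Optional[Hook]:
    """Parse one hook line; section headers and '.text ... * 2' markers give None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    addr, size, detail = int(m["addr"], 16), int(m["size"]), m["detail"]
    verdict, target = classify(addr, size, detail)
    return Hook(m["proc"], int(m["pid"]), m["module"], m["func"], int(m["offset"]),
                addr, size, detail, verdict, target)

def summarize(lines: List[str]) -> Dict[str, Counter]:
    """Per 'proc[pid]': how many hook lines fell into each verdict."""
    per_proc: Dict[str, Counter] = defaultdict(Counter)
    for line in lines:
        h = parse_line(line)
        if h is not None:
            per_proc[f"{h.proc}[{h.pid}]"][h.verdict] += 1
    return dict(per_proc)

def foreign_jmp_regions(lines: List[str]) -> Dict[str, List[int]]:
    """Per process, the distinct 1 MiB regions foreign JMPs land in (one component behind many hooks)."""
    regions: Dict[str, set] = defaultdict(set)
    for line in lines:
        h = parse_line(line)
        if h is not None and h.verdict == "inline-jmp-foreign-target":
            regions[f"{h.proc}[{h.pid}]"].add(h.target & REGION_MASK)
    return {k: sorted(v) for k, v in regions.items()}

# Constructed input: verbatim excerpt of the log above plus two non-hook lines.
SAMPLE_LINES = [
    r"---- User code sections - GMER 2.1 ----",
    r".text  C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  0000000070f51a22 2 bytes [F5, 70]",
    r".text  C:\Windows\SysWOW64\PnkBstrA.exe[1832] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075361465 2 bytes [36, 75]",
    r".text  ...  * 2",
    r".text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\kernel32.dll!CreateEventA + 8  0000000075983254 7 bytes JMP 0000000100cb1710",
    r".text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\kernel32.dll!lstrcmpW + 30  000000007598590f 7 bytes JMP 0000000100cb1910",
    r".text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\KERNELBASE.dll!SetEndOfFile + 152  000000007510c850 7 bytes JMP 0000000100d3df70",
    r".text  C:\ProgramData\{dd241b1e-5239-4c1b-dd24-41b1e5236c79}\Skyrim.exe[1540] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  0000000075361465 2 bytes [36, 75]",
]

if __name__ == "__main__":
    for proc, counts in summarize(SAMPLE_LINES).items():
        print(proc, dict(counts))
    for proc, regs in foreign_jmp_regions(SAMPLE_LINES).items():
        print(proc, "foreign JMP regions:", [hex(r) for r in regs])
```

Run over the excerpt, the PnkBstrA.exe entries and the psapi.dll entry inside Skyrim.exe all match the address-fixup pattern, while every kernel32/KERNELBASE JMP in Skyrim.exe is classified as a foreign-target inline hook and the targets cluster into two adjacent 1 MiB regions, which is the shape one hooking component produces. That agrees with GMER's own "*** suspicious ***" mark on the process, but the heuristic only tells you where to look next (the file in C:\ProgramData\{...} and the memory at the JMP targets); it is not a clean/dirty verdict on its own.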