GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-11 19:25:18
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002f WDC_WD1002FAEX-00Y9A0 rev.05.01D05 931,51GB
Running: gmer.exe; Driver: C:\Users\Michal\AppData\Local\Temp\axddipog.sys

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\dwm.exe[832]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffcf7a1169a 4 bytes [A1, F7, FC, 7F]
.text  C:\WINDOWS\system32\dwm.exe[832]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffcf7a116a2 4 bytes [A1, F7, FC, 7F]
.text  C:\WINDOWS\system32\dwm.exe[832]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffcf7a1181a 4 bytes [A1, F7, FC, 7F]
.text  C:\WINDOWS\system32\dwm.exe[832]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffcf7a11832 4 bytes [A1, F7, FC, 7F]
.text  C:\WINDOWS\system32\nvvsvc.exe[896]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffcf7a1169a 4 bytes [A1, F7, FC, 7F]
.text  C:\WINDOWS\system32\nvvsvc.exe[896]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffcf7a116a2 4 bytes [A1, F7, FC, 7F]
.text  C:\WINDOWS\system32\nvvsvc.exe[896]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffcf7a1181a 4 bytes [A1, F7, FC, 7F]
.text  C:\WINDOWS\system32\nvvsvc.exe[896]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffcf7a11832 4 bytes [A1, F7, FC, 7F]
.text  C:\Windows\System32\svchost.exe[1492]  c:\windows\system32\WSOCK32.dll!setsockopt + 194  00007ffcef151f6a 4 bytes [15, EF, FC, 7F]
.text  C:\Windows\System32\svchost.exe[1492]  c:\windows\system32\WSOCK32.dll!setsockopt + 218  00007ffcef151f82 4 bytes [15, EF, FC, 7F]
.text  C:\Windows\System32\svchost.exe[1744]  c:\windows\system32\WSOCK32.dll!setsockopt + 194  00007ffcef151f6a 4 bytes [15, EF, FC, 7F]
.text  C:\Windows\System32\svchost.exe[1744]  c:\windows\system32\WSOCK32.dll!setsockopt + 218  00007ffcef151f82 4 bytes [15, EF, FC, 7F]
.text  C:\WINDOWS\Explorer.EXE[2972]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffcf7a1169a 4 bytes [A1, F7, FC, 7F]
.text  C:\WINDOWS\Explorer.EXE[2972]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 514  00007ffcf7a116a2 4 bytes [A1, F7, FC, 7F]
.text  C:\WINDOWS\Explorer.EXE[2972]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 118  00007ffcf7a1181a 4 bytes [A1, F7, FC, 7F]
.text  C:\WINDOWS\Explorer.EXE[2972]  C:\WINDOWS\system32\PSAPI.DLL!QueryWorkingSet + 142  00007ffcf7a11832 4 bytes [A1, F7, FC, 7F]
.text  C:\WINDOWS\Explorer.EXE[2972]  C:\WINDOWS\system32\WS2_32.dll!getpeername  00007ffcf7a2ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]}
.text  C:\WINDOWS\Explorer.EXE[2972]  C:\WINDOWS\system32\WS2_32.dll!getsockname  00007ffcf7a301b0 6 bytes {JMP QWORD [RIP-0x7fef010e]}
.text  C:\WINDOWS\Explorer.EXE[2972]  C:\WINDOWS\system32\WS2_32.dll!connect + 1  00007ffcf7a307f1 5 bytes {JMP QWORD [RIP-0x7fef07be]}
.text  C:\WINDOWS\Explorer.EXE[2972]  C:\WINDOWS\system32\WS2_32.dll!WSAConnect  00007ffcf7a369b0 6 bytes {JMP QWORD [RIP-0x7fef6946]}
.text  C:\Program Files\ESET\ESET Smart Security\egui.exe[3712]  C:\WINDOWS\system32\WS2_32.dll!getpeername  00007ffcf7a2ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]}
.text  C:\Program Files\ESET\ESET Smart Security\egui.exe[3712]  C:\WINDOWS\system32\WS2_32.dll!getsockname  00007ffcf7a301b0 6 bytes {JMP QWORD [RIP-0x7fef010e]}
.text  C:\Program Files\ESET\ESET Smart Security\egui.exe[3712]  C:\WINDOWS\system32\WS2_32.dll!connect + 1  00007ffcf7a307f1 5 bytes {JMP QWORD [RIP-0x7fef07be]}
.text  C:\Program Files\ESET\ESET Smart Security\egui.exe[3712]  C:\WINDOWS\system32\WS2_32.dll!WSAConnect  00007ffcf7a369b0 6 bytes {JMP QWORD [RIP-0x7fef6946]}

---- Threads - GMER 2.1 ----

Thread  System [4:960]  ffffe000864c6100
Thread  C:\WINDOWS\system32\csrss.exe [540:564]  fffff96000813b90

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0x83 0x54 0xA9 0x1B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0xE6 0x1D 0xBC 0x0B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  67
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\GSM5678328829_02_07D9_E3^366F980E75E8E37A601E41ADE71C4B7E@Timestamp  0xB7 0x0E 0x24 0x1C ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  636
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -1453706264
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  eee36497-5cc6-4196-a921-cc3c9ad
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WDI\Config@ServerName  \BaseNamedObjects\WDI_{892543b0-42b3-4edc-9403-e2457cdc06bd}
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{2ede4ba4-6d01-4ddb-bcdf-1d40f04def4d}@LastProbeTime  1434034208
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\d8-5d-4c-bb-e0-66@ClientLocalPort  62305
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\d8-5d-4c-bb-e0-66@AddressCreationTimestamp  0xD2 0x40 0x8A 0x0B ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\d8-5d-4c-bb-e0-66@TeredoAddress  2001:0:9d38:90d7:44:9948:b201:528
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@ReadyBootPlanAge  1
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  Cz, cze 11 15, 02:51:25
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  8472
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  5028
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  70
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{64DDF4AD-B749-4B5B-BF27-4C9F32717154}@LeaseObtainedTime  1434026995
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{64DDF4AD-B749-4B5B-BF27-4C9F32717154}@T1  1434156595
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{64DDF4AD-B749-4B5B-BF27-4C9F32717154}@T2  1434253795
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{64DDF4AD-B749-4B5B-BF27-4C9F32717154}@LeaseTerminatesTime  1434286195
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{72853161-30C5-4D22-B7F9-0BBC1D38A37E}\iexplore@Count  813

---- EOF - GMER 2.1 ----
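The "User code sections" records above mix two very different things: 6-byte `JMP QWORD [RIP-...]` entries in WS2_32.dll, which are real inline hooks (the FF 25 indirect-jump form, which reads its target from an 8-byte pointer slot at RIP plus the displacement), and 4-byte entries in PSAPI.DLL and WSOCK32.dll whose "patched" bytes, read little-endian, are just bits 16..47 of an address inside the same module (e.g. `[A1, F7, FC, 7F]` = `0x7ffcf7a1` at `00007ffcf7a1169a`). Because x64 image bases are 64 KiB aligned and user-mode pointers are 48-bit, a relocated absolute pointer differs from its on-disk form in exactly those four middle bytes, so such records are ASLR relocation noise rather than injected instructions. The script below is an added example written for this page, not GMER's code or output: it parses the record lines (copied from the log above as constructed input), applies that relocation heuristic (the 16 MiB same-module window is my assumption), resolves the pointer slot behind each full 6-byte JMP, and groups slots by 4 KiB page, which shows the three resolved Explorer.EXE[2972] hooks reading from one trampoline table. The `connect + 1 ... 5 bytes` record covers only part of an FF 25 instruction, so its slot is deliberately left unresolved rather than guessed.

```python
"""Triage helper for the "User code sections" block of a GMER 2.1 log.

Added example, not GMER's own code. Parses hook records, separates inline
JMP hooks from relocation noise, and resolves the pointer slot behind each
complete 6-byte FF 25 JMP so hooks sharing one trampoline table group together.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed input for this example: records copied from the GMER log above.
SAMPLE_LOG = r"""
.text  C:\WINDOWS\system32\dwm.exe[832]  C:\WINDOWS\system32\PSAPI.DLL!GetModuleBaseNameA + 506  00007ffcf7a1169a 4 bytes [A1, F7, FC, 7F]
.text  C:\Windows\System32\svchost.exe[1492]  c:\windows\system32\WSOCK32.dll!setsockopt + 194  00007ffcef151f6a 4 bytes [15, EF, FC, 7F]
.text  C:\WINDOWS\Explorer.EXE[2972]  C:\WINDOWS\system32\WS2_32.dll!getpeername  00007ffcf7a2ef28 6 bytes {JMP QWORD [RIP-0x7feeee4e]}
.text  C:\WINDOWS\Explorer.EXE[2972]  C:\WINDOWS\system32\WS2_32.dll!getsockname  00007ffcf7a301b0 6 bytes {JMP QWORD [RIP-0x7fef010e]}
.text  C:\WINDOWS\Explorer.EXE[2972]  C:\WINDOWS\system32\WS2_32.dll!connect + 1  00007ffcf7a307f1 5 bytes {JMP QWORD [RIP-0x7fef07be]}
.text  C:\WINDOWS\Explorer.EXE[2972]  C:\WINDOWS\system32\WS2_32.dll!WSAConnect  00007ffcf7a369b0 6 bytes {JMP QWORD [RIP-0x7fef6946]}
.text  C:\Program Files\ESET\ESET Smart Security\egui.exe[3712]  C:\WINDOWS\system32\WS2_32.dll!WSAConnect  00007ffcf7a369b0 6 bytes {JMP QWORD [RIP-0x7fef6946]}
"""

RECORD = re.compile(
    r"^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>.+?)!(?P<func>\S+)(?:\s+\+\s+(?P<off>\d+))?\s+"
    r"(?P<addr>[0-9a-fA-F]{16})\s+(?P<size>\d+)\s+bytes\s+(?P<detail>\S.*?)\s*$"
)
BYTE_LIST = re.compile(r"^\[([0-9A-Fa-f]{2}(?:,\s*[0-9A-Fa-f]{2})*)\]$")
RIP_JMP = re.compile(r"^\{JMP QWORD \[RIP([+-])0x([0-9a-fA-F]+)\]\}$")
RELOC_WINDOW = 16 * 1024 * 1024  # assumption: a module spans well under 16 MiB


@dataclass
class Hook:
    process: str
    pid: int
    module: str
    func: str
    offset: int
    addr: int
    size: int
    kind: str            # "rip_jmp" | "reloc_fixup" | "byte_patch" | "unknown"
    slot: Optional[int]  # pointer slot read by a complete 6-byte FF 25 JMP


def classify(addr: int, size: int, detail: str) -> Tuple[str, Optional[int]]:
    m = RIP_JMP.match(detail)
    if m:
        disp = int(m.group(2), 16) * (1 if m.group(1) == "+" else -1)
        # FF 25 disp32 is 6 bytes and reads its target from the 8-byte slot at
        # (address after the instruction) + disp. Resolve only when GMER reports
        # all 6 bytes; a 5-byte record ("connect + 1") is a partial instruction,
        # so the displacement cannot be anchored and the slot stays unresolved.
        return "rip_jmp", (addr + 6 + disp) if size == 6 else None
    m = BYTE_LIST.match(detail)
    if m:
        raw = bytes(int(b, 16) for b in re.split(r",\s*", m.group(1)))
        # Heuristic: 64 KiB-aligned image bases and 48-bit pointers mean a
        # relocated absolute pointer changes only in bits 16..47. If the four
        # changed bytes, shifted back up, land near the record's own address,
        # this is a relocated in-module pointer rather than injected code.
        value = int.from_bytes(raw, "little")
        if len(raw) == 4 and abs((value << 16) - addr) < RELOC_WINDOW:
            return "reloc_fixup", None
        return "byte_patch", None
    return "unknown", None


def parse(text: str) -> List[Hook]:
    hooks: List[Hook] = []
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue  # section headers, blank lines, Thread/Reg records
        addr, size = int(m["addr"], 16), int(m["size"])
        kind, slot = classify(addr, size, m["detail"])
        hooks.append(Hook(m["proc"], int(m["pid"]), m["module"], m["func"],
                          int(m["off"] or 0), addr, size, kind, slot))
    return hooks


def trampoline_tables(hooks: List[Hook]) -> Dict[Tuple[str, int, int], List[str]]:
    """Group resolved JMP slots by (process, pid, 4 KiB page); slots on one page
    belong to one hooking module's pointer table."""
    tables: Dict[Tuple[str, int, int], List[str]] = defaultdict(list)
    for h in hooks:
        if h.kind == "rip_jmp" and h.slot is not None:
            tables[(h.process, h.pid, h.slot & ~0xFFF)].append(h.func)
    return dict(tables)


def triage(text: str) -> Dict[str, List[str]]:
    """Split records into relocation noise, real hooks, and leftovers to review."""
    out: Dict[str, List[str]] = {"noise": [], "hooks": [], "review": []}
    for h in parse(text):
        tag = f"{h.process}[{h.pid}] {h.module}!{h.func}"
        if h.kind == "reloc_fixup":
            out["noise"].append(tag)
        elif h.kind == "rip_jmp":
            out["hooks"].append(tag + (f" -> slot {h.slot:#x}" if h.slot else " (partial)"))
        else:
            out["review"].append(tag)
    return out


if __name__ == "__main__":
    for kind, items in triage(SAMPLE_LOG).items():
        print(kind, *items, sep="\n  ")
    for (proc, pid, page), funcs in trampoline_tables(parse(SAMPLE_LOG)).items():
        print(f"{proc}[{pid}] pointer table page {page:#x}: {', '.join(funcs)}")
```

Run against the full log, the PSAPI.DLL and WSOCK32.dll records all land in `noise`, while every WS2_32.dll record lands in `hooks`; the getpeername, getsockname and WSAConnect slots in Explorer.EXE[2972] resolve to `0x7ffc77b400e0`, `0x7ffc77b400a8` and `0x7ffc77b40070`, i.e. one page, which is the signature of a single hooking DLL. The log itself does not identify that DLL, so the script does not either.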