GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-06-30 21:59:29
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.15.0 465,76GB
Running: mgbonzfd.exe; Driver: C:\Users\Szymon\AppData\Local\Temp\awrdipob.sys

---- Kernel code sections - GMER 2.1 ----

.text  C:\Windows\System32\win32k.sys!EngSetLastError + 620  fffff96000125108 8 bytes [0C, 12, 63, 04, 80, F8, FF, ...]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable  fffff96000154300 7 bytes [00, A1, F3, FF, 41, B4, F0]
.text  C:\Windows\System32\win32k.sys!W32pServiceTable + 8  fffff96000154308 3 bytes [00, 07, 02]
.text  ...  * 107
.text  C:\Windows\System32\win32k.sys!EngGetProcessHandle + 304  fffff9600021b200 6 bytes {JMP QWORD [RIP-0xbb862]}

---- User code sections - GMER 2.1 ----

.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[1172] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000075c12ab1 5 bytes JMP 0000000100302dcc
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ce1465 2 bytes [CE, 75]
.text  C:\Program Files (x86)\Skype\Phone\Skype.exe[2096] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ce14bb 2 bytes [CE, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2384] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  0000000075ce1465 2 bytes [CE, 75]
.text  C:\Program Files (x86)\Autodesk\Content Service\Connect.Service.ContentService.exe[2384] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000075ce14bb 2 bytes [CE, 75]
.text  ...  * 2
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[2528] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter  0000000076aa8791 8 bytes [31, C0, C2, 04, 00, 90, 90, ...]
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ce1465 2 bytes [CE, 75]
.text  C:\Program Files\AVAST Software\Avast\AvastUI.exe[2528] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ce14bb 2 bytes [CE, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ce1465 2 bytes [CE, 75]
.text  C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe[2540] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ce14bb 2 bytes [CE, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2552] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 69  0000000075ce1465 2 bytes [CE, 75]
.text  C:\Program Files (x86)\LogMeIn Hamachi\hamachi-2-ui.exe[2552] C:\Windows\syswow64\PsApi.dll!GetModuleInformation + 155  0000000075ce14bb 2 bytes [CE, 75]
.text  ...  * 2
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4384] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322  0000000072c01a22 2 bytes [C0, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4384] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496  0000000072c01ad0 2 bytes [C0, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4384] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552  0000000072c01b08 2 bytes [C0, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4384] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730  0000000072c01bba 2 bytes [C0, 72]
.text  C:\Windows\SysWOW64\PnkBstrA.exe[4384] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762  0000000072c01bda 2 bytes [C0, 72]

---- Threads - GMER 2.1 ----

Thread  C:\Windows\Explorer.EXE [1704:1304]  000000000253e260
Thread  C:\Windows\Explorer.EXE [1704:1368]  000000000253e260
Thread  C:\Windows\Explorer.EXE [1704:1364]  000000000253e260
Thread  C:\Windows\Explorer.EXE [1704:1436]  000000000253e260
Thread  C:\Windows\Explorer.EXE [1704:1440]  000000000253e260
Thread  C:\Windows\Explorer.EXE [1704:3376]  000000000253e260
Thread  C:\Windows\Explorer.EXE [1704:3380]  000000000253e260
Thread  C:\Windows\Explorer.EXE [1704:3384]  000000000253e260
Thread  C:\Windows\Explorer.EXE [1704:3388]  000000000253e260

---- Registry - GMER 2.1 ----

Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\Users\Szymon\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\GOG.com\Wiedźmin 3® - Dziki Gon\Usuń Wiedźmin 3® - Dziki Gon.lnk  1
Reg  HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\StartPage\NewShortcuts@C:\ProgramData\Microsoft\Windows\Start Menu\Programs\GOG.com\Wiedźmin 3® - Dziki Gon\Usuń Wiedźmin 3® - Dziki Gon.lnk  1

---- EOF - GMER 2.1 ----