GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-07-28 23:46:32 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 HGST_HTS541075A9E680 rev.JA2OA590 698,64GB Running: GMER.exe; Driver: C:\Users\AGNIES~1\AppData\Local\Temp\uwryipob.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000216600 15 bytes [00, 96, F2, 01, 00, 6A, 6C, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff96000216610 11 bytes [00, D7, FB, FF, 00, 7B, D1, ...] ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffc8aeb1270 5 bytes JMP 00007ffd0afe0460 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject 00007ffc8aeb12c0 1 byte JMP 00007ffd0afe0450 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtQueryObject + 2 00007ffc8aeb12c2 3 bytes {JMP 0xffffffff8012f190} .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffc8aeb1420 5 bytes JMP 00007ffd0afe0370 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffc8aeb1470 5 bytes JMP 00007ffd0afe0470 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffc8aeb1480 5 bytes JMP 00007ffd0afe03e0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSection 00007ffc8aeb1530 5 bytes JMP 00007ffd0afe0320 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffc8aeb1560 5 bytes JMP 00007ffd0afe03b0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffc8aeb1580 5 bytes JMP 00007ffd0afe0390 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffc8aeb15c0 5 bytes JMP 00007ffd0afe02e0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffc8aeb1640 1 byte JMP 00007ffd0afe02d0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent + 2 00007ffc8aeb1642 3 bytes {JMP 0xffffffff8012ec90} .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00007ffc8aeb1660 5 bytes JMP 00007ffd0afe0310 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00007ffc8aeb16a0 5 bytes JMP 00007ffd0afe03c0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffc8aeb16f0 5 bytes JMP 00007ffd0afe03f0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffc8aeb1850 5 bytes JMP 00007ffd0afe0230 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffc8aeb1a40 5 bytes JMP 00007ffd0afe0480 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffc8aeb1a70 5 bytes JMP 00007ffd0afe03a0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffc8aeb1b90 5 bytes JMP 00007ffd0afe02f0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffc8aeb1bb0 5 bytes JMP 00007ffd0afe0350 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffc8aeb1c20 5 bytes JMP 00007ffd0afe0290 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffc8aeb1cb0 5 bytes JMP 00007ffd0afe02b0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffc8aeb1cd0 5 bytes JMP 00007ffd0afe03d0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffc8aeb1ce0 5 bytes JMP 00007ffd0afe0330 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffc8aeb1d90 5 bytes JMP 00007ffd0afe0410 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffc8aeb1dc0 5 bytes JMP 00007ffd0afe0240 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffc8aeb20e0 5 bytes JMP 00007ffd0afe01e0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffc8aeb21a0 5 bytes JMP 00007ffd0afe0250 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffc8aeb21d0 5 bytes JMP 00007ffd0afe0490 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffc8aeb21e0 5 bytes JMP 00007ffd0afe04a0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffc8aeb2210 5 bytes JMP 00007ffd0afe0300 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffc8aeb2220 5 bytes JMP 00007ffd0afe0360 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffc8aeb2280 5 bytes JMP 00007ffd0afe02a0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffc8aeb22d0 5 bytes JMP 00007ffd0afe02c0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00007ffc8aeb2300 5 bytes JMP 00007ffd0afe0380 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffc8aeb2310 5 bytes JMP 00007ffd0afe0340 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffc8aeb2620 5 bytes JMP 00007ffd0afe0440 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffc8aeb2820 5 bytes JMP 00007ffd0afe0260 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffc8aeb2830 5 bytes JMP 00007ffd0afe0270 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffc8aeb2850 5 bytes JMP 00007ffd0afe0400 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffc8aeb2a30 5 bytes JMP 00007ffd0afe01f0 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffc8aeb2a40 5 bytes JMP 00007ffd0afe0210 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffc8aeb2ad0 5 bytes JMP 00007ffd0afe0200 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffc8aeb2b40 5 bytes JMP 00007ffd0afe0420 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffc8aeb2b50 5 bytes JMP 00007ffd0afe0430 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffc8aeb2b60 5 bytes JMP 00007ffd0afe0220 .text C:\Windows\system32\AUDIODG.EXE[5312] C:\Windows\SYSTEM32\ntdll.dll!NtVdmControl 00007ffc8aeb2c70 5 bytes JMP 00007ffd0afe0280 ---- Devices - GMER 2.1 ---- Device \Driver\iaStorA \Device\00000030 ffffe0017a57a2c0 Device \Driver\iaStorA \Device\RaidPort0 ffffe0017a57a2c0 Device \Driver\cdrom \Device\CdRom0 ffffe0017a5f72c0 Device \Driver\iaStorA \Device\00000031 ffffe0017a57a2c0 Device \Driver\iaStorA \Device\ScsiPort0 ffffe0017a57a2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys >>UNKNOWN [0xffffe0017a57a2c0]<< sptd.sys storport.sys hal.dll iaStorA.sys ffffe0017a57a2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe0017cda9350] ffffe0017cda9350 Trace 3 CLASSPNP.SYS[fffff801a1a9d170] -> nt!IofCallDriver -> \Device\00000030[0xffffe0017affe060] ffffe0017affe060 Trace \Driver\iaStorA[0xffffe0017af93d60] -> IRP_MJ_CREATE -> 0xffffe0017a57a2c0 ffffe0017a57a2c0 ---- Threads - GMER 2.1 ---- Thread C:\Windows\system32\csrss.exe [700:5092] fffff960004331fc Thread C:\Windows\system32\csrss.exe [568:2232] fffff960008192d0 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----