GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-07-30 13:00:04
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD5000AAKX-22ERMA0 rev.17.01H17 465,76GB
Running: ei5jykdc.exe; Driver: C:\Users\Sergiusz\AppData\Local\Temp\pftoipog.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\PnkBstrA.exe[2452] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000072d617fa 2 bytes CALL 75bd11a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2452] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000072d61860 2 bytes CALL 75bd11a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2452] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000072d61942 2 bytes JMP 76ff7089 C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2452] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000072d6194d 2 bytes JMP 76ffcba6 C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000072d617fa 2 bytes CALL 75bd11a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\SysWOW64\WSOCK32.dll!recvfrom + 88 0000000072d61860 2 bytes CALL 75bd11a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000072d61942 2 bytes JMP 76ff7089 C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 109 0000000072d6194d 2 bytes JMP 76ffcba6 C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000077861401 2 bytes JMP 75bfb21b C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000077861419 2 bytes JMP 75bfb346 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000077861431 2 bytes JMP 75c78f29 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007786144a 2 bytes CALL 75bd489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 00000000778614dd 2 bytes JMP 75c78822 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 00000000778614f5 2 bytes JMP 75c789f8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 000000007786150d 2 bytes JMP 75c78718 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000077861525 2 bytes JMP 75c78ae2 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 000000007786153d 2 bytes JMP 75befca8 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000077861555 2 bytes JMP 75bf68ef C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 000000007786156d 2 bytes JMP 75c78fe3 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000077861585 2 bytes JMP 75c78b42 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 000000007786159d 2 bytes JMP 75c786dc C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 00000000778615b5 2 bytes JMP 75befd41 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 00000000778615cd 2 bytes JMP 75bfb2dc C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 00000000778616b2 2 bytes JMP 75c78ea4 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 00000000778616bd 2 bytes JMP 75c78671 C:\Windows\syswow64\kernel32.dll

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{776F3CBC-E2AD-4493-836C-3D77A3FA3B68}\offreg.600.dll (*** suspicious ***) @ C:\Program Files\Microsoft Security Client\MsMpEng.exe [600](2015-07-30 10:43:07) 000007fef3480000

---- EOF - GMER 2.1 ----
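Each "User code sections" entry above has the same shape: hooked image and PID, module!function + offset, the patched address, patch size, JMP or CALL, the target address and, when GMER could attribute it, the module that contains the target; ".text ... * 9" is GMER's abbreviation for nine further entries of the same kind, and the "Processes" section lists libraries GMER flagged inside a host process. The following Python script is an added example, not part of the scan output and not GMER's own code: it parses those entries into fields and groups the hooks per process by where their target lands. The sample input is constructed for the example: a few lines excerpted from the log above, plus two lines for a hypothetical C:\Example\demo.exe that exist only to exercise the branches for a target GMER could not attribute to any module and a target in a module outside C:\Windows\. The tiering itself (targets attributed to a module under C:\Windows\ versus targets left unattributed) is this example's own triage heuristic, not a GMER verdict, and makes no claim about whether the PnkBstrA/PnkBstrB hooks in the log are benign.

```python
import json
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Optional

# One "User code sections" entry. Group names follow GMER's own column order:
# image[pid] module!function + offset address size bytes JMP|CALL target [target module]
HOOK_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>.+?)!(?P<func>\w+)\s+\+\s+(?P<offset>\d+)\s+"
    r"(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+bytes\s+"
    r"(?P<kind>JMP|CALL)\s+(?P<target>[0-9A-Fa-f]+)"
    r"(?:\s+(?P<target_module>\S.*?))?\s*$"
)
# ".text ... * N": GMER collapsed N further entries of the same shape.
ELIDED_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(?P<count>\d+)\s*$")
# "Processes" section: a library inside a host process, optionally flagged by GMER.
LIBRARY_RE = re.compile(
    r"^Library\s+(?P<path>.+?)(?P<flag>\s+\(\*\*\* suspicious \*\*\*\))?\s+@\s+"
    r"(?P<host>.+?)\s+\[(?P<pid>\d+)\]\((?P<loaded>[^)]+)\)\s+(?P<base>[0-9A-Fa-f]+)\s*$"
)


@dataclass(frozen=True)
class Hook:
    image: str
    pid: int
    module: str
    func: str
    offset: int
    addr: int
    size: int
    kind: str
    target: int
    target_module: Optional[str]  # None when GMER printed no module for the target


def parse_gmer(text: str):
    """Return (hooks, elided_count, libraries) from a GMER text log."""
    hooks, libraries, elided = [], [], 0
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            hooks.append(Hook(m["image"], int(m["pid"]), m["module"], m["func"],
                              int(m["offset"]), int(m["addr"], 16), int(m["size"]),
                              m["kind"], int(m["target"], 16), m["target_module"]))
        elif m := ELIDED_RE.match(line):
            elided += int(m["count"])
        elif m := LIBRARY_RE.match(line):
            libraries.append({"path": m["path"], "host": m["host"], "pid": int(m["pid"]),
                              "loaded": m["loaded"], "base": int(m["base"], 16),
                              "flagged": m["flag"] is not None})
    return hooks, elided, libraries


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(h: Hook) -> str:
    """Triage tier for one hook. This tiering is the example's own heuristic, not a GMER rule."""
    if h.target_module is None:
        return "unattributed-target"            # GMER mapped the target to no module at all
    if _basename(h.target_module) == _basename(h.module):
        return "intra-module"                   # detour stays inside the hooked DLL
    if h.target_module.lower().startswith("c:\\windows\\"):
        return "redirect-to-windows-module"     # lands in a system DLL such as kernel32/WS2_32
    return "redirect-to-other-module"           # lands in a non-system module: look at it


def triage(text: str) -> dict:
    """Summarise a GMER log: per-process tier counts, entries worth a closer look, flagged libraries."""
    hooks, elided, libraries = parse_gmer(text)
    by_process = defaultdict(Counter)
    for h in hooks:
        by_process[f"{h.image}[{h.pid}]"][classify(h)] += 1
    review = [h for h in hooks if classify(h) in ("unattributed-target", "redirect-to-other-module")]
    return {
        "hooks": len(hooks),
        "elided": elided,
        "by_process": {k: dict(v) for k, v in by_process.items()},
        "review": [(h.image, h.module, h.func, h.offset, h.kind, hex(h.target), h.target_module)
                   for h in review],
        "flagged_libraries": [lib["path"] for lib in libraries if lib["flagged"]],
    }


# Constructed sample: four lines excerpted from the log above, the elision marker, the flagged
# library line, and two hypothetical C:\Example\demo.exe lines (not from any real scan) that
# exercise the unattributed-target and non-Windows-target branches.
SAMPLE = r"""
---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\PnkBstrA.exe[2452] C:\Windows\SysWOW64\WSOCK32.dll!recv + 82 0000000072d617fa 2 bytes CALL 75bd11a9 C:\Windows\syswow64\kernel32.dll
.text C:\Windows\SysWOW64\PnkBstrA.exe[2452] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 98 0000000072d61942 2 bytes JMP 76ff7089 C:\Windows\syswow64\WS2_32.dll
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 000000007786144a 2 bytes CALL 75bd489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Windows\SysWOW64\PnkBstrB.exe[2536] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000077861555 2 bytes JMP 75bf68ef C:\Windows\syswow64\kernel32.dll
.text C:\Example\demo.exe[9999] C:\Windows\syswow64\ntdll.dll!NtQuerySystemInformation + 0 0000000000400000 5 bytes JMP 00a10000
.text C:\Example\demo.exe[9999] C:\Windows\syswow64\ntdll.dll!NtReadVirtualMemory + 4 0000000000400200 2 bytes JMP 00a12345 C:\Example\notreal.dll

---- Processes - GMER 2.1 ----

Library C:\ProgramData\Microsoft\Microsoft Antimalware\Definition Updates\{776F3CBC-E2AD-4493-836C-3D77A3FA3B68}\offreg.600.dll (*** suspicious ***) @ C:\Program Files\Microsoft Security Client\MsMpEng.exe [600](2015-07-30 10:43:07) 000007fef3480000

---- EOF - GMER 2.1 ----
"""

if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE), indent=2))
```

To run it on the real scan, replace SAMPLE with the full log text; the "elided" counter reminds you that the nine collapsed psapi.dll entries are not individually inspectable from the log and would need a fresh, uncollapsed scan to see.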