GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-01 23:24:51
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST950032 rev.0003 465,76GB
Running: pdimm5xs.exe; Driver: C:\Users\DOMOWY\AppData\Local\Temp\axdiikoc.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076d91401 2 bytes JMP 7753b20b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076d91419 2 bytes JMP 7753b336 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076d91431 2 bytes JMP 775b8f39 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076d9144a 2 bytes CALL 77514885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076d914dd 2 bytes JMP 775b8832 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076d914f5 2 bytes JMP 775b8a08 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076d9150d 2 bytes JMP 775b8728 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076d91525 2 bytes JMP 775b8af2 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076d9153d 2 bytes JMP 7752fc98 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076d91555 2 bytes JMP 775368df C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076d9156d 2 bytes JMP 775b8ff1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076d91585 2 bytes JMP 775b8b52 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076d9159d 2 bytes JMP 775b86ec C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076d915b5 2 bytes JMP 7752fd31 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076d915cd 2 bytes JMP 7753b2cc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076d916b2 2 bytes JMP 775b8eb4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Common Files\Microsoft Shared\Virtualization Handler\CVHSVC.EXE[3148] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076d916bd 2 bytes JMP 775b8681 C:\Windows\syswow64\kernel32.dll

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\0025d3b2962e
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a0f7fe
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a0f7fe@d487d807ed7a 0x58 0xE4 0x82 0xD0 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a0f7fe@6c5f1c06c2a6 0xF5 0x76 0x92 0x26 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\742f68a0f7fe@14a364166db2 0xB3 0xB5 0xC5 0x23 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\0025d3b2962e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a0f7fe (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a0f7fe@d487d807ed7a 0x58 0xE4 0x82 0xD0 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a0f7fe@6c5f1c06c2a6 0xF5 0x76 0x92 0x26 ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\742f68a0f7fe@14a364166db2 0xB3 0xB5 0xC5 0x23 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0EEFB371-14B9-323E-29F9-F1469DE2890E}
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0EEFB371-14B9-323E-29F9-F1469DE2890E}@hambogkljabkoihi 0x6B 0x61 0x63 0x69 ...
Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\{0EEFB371-14B9-323E-29F9-F1469DE2890E}@iagcffmglaoendgbhn 0x6B 0x61 0x63 0x69 ...

---- EOF - GMER 2.1 ----