GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-10-20 20:21:12 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000001f ST500LM012_HN-M500MBB rev.2AR10002 465,76GB Running: gmer.exe; Driver: C:\Users\Mama\AppData\Local\Temp\agriaaob.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ffe60b31280 5 bytes JMP 00007ffee0c60450 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ffe60b312d0 5 bytes JMP 00007ffee0c60440 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffe60b31430 5 bytes JMP 00007ffee0c60360 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ffe60b31480 5 bytes JMP 00007ffee0c60460 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ffe60b31490 5 bytes JMP 00007ffee0c603d0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ffe60b31540 5 bytes JMP 00007ffee0c60310 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffe60b31570 5 bytes JMP 00007ffee0c603a0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ffe60b31590 5 bytes JMP 00007ffee0c60380 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ffe60b315d0 5 bytes JMP 00007ffee0c602d0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ffe60b31650 5 bytes JMP 00007ffee0c602c0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ffe60b31670 1 byte JMP 00007ffee0c60300 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection + 2 00007ffe60b31672 3 bytes {JMP 0xffffffff8012ec90} .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ffe60b316b0 5 bytes JMP 00007ffee0c603b0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ffe60b31700 5 bytes JMP 00007ffee0c603e0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ffe60b31860 5 bytes JMP 00007ffee0c60220 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ffe60b31a50 5 bytes JMP 00007ffee0c60470 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ffe60b31a80 5 bytes JMP 00007ffee0c60390 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ffe60b31ba0 5 bytes JMP 00007ffee0c602e0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffe60b31bc0 5 bytes JMP 00007ffee0c60340 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ffe60b31c30 5 bytes JMP 00007ffee0c60280 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ffe60b31cc0 5 bytes JMP 00007ffee0c602a0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ffe60b31ce0 5 bytes JMP 00007ffee0c603c0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ffe60b31cf0 5 bytes JMP 00007ffee0c60320 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ffe60b31da0 5 bytes JMP 00007ffee0c60400 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ffe60b31dd0 5 bytes JMP 00007ffee0c60230 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ffe60b320f0 5 bytes JMP 00007ffee0c601d0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ffe60b321b0 1 byte JMP 00007ffee0c60240 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry + 2 00007ffe60b321b2 3 bytes {JMP 0xffffffff8012e090} .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ffe60b321e0 5 bytes JMP 00007ffee0c60480 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ffe60b321f0 5 bytes JMP 00007ffee0c60490 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ffe60b32220 5 bytes JMP 00007ffee0c602f0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ffe60b32230 5 bytes JMP 00007ffee0c60350 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ffe60b32290 5 bytes JMP 00007ffee0c60290 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ffe60b322e0 5 bytes JMP 00007ffee0c602b0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ffe60b32310 5 bytes JMP 00007ffee0c60370 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ffe60b32320 5 bytes JMP 00007ffee0c60330 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ffe60b32630 5 bytes JMP 00007ffee0c60430 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ffe60b32830 5 bytes JMP 00007ffee0c60250 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ffe60b32840 5 bytes JMP 00007ffee0c60260 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ffe60b32860 1 byte JMP 00007ffee0c603f0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread + 2 00007ffe60b32862 3 bytes {JMP 0xffffffff8012db90} .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ffe60b32a40 5 bytes JMP 00007ffee0c601e0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ffe60b32a50 5 bytes JMP 00007ffee0c60200 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ffe60b32ae0 5 bytes JMP 00007ffee0c601f0 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ffe60b32b50 5 bytes JMP 00007ffee0c60410 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ffe60b32b60 5 bytes JMP 00007ffee0c60420 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ffe60b32b70 5 bytes JMP 00007ffee0c60210 .text C:\WINDOWS\system32\AUDIODG.EXE[4048] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ffe60b32c80 5 bytes JMP 00007ffee0c60270 ---- Devices - GMER 2.1 ---- Device \Driver\iaStorA \Device\0000001f ffffe000853ba2c0 Device \Driver\iaStorA \Device\RaidPort0 ffffe000853ba2c0 Device \Driver\cdrom \Device\CdRom0 ffffe000853fd2c0 Device \Driver\iaStorA \Device\ScsiPort0 ffffe000853ba2c0 Device \Driver\iaStorA \Device\00000020 ffffe000853ba2c0 ---- Trace I/O - GMER 2.1 ---- Trace ntoskrnl.exe CLASSPNP.SYS disk.sys ACPI.sys >>UNKNOWN [0xffffe000853ba2c0]<< sptd.sys storport.sys hal.dll iaStorA.sys ffffe000853ba2c0 Trace 1 nt!IofCallDriver -> \Device\Harddisk0\DR0[0xffffe000861b8350] ffffe000861b8350 Trace 3 CLASSPNP.SYS[fffff800ad402170] -> nt!IofCallDriver -> [0xffffe00085043e50] ffffe00085043e50 Trace 5 ACPI.sys[fffff800ac826c21] -> nt!IofCallDriver -> \Device\0000001f[0xffffe000861ca7f0] ffffe000861ca7f0 Trace \Driver\iaStorA[0xffffe00085ce7de0] -> IRP_MJ_CREATE -> 0xffffe000853ba2c0 ffffe000853ba2c0 ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [700:724] fffff960009a52d0 ---- Processes - GMER 2.1 ---- Process C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe (*** suspicious ***) @ C:\ProgramData\Samsung\SW Update Service\SWMAgent.exe [1784] (SW Update Agent/Samsung Electronics CO., LTD.)(2013-10-21 20:07:30) 00000000008a0000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----