GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-10 22:30:52
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM000-1EJ162 rev.SM28 465,76GB
Running: d5nn9jry.exe; Driver: C:\Users\pysiol\AppData\Local\Temp\afkdipog.sys

---- User code sections - GMER 2.1 ----

.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\kernel32.dll!SetUnhandledExceptionFilter 00000000768f8781 4 bytes [C2, 04, 00, 00]
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExW + 17 0000000076eb1401 2 bytes JMP 7691b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!EnumProcessModules + 17 0000000076eb1419 2 bytes JMP 7691b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 17 0000000076eb1431 2 bytes JMP 76998fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!GetModuleInformation + 42 0000000076eb144a 2 bytes CALL 768f489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!EnumDeviceDrivers + 17 0000000076eb14dd 2 bytes JMP 769988c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameA + 17 0000000076eb14f5 2 bytes JMP 76998aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!QueryWorkingSetEx + 17 0000000076eb150d 2 bytes JMP 769987ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!GetDeviceDriverBaseNameW + 17 0000000076eb1525 2 bytes JMP 76998b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameW + 17 0000000076eb153d 2 bytes JMP 7690fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!EnumProcesses + 17 0000000076eb1555 2 bytes JMP 769168ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!GetProcessMemoryInfo + 17 0000000076eb156d 2 bytes JMP 76999089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!GetPerformanceInfo + 17 0000000076eb1585 2 bytes JMP 76998bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!QueryWorkingSet + 17 0000000076eb159d 2 bytes JMP 7699877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!GetModuleBaseNameA + 17 0000000076eb15b5 2 bytes JMP 7690fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!GetModuleFileNameExA + 17 0000000076eb15cd 2 bytes JMP 7691b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 20 0000000076eb16b2 2 bytes JMP 76998f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files\ESET\ESET NOD32 Antivirus\x86\ekrn.exe[1980] C:\Windows\syswow64\psapi.dll!GetProcessImageFileNameW + 31 0000000076eb16bd 2 bytes JMP 76998713 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076eb1401 2 bytes JMP 7691b21b C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076eb1419 2 bytes JMP 7691b346 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076eb1431 2 bytes JMP 76998fd1 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076eb144a 2 bytes CALL 768f489d C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076eb14dd 2 bytes JMP 769988c4 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076eb14f5 2 bytes JMP 76998aa0 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076eb150d 2 bytes JMP 769987ba C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076eb1525 2 bytes JMP 76998b8a C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076eb153d 2 bytes JMP 7690fca8 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076eb1555 2 bytes JMP 769168ef C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076eb156d 2 bytes JMP 76999089 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076eb1585 2 bytes JMP 76998bea C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076eb159d 2 bytes JMP 7699877e C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076eb15b5 2 bytes JMP 7690fd41 C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076eb15cd 2 bytes JMP 7691b2dc C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076eb16b2 2 bytes JMP 76998f4c C:\Windows\syswow64\kernel32.dll
.text C:\Program Files (x86)\Sony\VAIO Event Service\VESMgrSub.exe[2908] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076eb16bd 2 bytes JMP 76998713 C:\Windows\syswow64\kernel32.dll

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\svchost.exe [1776:3572] 000007feea8f9688

---- Processes - GMER 2.1 ----

Library C:\Users\pysiol\AppData\Local\Temp\jna--973225924\jna3249077760989672170.dll (*** suspicious ***) @ C:\Program Files (x86)\Java\jre7\bin\javaw.exe [984] (JNA native library/Java(TM) Native Access (JNA))(2015-12-10 17:33:29) 000000003a890000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEA 0x72 0x84 0x88 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x6C 0x6B 0x89 0x66 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40
Reg HKLM\SYSTEM\CurrentControlSet\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xF5 0x7A 0xCD 0xFF ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@p0 C:\Program Files (x86)\Alcohol Soft\Alcohol 120\
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@h0 0
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04@ujdew 0xEA 0x72 0x84 0x88 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@a0 0x20 0x01 0x00 0x00 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001@ujdew 0x6C 0x6B 0x89 0x66 ...
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\sptd\Cfg\0D79C293C1ED61418462E24595C90D04\00000001\jdgg40@ujdew 0xF5 0x7A 0xCD 0xFF ...

---- Files - GMER 2.1 ----

File C:\Users\pysiol\AppData\Local\Mozilla\Firefox\Profiles\62n1d2sh.default\cache2\entries\55DA4904C23C1DA9198EA5B7F4344E6C981F1C79 156 bytes
File C:\Users\pysiol\AppData\Local\Mozilla\Firefox\Profiles\62n1d2sh.default\cache2\entries\1FB0455CE5710F74D21DF2B3AFEC69C5281AF84E 156 bytes

---- EOF - GMER 2.1 ----