GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-06-25 20:18:35 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 ST1000DM003-1SB10C rev.CC43 931,51GB Running: k5b9vnd1.exe; Driver: C:\Users\PIOTRN~1\AppData\Local\Temp\uglyrpog.sys ---- Kernel code sections - GMER 2.2 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff96000070a00 15 bytes [00, 31, EF, 01, 00, 36, 6A, ...] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 16 fffff96000070a10 11 bytes [00, E4, FB, FF, C0, 4B, E6, ...] ---- User code sections - GMER 2.2 ---- .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer + 132 00007ff96a9e4ba4 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlPrefixString + 316 00007ff96a9e4fcc 8 bytes [A0, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!TpAllocIoCompletion + 710 00007ff96a9e52a6 8 bytes [90, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitForWnfMetaNotification + 479 00007ff96a9e549f 8 bytes {JMP 0xffffffffffffffee} .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 911 00007ff96a9e583f 8 bytes [70, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlUserThreadStart + 997 00007ff96a9e5895 8 bytes [60, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!TpAllocWork + 420 00007ff96a9e5a44 8 bytes [50, 6B, F8, 7F, 00, 00, 00, ...] .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!RtlWaitOnAddress + 657 00007ff96a9e5fe1 8 bytes {JMP 0xffffffffffffff9e} .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00007ff96aa60780 8 bytes {JMP QWORD [RIP-0x7af47]} .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationThread 00007ff96aa60900 8 bytes {JMP QWORD [RIP-0x7b071]} .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00007ff96aa60930 8 bytes {JMP QWORD [RIP-0x7b96a]} .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff96aa60a50 8 bytes {JMP QWORD [RIP-0x7b5b7]} .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00007ff96aa60b00 8 bytes {JMP QWORD [RIP-0x7b860]} .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff96aa611c0 8 bytes {JMP QWORD [RIP-0x7b1e5]} .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtGetContextThread 00007ff96aa614c0 8 bytes {JMP QWORD [RIP-0x7b77e]} .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff96aa61d40 8 bytes {JMP QWORD [RIP-0x7c302]} .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\system32\wow64cpu.dll!CpuSetContext + 438 00000000772713f6 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\system32\wow64cpu.dll!CpuGetContext + 387 0000000077271583 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\system32\wow64cpu.dll!CpuSetInstructionPointer + 49 0000000077271621 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\system32\wow64cpu.dll!CpuProcessInit + 68 0000000077271674 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\system32\wow64cpu.dll!CpuGetStackPointer + 23 00000000772716d7 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 9 00000000772716e9 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] .text C:\Users\Piotr Nalewajko\Downloads\k5b9vnd1.exe[4760] C:\Windows\system32\wow64cpu.dll!CpuNotifyAffinityChange + 71 0000000077271727 8 bytes [0D, F0, AD, BA, DE, C0, AD, ...] ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ff9a97e002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\system32\USER32.dll[GDI32.dll!GetStockObject] [7ff9a97e006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\system32\MSCTF.dll[GDI32.dll!GetStockObject] [7ff9a97e006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ff9a9b1002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ff9a97e006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\system32\SHLWAPI.dll[USER32.dll!RegisterClassW] [7ff9a9b1002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\system32\SHLWAPI.dll[GDI32.dll!GetStockObject] [7ff9a97e006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\system32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ff9a9b1002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\system32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ff9a97e006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\system32\ole32.dll[GDI32.dll!GetStockObject] [7ff9a97e006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\system32\ole32.dll[USER32.dll!RegisterClassW] [7ff9a9b1002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[GDI32.dll!GetStockObject] [7ff9a97e006c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.9600.17810_none_6240b9c7ecbd0bda\COMCTL32.dll[USER32.dll!RegisterClassW] [7ff9a9b1002c] IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[4028] @ C:\Windows\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff94785aed8] C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1664] @ C:\Program Files (x86)\Google\Chrome\Application\51.0.2704.106\PepperFlash\pepflashplayer.dll[KERNEL32.dll!CreateNamedPipeW] [7ff9a999002c] ---- Threads - GMER 2.2 ---- Thread C:\Windows\system32\csrss.exe [600:624] fffff960009ac2d0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot@OfficeODC ?????????????????? ??????????????????&????4?????????SWD\PRINTENUM\PrintQueues????????????????&???????????l???????????&???????????????d????????????????N?????????????????????????????????????????????????????????????????? ???9????????????????$?????????? T???????????????????N???????????D?????? p??????????????????????????????????&??? $?????????????????Local Print Queue?????H?????????????????Local Print Queue???????????????????????Microsoft????????????&??????????????Microsoft???????????????????????? ??????????????????6-21-2006???????????????PrintQueue.inf???&??????? ??????????????n???6.3.9600.16384??????????????????6.3.9600.16384??????????PrintQueue.inf????????4??????????????????????&????l??????&???????&??????? ??????????????????NO_DRV_LOCAL????????????????NO_DRV_LOCAL?????????????????&???????&????4?????????????????PRINTENUM\LocalPrintQueue??????????????$????????PRINTENUM\LocalPrintQueue????????????????????&???&???&???&???&??????????Send To OneNote 2013?l???#?$????????????????lA???????&????????????????????????????? Reg HKLM\SYSTEM\CurrentControlSet\Control\MUI\StringCacheSettings@StringCacheGeneration 100 Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations \??\C:\Program Files (x86)\Google\Chrome?? Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -1260433058 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 3218 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 887 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{4e7ad5ef-1d0a-11e6-8291-fcaa14e7a8d9} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{4e7ad5ef-1d0a-11e6-8291-fcaa14e7a8d9}@Drive Type 1048593 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{4e7ad5ef-1d0a-11e6-8291-fcaa14e7a8d9}@IsImapiDataBurnSupported 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{68475ddd-16cf-11e6-828d-fcaa14e7a8d9} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{68475ddd-16cf-11e6-828d-fcaa14e7a8d9}@Drive Type 1048593 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{68475ddd-16cf-11e6-828d-fcaa14e7a8d9}@IsImapiDataBurnSupported 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{68475dee-16cf-11e6-828d-fcaa14e7a8d9} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{68475dee-16cf-11e6-828d-fcaa14e7a8d9}@Drive Type 1048593 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{68475dee-16cf-11e6-828d-fcaa14e7a8d9}@IsImapiDataBurnSupported 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{6847601a-16cf-11e6-828d-fcaa14e7a8d9} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{6847601a-16cf-11e6-828d-fcaa14e7a8d9}@Drive Type 1048593 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{6847601a-16cf-11e6-828d-fcaa14e7a8d9}@IsImapiDataBurnSupported 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{d98d271e-371b-11e6-8293-048d38ed02cc} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{d98d271e-371b-11e6-8293-048d38ed02cc}@Drive Type 1048593 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{d98d271e-371b-11e6-8293-048d38ed02cc}@IsImapiDataBurnSupported 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{d98d2722-371b-11e6-8293-048d38ed02cc} Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{d98d2722-371b-11e6-8293-048d38ed02cc}@Drive Type 1048593 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\Drives\Volume{d98d2722-371b-11e6-8293-048d38ed02cc}@IsImapiDataBurnSupported 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{4e7ad5ef-1d0a-11e6-8291-fcaa14e7a8d9}@Active 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{68475ddd-16cf-11e6-828d-fcaa14e7a8d9}@Active 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{68475dee-16cf-11e6-828d-fcaa14e7a8d9}@Active 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{6847601a-16cf-11e6-828d-fcaa14e7a8d9}@Active 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{d98d271e-371b-11e6-8293-048d38ed02cc}@Active 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\CD Burning\StagingInfo\Volume{d98d2722-371b-11e6-8293-048d38ed02cc}@Active 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.txt\OpenWithList@MRUList ab Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{D0498E0A-45B7-42AE-A9AA-ABA463DBD3BF}\iexplore@Count 194 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\DirtyLocalCollections@windows-spellingdictionary 1 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@PolicyDocumentLastRefresh 0xF3 0x62 0xE9 0x89 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsBandwidthBucketCounter 306 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsRequestBucketCounter 100 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsRequestBucketDrainTime 0x8F 0x1F 0x21 0x8A ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@WindowsLargeRequestBucketCounter 98 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastWindowsLargeRequestBucketDrainTime 0x8F 0x1F 0x21 0x8A ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastOtherRequestBucketDrainTime 0x8F 0x1F 0x21 0x8A ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalBandwidthBucketCounter 617704 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@GlobalRequestBucketCounter 198 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastGlobalRequestBucketDrainTime 0x8F 0x1F 0x21 0x8A ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\PolicyData@LastUploadTime 0xA7 0xF4 0x22 0x8A ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x53 0x98 0xC5 0x93 ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData@PendingOperations 6 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\SettingSync\SyncData\Namespace\windows\explorer@PendingOperations 0 Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store@LastTileRefresh 0x81 0x79 0xF2 0x7C ... Reg HKCU\Software\Microsoft\Windows\CurrentVersion\Store\RefreshBannedAppList@BannedAppsLastModified 0x00 0xAC 0x79 0x83 ... ---- EOF - GMER 2.2 ----