GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-27 14:59:08 Windows 6.1.7601 Service Pack 1 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 Hitachi_HTS543232L9A300 rev.FB4OC40C 298,09GB Running: 763drls8.exe; Driver: C:\Users\Marian\AppData\Local\Temp\awxdrpog.sys ---- Kernel code sections - GMER 2.2 ---- .text ntkrnlpa.exe!ZwRenameKey + 1549 82A8BF05 1 Byte [06] .text ntkrnlpa.exe!KiDispatchInterrupt + 5A2 82AC6292 19 Bytes [E0, 0F, BA, F0, 07, 73, 09, ...] {LOOPNZ 0x11; MOV EDX, 0x97307f0; MOV CR4, EAX; OR AL, 0x80; MOV CR4, EAX; RET ; MOV ECX, CR3} ---- User code sections - GMER 2.2 ---- .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtCreateFile + 6 77275196 4 Bytes [28, B8, 34, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtCreateFile + B 7727519B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtMapViewOfSection + 6 772757F6 4 Bytes [28, BB, 34, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtMapViewOfSection + B 772757FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenFile + 6 772758A6 4 Bytes [68, B8, 34, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenFile + B 772758AB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenProcess + 6 77275956 4 Bytes [A8, B9, 34, 00] {TEST AL, 0xb9; XOR AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenProcess + B 7727595B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenProcessToken + B 7727596B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenProcessTokenEx + 6 77275976 4 Bytes [A8, BA, 34, 00] {TEST AL, 0xba; XOR AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenProcessTokenEx + B 7727597B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenThread + 6 772759D6 4 Bytes [68, B9, 34, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenThread + B 772759DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenThreadToken + 6 772759E6 4 Bytes [68, BA, 34, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenThreadToken + B 772759EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtOpenThreadTokenEx + B 772759FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtQueryAttributesFile + 6 77275B06 4 Bytes [A8, B8, 34, 00] {TEST AL, 0xb8; XOR AL, 0x0} .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtQueryAttributesFile + B 77275B0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtQueryFullAttributesFile + B 77275BBB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtSetInformationFile + 6 77276206 4 Bytes [28, B9, 34, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtSetInformationFile + B 7727620B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtSetInformationThread + 6 77276266 4 Bytes [28, BA, 34, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtSetInformationThread + B 7727626B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtUnmapViewOfSection + 6 77276586 4 Bytes [68, BB, 34, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[980] ntdll.dll!NtUnmapViewOfSection + B 7727658B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtCreateFile + 6 77275196 4 Bytes [28, 44, 1D, 00] {SUB [EBP+EBX+0x0], AL} .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtCreateFile + B 7727519B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtMapViewOfSection + 6 772757F6 4 Bytes [28, 47, 1D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtMapViewOfSection + B 772757FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtOpenFile + 6 772758A6 4 Bytes [68, 44, 1D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtOpenFile + B 772758AB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtOpenProcess + 6 77275956 4 Bytes [A8, 45, 1D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtOpenProcess + B 7727595B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtOpenProcessToken + B 7727596B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtOpenProcessTokenEx + 6 77275976 4 Bytes [A8, 46, 1D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtOpenProcessTokenEx + B 7727597B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtOpenThread + 6 772759D6 4 Bytes [68, 45, 1D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtOpenThread + B 772759DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtOpenThreadToken + 6 772759E6 4 Bytes [68, 46, 1D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtOpenThreadToken + B 772759EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtOpenThreadTokenEx + B 772759FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtQueryAttributesFile + 6 77275B06 4 Bytes [A8, 44, 1D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtQueryAttributesFile + B 77275B0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtQueryFullAttributesFile + B 77275BBB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtSetInformationFile + 6 77276206 4 Bytes [28, 45, 1D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtSetInformationFile + B 7727620B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtSetInformationThread + 6 77276266 4 Bytes [28, 46, 1D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtSetInformationThread + B 7727626B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtUnmapViewOfSection + 6 77276586 4 Bytes [68, 47, 1D, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[1668] ntdll.dll!NtUnmapViewOfSection + B 7727658B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2204] ntdll.dll!NtMapViewOfSection + 6 772757F6 4 Bytes [18, D0, 9B, 72] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2204] ntdll.dll!NtMapViewOfSection + B 772757FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtCreateFile + 6 77275196 4 Bytes [28, 40, CB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtCreateFile + B 7727519B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtMapViewOfSection + 6 772757F6 4 Bytes [28, 43, CB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtMapViewOfSection + B 772757FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenFile + 6 772758A6 4 Bytes [68, 40, CB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenFile + B 772758AB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenProcess + 6 77275956 4 Bytes [A8, 41, CB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenProcess + B 7727595B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenProcessToken + 6 77275966 4 Bytes CALL 762824AC C:\Windows\system32\USER32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenProcessToken + B 7727596B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenProcessTokenEx + 6 77275976 4 Bytes [A8, 42, CB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenProcessTokenEx + B 7727597B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenThread + 6 772759D6 4 Bytes [68, 41, CB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenThread + B 772759DB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenThreadToken + 6 772759E6 4 Bytes [68, 42, CB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenThreadToken + B 772759EB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenThreadTokenEx + 6 772759F6 4 Bytes CALL 7628253D C:\Windows\system32\USER32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtOpenThreadTokenEx + B 772759FB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtQueryAttributesFile + 6 77275B06 4 Bytes [A8, 40, CB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtQueryAttributesFile + B 77275B0B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtQueryFullAttributesFile + 6 77275BB6 4 Bytes CALL 762826FB C:\Windows\system32\USER32.dll .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtQueryFullAttributesFile + B 77275BBB 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtSetInformationFile + 6 77276206 4 Bytes [28, 41, CB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtSetInformationFile + B 7727620B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtSetInformationThread + 6 77276266 4 Bytes [28, 42, CB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtSetInformationThread + B 7727626B 1 Byte [E2] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtUnmapViewOfSection + 6 77276586 4 Bytes [68, 43, CB, 00] .text C:\Program Files\Google\Chrome\Application\chrome.exe[2844] ntdll.dll!NtUnmapViewOfSection + B 7727658B 1 Byte [E2] .text C:\Program Files\CCleaner\CCleaner.exe[3328] USER32.dll!SetScrollRange 761E8E93 5 Bytes JMP 00E22F39 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3328] USER32.dll!GetScrollInfo 761F2D7B 5 Bytes JMP 00E22EC0 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3328] USER32.dll!SetScrollInfo 761F48B2 5 Bytes JMP 00E22F76 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3328] USER32.dll!GetScrollRange 7621042A 5 Bytes JMP 00E22E57 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3328] USER32.dll!SetScrollPos 7621048E 5 Bytes JMP 00E22E2C C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3328] USER32.dll!GetScrollPos 76210E13 5 Bytes JMP 00E22E95 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3328] USER32.dll!EnableScrollBar 7621199E 5 Bytes JMP 00E22FB0 C:\Program Files\CCleaner\CCleaner.exe .text C:\Program Files\CCleaner\CCleaner.exe[3328] USER32.dll!ShowScrollBar 76213C59 5 Bytes JMP 00E22EF9 C:\Program Files\CCleaner\CCleaner.exe ---- Registry - GMER 2.2 ---- Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0x05 0xFD 0xFC 0x16 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\System32\sdiagnhost.exe 0xB5 0xBC 0x61 0x7D ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe 0xCC 0x80 0xF8 0x84 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v2.0.50727/mscorwks.dll@\Device\HarddiskVolume2\Program Files\Lenovo\Customer Feedback Program 35\Lenovo.TVT.CustomerFeedback.Agent35.exe 0xC2 0x78 0xF3 0x97 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe 0xB9 0x99 0xFA 0x14 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\msiexec.exe 0xAB 0x63 0x26 0x19 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.exe 0xE3 0xA2 0x01 0xB7 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Windows\System32\rundll32.exe 0xA5 0x35 0x3C 0xA2 ... Reg HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\CIT\Module\Microsoft.NET/Framework/v4.0.30319/clr.dll@\Device\HarddiskVolume2\Program Files\Lenovo\SHAREit\Shareit.exe 0xB4 0x17 0x3F 0x21 ... ---- EOF - GMER 2.2 ----