GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-12-04 00:01:09
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000005b ST1000LM rev.2BA3 931,51GB
Running: ij35icd5.exe; Driver: C:\Users\Paula\AppData\Local\Temp\kwddrkob.sys

---- Kernel code sections - GMER 2.2 ----

.text C:\Windows\System32\win32k.sys!W32pServiceTable fffff960001a5900 7 bytes [80, 4F, F3, FF, 01, 5B, F0]
.text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff960001a5908 3 bytes [C0, 06, 02]

---- User code sections - GMER 2.2 ----

.text C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[4556] C:\Windows\system32\kernel32.dll!LoadLibraryW 0000000077566420 5 bytes JMP 0000000067aa22c0
.text C:\Program Files\Common Files\McAfee\Platform\McSvcHost\McSvHost.exe[4556] C:\Windows\system32\kernel32.dll!LoadLibraryA 0000000077566510 5 bytes JMP 0000000067aa2160
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076a21401 2 bytes JMP 7599b233 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076a21419 2 bytes JMP 7599b35e C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076a21431 2 bytes JMP 75a19149 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076a2144a 2 bytes CALL 75974885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076a214dd 2 bytes JMP 75a18a42 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076a214f5 2 bytes JMP 75a18c18 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076a2150d 2 bytes JMP 75a18938 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076a21525 2 bytes JMP 75a18d02 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076a2153d 2 bytes JMP 7598fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076a21555 2 bytes JMP 75996907 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076a2156d 2 bytes JMP 75a19201 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076a21585 2 bytes JMP 75a18d62 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076a2159d 2 bytes JMP 75a188fc C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076a215b5 2 bytes JMP 7598fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076a215cd 2 bytes JMP 7599b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076a216b2 2 bytes JMP 75a190c4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[647428] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076a216bd 2 bytes JMP 75a18891 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17 0000000076a21401 2 bytes JMP 7599b233 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17 0000000076a21419 2 bytes JMP 7599b35e C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17 0000000076a21431 2 bytes JMP 75a19149 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42 0000000076a2144a 2 bytes CALL 75974885 C:\Windows\syswow64\kernel32.dll
.text ... * 9
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17 0000000076a214dd 2 bytes JMP 75a18a42 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17 0000000076a214f5 2 bytes JMP 75a18c18 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17 0000000076a2150d 2 bytes JMP 75a18938 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17 0000000076a21525 2 bytes JMP 75a18d02 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17 0000000076a2153d 2 bytes JMP 7598fcc0 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17 0000000076a21555 2 bytes JMP 75996907 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17 0000000076a2156d 2 bytes JMP 75a19201 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17 0000000076a21585 2 bytes JMP 75a18d62 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17 0000000076a2159d 2 bytes JMP 75a188fc C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17 0000000076a215b5 2 bytes JMP 7598fd59 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17 0000000076a215cd 2 bytes JMP 7599b2f4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20 0000000076a216b2 2 bytes JMP 75a190c4 C:\Windows\syswow64\kernel32.dll
.text C:\Users\Paula\AppData\Local\Akamai\netsession_win.exe[648208] C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31 0000000076a216bd 2 bytes JMP 75a18891 C:\Windows\syswow64\kernel32.dll

---- User IAT/EAT - GMER 2.2 ----

IAT C:\Windows\system32\mfevtps.exe[3028] @ C:\Windows\system32\CRYPT32.dll[KERNEL32.dll!LoadLibraryA] [13ffb2080] C:\Windows\system32\mfevtps.exe

---- Threads - GMER 2.2 ----

Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:1332] 000000007799f523
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:1576] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:1668] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3236] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3360] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3328] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3464] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3472] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3420] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3416] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3468] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3424] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:1176] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:1288] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3784] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3788] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3808] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3832] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3836] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3856] 00000000779a046c
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:3060] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:403804] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:469628] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:549188] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:591932] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:592856] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:623012] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:624248] 00000000779a046c
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:624732] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:625440] 00000000681029e1
Thread C:\Program Files (x86)\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe [3452:627836] 00000000681029e1

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot@OfficeODC
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\d05349ce1158
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\d05349cebdda
Reg HKLM\SYSTEM\ControlSet002\Control\BackupRestore\FilesNotToSnapshot@OfficeODC
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\d05349ce1158 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\d05349cebdda (not active ControlSet)

---- EOF - GMER 2.2 ----