GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-12-06 09:27:07 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB Running: 2u41nlnt.exe; Driver: C:\Users\Maciek\AppData\Local\Temp\kwrdrpog.sys ---- User code sections - GMER 2.2 ---- .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2708] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779f1590 14 bytes {MOV RAX, 0x7fef5488d50; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 00000000779f13e0 7 bytes [48, B8, 74, 0B, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread + 8 00000000779f13e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken 00000000779f1550 7 bytes {ADD [RAX-0x48], CL; CALL 0x13f4213} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadToken + 8 00000000779f1558 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess 00000000779f1570 7 bytes [48, B8, 94, 0F, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcess + 8 00000000779f1578 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile 00000000779f1580 7 bytes [48, B8, 98, 0D, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationFile + 8 00000000779f1588 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 00000000779f1590 7 bytes [48, B8, 58, 0A, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection + 8 00000000779f1598 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000779f15b0 7 bytes [48, B8, C4, 0A, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection + 8 00000000779f15b8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx 00000000779f1600 7 bytes [48, B8, 58, 0C, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThreadTokenEx + 8 00000000779f1608 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx 00000000779f1610 7 bytes [48, B8, D0, 0F, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessTokenEx + 8 00000000779f1618 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile 00000000779f1640 7 bytes [48, B8, 3C, 0D, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenFile + 8 00000000779f1648 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile 00000000779f16e0 7 bytes [48, B8, 70, 0D, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryAttributesFile + 8 00000000779f16e8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile 00000000779f1860 7 bytes [48, B8, C8, 0C, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtCreateFile + 8 00000000779f1868 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken 00000000779f22d0 7 bytes [48, B8, B8, 0F, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenProcessToken + 8 00000000779f22d8 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread 00000000779f2320 7 bytes [48, B8, 70, 0F, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtOpenThread + 8 00000000779f2328 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile 00000000779f2470 7 bytes [48, B8, 84, 0D, 42, 3F, 01] .text C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] C:\Windows\SYSTEM32\ntdll.dll!NtQueryFullAttributesFile + 8 00000000779f2478 6 bytes {ADD [RAX], AL; JMP RAX} .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\kernel32.dll!K32GetMappedFileNameW 00000000778bf010 5 bytes JMP 000000006fff0148 .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\kernel32.dll!K32EnumProcessModulesEx 00000000778e99f0 7 bytes JMP 000000006fff00d8 .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\kernel32.dll!K32GetModuleInformation 00000000778f9510 5 bytes JMP 000000006fff0180 .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\kernel32.dll!K32GetModuleFileNameExW 00000000778f9680 5 bytes JMP 000000006fff0110 .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\kernel32.dll!RegSetValueExA 000000007791a530 7 bytes JMP 000000006fff01b8 .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleW 000007fefdbb40b0 7 bytes JMP 000007fefdba00d8 .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\KERNELBASE.dll!LoadLibraryExW 000007fefdbb9ec0 7 bytes JMP 000007fefdba0148 .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\KERNELBASE.dll!FreeLibrary 000007fefdbbaea0 5 bytes JMP 000007fefdba0180 .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\KERNELBASE.dll!GetModuleHandleExW 000007fefdbbb040 5 bytes JMP 000007fefdba0110 .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\GDI32.dll!D3DKMTQueryAdapterInfo 000007fefec089e0 8 bytes JMP 000007fefdba01f0 .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\GDI32.dll!D3DKMTGetDisplayModeList 000007fefec0be40 8 bytes JMP 000007fefdba01b8 .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\ole32.dll!CoCreateInstance 000007fefea17490 11 bytes JMP 000007fefdba0228 .text C:\Program Files\WinRAR\WinRAR.exe[4084] C:\Windows\system32\ole32.dll!CoSetProxyBlanket 000007fefea2bf00 7 bytes JMP 000007fefdba0260 .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\kernel32.dll!RegSetValueExA 0000000076731441 7 bytes JMP 000000006e6b128f .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\kernel32.dll!K32GetModuleFileNameExW 000000007674b23b 5 bytes JMP 000000006e6b159b .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\kernel32.dll!K32EnumProcessModulesEx 00000000767c88ec 7 bytes JMP 000000006e6b1339 .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\kernel32.dll!K32GetModuleInformation 00000000767c8971 5 bytes JMP 000000006e6b16b8 .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\kernel32.dll!K32GetMappedFileNameW 00000000767c8cc7 5 bytes JMP 000000006e6b101e .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleW 0000000077241094 5 bytes JMP 000000006e6b11d1 .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\KERNELBASE.dll!GetModuleHandleExW 0000000077241142 5 bytes JMP 000000006e6b1019 .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW 0000000077241bb2 5 bytes JMP 000000006e6b154b .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\KERNELBASE.dll!FreeLibrary 0000000077241d92 5 bytes JMP 000000006e6b1276 .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\GDI32.dll!D3DKMTGetDisplayModeList 000000007731e9a2 5 bytes JMP 000000006e6b15b4 .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\GDI32.dll!D3DKMTQueryAdapterInfo 000000007731ebdc 5 bytes JMP 000000006e6b119a .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\ole32.dll!CoSetProxyBlanket 00000000758b5ea5 5 bytes JMP 000000006e6b15e6 .text D:\Download\2u41nlnt.exe[3192] C:\Windows\syswow64\ole32.dll!CoCreateInstance 00000000758e9d0b 5 bytes JMP 000000006e6b122b ---- User IAT/EAT - GMER 2.2 ---- IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3284] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feeb717598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3284] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feeb717cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3284] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feeb717f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3284] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feeb717d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[3284] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feea8d2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1936] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feeb717598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1936] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feeb717cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1936] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feeb717f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1936] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feeb717d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[1936] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feea8d2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!CloseServiceHandle] [7feeb717598] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenSCManagerW] [7feeb717cf8] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!StartServiceW] [7feeb717f4c] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] @ C:\Windows\system32\DWrite.dll[ADVAPI32.dll!OpenServiceW] [7feeb717d10] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll IAT C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2984] @ C:\Windows\system32\DWrite.dll[ntdll.dll!NtAlpcConnectPort] [7feea8d2164] C:\Program Files (x86)\Google\Chrome\Application\54.0.2840.99\chrome_child.dll ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AE69DCF7-ABEB-4021-AC34-DC378F59AE8B}@LeaseObtainedTime 1481010439 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AE69DCF7-ABEB-4021-AC34-DC378F59AE8B}@T1 1481053639 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AE69DCF7-ABEB-4021-AC34-DC378F59AE8B}@T2 1481086039 Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{AE69DCF7-ABEB-4021-AC34-DC378F59AE8B}@LeaseTerminatesTime 1481096839 ---- EOF - GMER 2.2 ----