GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-02-22 10:25:06
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\00000071 KINGSTON rev.600A 111,79GB
Running: g63jlt59.exe; Driver: C:\Users\Maciek\AppData\Local\Temp\kwrdrpog.sys

---- User code sections - GMER 2.2 ----

.text  C:\Program Files (x86)\GIGABYTE\Smart TimeLock\TimeMgmtDaemon.exe[1080]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ad1465 2 bytes [AD, 75]
.text  C:\Program Files (x86)\GIGABYTE\Smart TimeLock\TimeMgmtDaemon.exe[1080]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ad14bb 2 bytes [AD, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\NVIDIA Corporation\Update Core\NvBackend.exe[3548]  C:\Windows\syswow64\KERNELBASE.dll!LoadLibraryExW  0000000074a91bb2 5 bytes JMP 0000000000a08c60
.text  E:\Program Files (x86)\RPGVX\TortoiseSVN\bin\TSVNCache.exe[3748]  C:\Windows\system32\kernel32.dll!SetUnhandledExceptionFilter  0000000076ab9b70 3 bytes [33, C0, C3]
.text  C:\Program Files (x86)\Gigabyte\AppCenter\ApCent.exe[4056]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69  0000000075ad1465 2 bytes [AD, 75]
.text  C:\Program Files (x86)\Gigabyte\AppCenter\ApCent.exe[4056]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  0000000075ad14bb 2 bytes [AD, 75]
.text  ...  * 2
.text  C:\Program Files (x86)\Gigabyte\SIV\thermald.exe[4796]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 69  0000000075ad1465 2 bytes [AD, 75]
.text  C:\Program Files (x86)\Gigabyte\SIV\thermald.exe[4796]  C:\Windows\syswow64\psapi.dll!GetModuleInformation + 155  0000000075ad14bb 2 bytes [AD, 75]
.text  ...  * 2

---- Processes - GMER 2.2 ----

Library  C:\Program Files (x86)\ScreenShot\SSSvc.exe (*** suspicious ***) @ C:\Program Files (x86)\ScreenShot\SSSvc.exe [6468]  0000000001340000
Library  C:\Program Files (x86)\ScreenShot\MSVCP110.dll (*** suspicious ***) @ C:\Program Files (x86)\ScreenShot\SSSvc.exe [6468]  000000000f9a0000
Library  C:\Program Files (x86)\ScreenShot\MSVCR110.dll (*** suspicious ***) @ C:\Program Files (x86)\ScreenShot\SSSvc.exe [6468]  000000000f650000
Library  C:\Program Files (x86)\ScreenShot\SSCommon.dll (*** suspicious ***) @ C:\Program Files (x86)\ScreenShot\SSSvc.exe [6468]  00000000510e0000
Library  C:\Users\Maciek\AppData\Local\Temp\nsm8D81.tmp\UninstHlp.dll (*** suspicious ***) @ C:\Users\Maciek\AppData\Local\Temp\~nsu.tmp\Au_.exe [3296]  000000000fc50000
Library  C:\Users\Maciek\AppData\Local\Temp\nsm8D81.tmp\Lang\ENU.dll (*** suspicious ***) @ C:\Users\Maciek\AppData\Local\Temp\~nsu.tmp\Au_.exe [3296]  0000000077160000
Library  C:\Users\Maciek\AppData\Local\Temp\nsm8D81.tmp\Lang\PLK.dll (*** suspicious ***) @ C:\Users\Maciek\AppData\Local\Temp\~nsu.tmp\Au_.exe [3296]  0000000077130000
Library  C:\Users\Maciek\AppData\Local\Temp\nsm8D81.tmp\InstallOptions.dll (*** suspicious ***) @ C:\Users\Maciek\AppData\Local\Temp\~nsu.tmp\Au_.exe [3296]  0000000010000000
Library  C:\Users\Maciek\AppData\Local\Temp\nsm8D81.tmp\System.dll (*** suspicious ***) @ C:\Users\Maciek\AppData\Local\Temp\~nsu.tmp\Au_.exe [3296]  0000000002c10000

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations
  [binary value; the bytes did not survive extraction. Readable fragments, in order: HID\VID_04D9&PID_A067&REV_0106&MI_01&Col02, HID\VID_04D9&PID_A067&MI_01&Col02, HID_DEVICE_SYSTEM_CONTROL, HID_DEVICE_UP:0001_U:0080, HID_DEVICE, {4d36e97d-e325-11ce-bfc1-08002be10318}\0044, @input.inf,%stdmfg%;(Standardowe urządzenia systemowe), @%systemroot%\system32\rascfg.dll,-32002, Sterownik magistrali programowej, Verbatim STORE N GO USB Device, @volsnap.inf,%storage\volumesnapshot.devicedesc%;Rodzajowa kopia w tle woluminów]
Reg  HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14877526711342286@SetupOperations
  [binary value; the bytes did not survive extraction. Readable fragments, in order: PCStandard, 3-30-2014, disk.inf, disk_install, Microsoft, 9xxxx, oem12.inf, IUsb3HubModel, NVIDIA]
Reg  HKLM\SYSTEM\CurrentControlSet\services\aswRvrt\Parameters\Instup_14877526850492286@SetupOperations
  [binary value; the bytes did not survive extraction. Readable fragments, in order: DAEMON Tools Lite Virtual SCSI Bus, {533c5b84-ec70-11d2 (truncated in the source)]
Reg  HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14833950798732280@SetupOperations
  [binary value; the bytes did not survive extraction. Readable fragments, in order: {745a17a0-74d3-11d0-b6fe-00a0c90f57da}\0025, {533c5b84-ec70-11d2-9505-00c04f79deaf}\0015, v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=17|LPort=47995|LPort=47998|LPort=47999|LPort=48000|LPort=48010|App=C:\Program Files\NVIDIA Corporation\NvStreamSrv\nvstreamer.exe|Name=SHIELD Streaming NvStreamer UDP Exception|Desc=UDP exceptions for SHIELD Streaming NvStreamer (RTSP/RI/A/V)|, v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Public|App=C:\Users\Maciek\AppData\Roaming\uTorrent\uTorrent.exe|Name=µTorrent (Maciek)|]
Reg  HKLM\SYSTEM\ControlSet002\services\aswRvrt\Parameters\Instup_14833952338932280@SetupOperations
  [binary value; the bytes did not survive extraction. Readable fragments, in order: 6.1.7601.17514, generic_hid_device, Urządzenie wejściowe USB, \\?\USB#VID_0000&PID_3821#5&2b9922dd&0&12#{a5dcbf10-6530-11d2-901f-00c04fb951ed}, {69e56652-21ce-11e6-9ab4-806e6f6e6963}, {4d36e96f-e325-11ce-bfc1-08002be10318}, USB\VID_0930&PID_6545&REV_0100, USB\ (truncated in the source)]

---- EOF - GMER 2.2 ----