GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2017-03-17 10:07:29
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ST964032 rev.0002 596,17GB
Running: 5umit50q.exe; Driver: C:\Users\Piotr\AppData\Local\Temp\awddrkog.sys

---- User code sections - GMER 2.2 ----

.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077befac8 5 bytes JMP 000000006e0b33e0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077befc40 5 bytes JMP 000000006e0b2800
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077befe04 5 bytes JMP 000000006e0b26a0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077befe98 5 bytes JMP 000000006e0b2bd0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077beff64 5 bytes JMP 000000006e0b2a90
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077bf0058 5 bytes JMP 000000006e0b2990
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bf078c 5 bytes JMP 000000006e0b2d10
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bf0864 5 bytes JMP 000000006e0b2f90
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077bf090c 5 bytes JMP 000000006e0b3210
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077bf1068 5 bytes JMP 000000006e0b2e50
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077bf10e0 5 bytes JMP 000000006e0b30d0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077c096ef 5 bytes JMP 000000006e0b3370
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\ATKOSD.exe[5888] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077c8fded 5 bytes JMP 000000006e0b32a0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077befac8 5 bytes JMP 000000006e0b33e0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077befc40 5 bytes JMP 000000006e0b2800
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077befe04 5 bytes JMP 000000006e0b26a0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077befe98 5 bytes JMP 000000006e0b2bd0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077beff64 5 bytes JMP 000000006e0b2a90
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077bf0058 5 bytes JMP 000000006e0b2990
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bf078c 5 bytes JMP 000000006e0b2d10
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bf0864 5 bytes JMP 000000006e0b2f90
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077bf090c 5 bytes JMP 000000006e0b3210
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077bf1068 5 bytes JMP 000000006e0b2e50
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077bf10e0 5 bytes JMP 000000006e0b30d0
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077c096ef 5 bytes JMP 000000006e0b3370
.text C:\Program Files (x86)\ASUS\ATK Package\ATK Hotkey\WDC.exe[5820] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077c8fded 5 bytes JMP 000000006e0b32a0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077befac8 5 bytes JMP 000000006e0b33e0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077befc40 5 bytes JMP 000000006e0b2800
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077befe04 5 bytes JMP 000000006e0b26a0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077befe98 5 bytes JMP 000000006e0b2bd0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077beff64 5 bytes JMP 000000006e0b2a90
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077bf0058 5 bytes JMP 000000006e0b2990
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bf078c 5 bytes JMP 000000006e0b2d10
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bf0864 5 bytes JMP 000000006e0b2f90
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077bf090c 5 bytes JMP 000000006e0b3210
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077bf1068 5 bytes JMP 000000006e0b2e50
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077bf10e0 5 bytes JMP 000000006e0b30d0
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077c096ef 5 bytes JMP 000000006e0b3370
.text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5792] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077c8fded 5 bytes JMP 000000006e0b32a0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077a15b30 5 bytes JMP 00000000000205f0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077a414a0 5 bytes JMP 0000000000020678
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077a41590 5 bytes JMP 00000000000200a0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077a416b0 5 bytes JMP 0000000000020018
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077a41710 5 bytes JMP 00000000000203d0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077a41790 5 bytes JMP 00000000000201b0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!NtResumeThread 0000000077a41830 5 bytes JMP 0000000000020128
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077a41ce0 5 bytes JMP 0000000000020238
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077a41d70 5 bytes JMP 00000000000202c0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077a41de0 5 bytes JMP 0000000000020348
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077a422a0 5 bytes JMP 0000000000020458
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077a422f0 5 bytes JMP 00000000000204e0
.text C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe[5232] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077a975b0 5 bytes JMP 0000000000020568
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077befac8 5 bytes JMP 000000006e0b33e0
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077befc40 5 bytes JMP 000000006e0b2800
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077befe04 5 bytes JMP 000000006e0b26a0
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077befe98 5 bytes JMP 000000006e0b2bd0
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077beff64 5 bytes JMP 000000006e0b2a90
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtResumeThread 0000000077bf0058 5 bytes JMP 000000006e0b2990
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077bf078c 5 bytes JMP 000000006e0b2d10
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077bf0864 5 bytes JMP 000000006e0b2f90
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077bf090c 5 bytes JMP 000000006e0b3210
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077bf1068 5 bytes JMP 000000006e0b2e50
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077bf10e0 5 bytes JMP 000000006e0b30d0
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077c096ef 5 bytes JMP 000000006e0b3370
.text C:\Windows\SysWOW64\ctfmon.exe[5184] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077c8fded 5 bytes JMP 000000006e0b32a0

---- Kernel IAT/EAT - GMER 2.2 ----

IAT C:\Windows\system32\DRIVERS\CLASSPNP.SYS[ntoskrnl.exe!IofCallDriver] [fffff880044e0028] \SystemRoot\system32\drivers\avgSP.sys [unknown section]

---- Registry - GMER 2.2 ----

Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ????????192.168.0.1??????????????????????????$???&???????????????????????????????????????????????????????????????????&?&?&??????????????????? ?????????????????????3????????????????????192.168.0.1?????192.168.0.1?????????.NTAMD64?l???????????????????????~???~??? ?????????????????????,????????N????????????????&???????????????e???????&??Tcpip???????????????????????????????????????????????????????????????????????????????????????????????????????????????? ??^_??????????y??????????????????????????????????????????????????????l????? ??LM??????????y???????????????????????????????? ??????????????e?????????????????????e???????????????????????????????????????????????????L??,???/??????????Microsoft???????????????????????? ??????????????1???? ??????????????2???????????????????????s????????????????????????????????????????????????????????;??????????????????????????????????e??????????????????????????????????????????n????????@????????????????????????,???8?????????S????? 6??,???????????????????????????????????????:?????????????
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c4bd610429e
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1c4bd610429e@70f9271cd5a9 0x88 0xCC 0x22 0xAE ...
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c4bd610429e (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1c4bd610429e@70f9271cd5a9 0x88 0xCC 0x22 0xAE ...

---- EOF - GMER 2.2 ----