GMER 2.1.19163 - http://www.gmer.net Rootkit scan 2013-06-09 12:18:31 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 TOSHIBA_ rev.GJ00 596,17GB Running: 7j3osi1i.exe; Driver: C:\Users\Krzysiek\AppData\Local\Temp\axrdrpoc.sys ---- User code sections - GMER 2.1 ---- .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1904] C:\windows\SysWOW64\ntdll.dll!NtQueryValueKey 0000000077b1fa88 5 bytes JMP 000000017507139e .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1904] C:\windows\SysWOW64\ntdll.dll!NtProtectVirtualMemory 0000000077b20018 5 bytes JMP 0000000175071a54 .text C:\Program Files (x86)\Kaspersky Lab\Kaspersky Internet Security 2013\avp.exe[1904] C:\windows\syswow64\user32.dll!DialogBoxParamW 0000000076fbcfca 5 bytes JMP 0000000174dc4720 .text C:\windows\SysWOW64\svchost.exe[2004] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076fbcfca 5 bytes JMP 0000000174dc4720 .text C:\windows\SysWOW64\svchost.exe[2004] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f21465 2 bytes [F2, 76] .text C:\windows\SysWOW64\svchost.exe[2004] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f214bb 2 bytes [F2, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1572] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076fbcfca 5 bytes JMP 0000000174dc4720 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1572] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f21465 2 bytes [F2, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\LMS\LMS.exe[1572] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f214bb 2 bytes [F2, 76] .text ... * 2 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2276] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076fbcfca 5 bytes JMP 0000000174dc4720 .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2276] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f21465 2 bytes [F2, 76] .text C:\Program Files (x86)\NVIDIA Corporation\NVIDIA Updatus\daemonu.exe[2276] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f214bb 2 bytes [F2, 76] .text ... * 2 .text C:\ProgramData\DatacardService\DCSHelper.exe[2784] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076fbcfca 5 bytes JMP 0000000174dc4720 .text C:\ProgramData\DatacardService\DCSHelper.exe[2784] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f21465 2 bytes [F2, 76] .text C:\ProgramData\DatacardService\DCSHelper.exe[2784] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f214bb 2 bytes [F2, 76] .text ... * 2 .text C:\windows\SysWOW64\vmnat.exe[2852] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076fbcfca 5 bytes JMP 0000000174dc4720 .text C:\windows\SysWOW64\vmnat.exe[2852] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 26 00000000714513c6 2 bytes [45, 71] .text C:\windows\SysWOW64\vmnat.exe[2852] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 74 00000000714513f6 2 bytes [45, 71] .text C:\windows\SysWOW64\vmnat.exe[2852] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 257 00000000714514ad 2 bytes [45, 71] .text C:\windows\SysWOW64\vmnat.exe[2852] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathW + 303 00000000714514db 2 bytes [45, 71] .text ... * 2 .text C:\windows\SysWOW64\vmnat.exe[2852] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 79 0000000071451577 2 bytes [45, 71] .text C:\windows\SysWOW64\vmnat.exe[2852] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 175 00000000714515d7 2 bytes [45, 71] .text C:\windows\SysWOW64\vmnat.exe[2852] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 620 0000000071451794 2 bytes [45, 71] .text C:\windows\SysWOW64\vmnat.exe[2852] C:\windows\SysWOW64\SHFOLDER.dll!SHGetFolderPathA + 921 00000000714518c1 2 bytes [45, 71] .text C:\windows\SysWOW64\vmnat.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f21465 2 bytes [F2, 76] .text C:\windows\SysWOW64\vmnat.exe[2852] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f214bb 2 bytes [F2, 76] .text ... * 2 .text C:\Program Files (x86)\Yontoo\Y2Desktop.Updater.exe[2812] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076fbcfca 5 bytes JMP 0000000174dc4720 .text C:\Program Files (x86)\Yontoo\Y2Desktop.Updater.exe[2812] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f21465 2 bytes [F2, 76] .text C:\Program Files (x86)\Yontoo\Y2Desktop.Updater.exe[2812] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f214bb 2 bytes [F2, 76] .text ... * 2 .text C:\windows\SysWOW64\vmnetdhcp.exe[3392] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076fbcfca 5 bytes JMP 0000000174dc4720 .text C:\windows\SysWOW64\vmnetdhcp.exe[3392] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f21465 2 bytes [F2, 76] .text C:\windows\SysWOW64\vmnetdhcp.exe[3392] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f214bb 2 bytes [F2, 76] .text ... * 2 .text C:\Users\Krzysiek\AppData\Roaming\Yontoo\YontooDesktop.exe[2040] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076fbcfca 5 bytes JMP 0000000174dc4720 .text C:\Users\Krzysiek\AppData\Roaming\Yontoo\YontooDesktop.exe[2040] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f21465 2 bytes [F2, 76] .text C:\Users\Krzysiek\AppData\Roaming\Yontoo\YontooDesktop.exe[2040] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f214bb 2 bytes [F2, 76] .text ... * 2 .text C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe[4676] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076fbcfca 5 bytes JMP 0000000174dc4720 .text C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe[4676] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f21465 2 bytes [F2, 76] .text C:\Program Files (x86)\TOSHIBA\TRCMan\TRCMan.exe[4676] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f214bb 2 bytes [F2, 76] .text ... * 2 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076fbcfca 5 bytes JMP 0000000174dc4720 .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f21465 2 bytes [F2, 76] .text C:\Program Files (x86)\Intel\Intel(R) Management Engine Components\UNS\UNS.exe[5972] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f214bb 2 bytes [F2, 76] .text ... * 2 .text C:\Users\Krzysiek\Downloads\7j3osi1i.exe[5408] C:\windows\syswow64\USER32.dll!DialogBoxParamW 0000000076fbcfca 5 bytes JMP 0000000174dc4720 .text C:\Users\Krzysiek\Downloads\7j3osi1i.exe[5408] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 69 0000000076f21465 2 bytes [F2, 76] .text C:\Users\Krzysiek\Downloads\7j3osi1i.exe[5408] C:\windows\syswow64\PSAPI.DLL!GetModuleInformation + 155 0000000076f214bb 2 bytes [F2, 76] .text ... * 2 ---- Kernel IAT/EAT - GMER 2.1 ---- IAT C:\windows\System32\win32k.sys[ntoskrnl.exe!KeUserModeCallback] [fffff8800492dd18] \SystemRoot\system32\DRIVERS\klif.sys [PAGE] ---- EOF - GMER 2.1 ----