GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2014-05-07 11:06:30 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000036 WDC_WD1002FAEX-00Y9A0 rev.05.01D05 931,51GB Running: b3m3r201.exe; Driver: C:\Users\Michal\AppData\Local\Temp\axdcipog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\Windows\System32\win32k.sys!W32pServiceTable fffff9600023fe00 7 bytes [00, 77, 82, 01, 00, 57, F2] .text C:\Windows\System32\win32k.sys!W32pServiceTable + 8 fffff9600023fe08 7 bytes [01, 42, C0, FF, 00, 17, DB] ---- User code sections - GMER 2.1 ---- .text C:\Windows\System32\dwm.exe[1948] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb5a59177a 4 bytes [59, 5A, FB, 07] .text C:\Windows\System32\dwm.exe[1948] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb5a591782 4 bytes [59, 5A, FB, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5848] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fb55031532 4 bytes [03, 55, FB, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5848] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fb5503153a 4 bytes [03, 55, FB, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvxdsync.exe[5848] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fb5503165a 4 bytes [03, 55, FB, 07] .text C:\Windows\system32\nvvsvc.exe[248] C:\Windows\system32\MSIMG32.dll!GradientFill + 690 000007fb55031532 4 bytes [03, 55, FB, 07] .text C:\Windows\system32\nvvsvc.exe[248] C:\Windows\system32\MSIMG32.dll!GradientFill + 698 000007fb5503153a 4 bytes [03, 55, FB, 07] .text C:\Windows\system32\nvvsvc.exe[248] C:\Windows\system32\MSIMG32.dll!TransparentBlt + 246 000007fb5503165a 4 bytes [03, 55, FB, 07] .text C:\Windows\system32\nvvsvc.exe[248] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb5a59177a 4 bytes [59, 5A, FB, 07] .text C:\Windows\system32\nvvsvc.exe[248] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb5a591782 4 bytes [59, 5A, FB, 07] .text C:\Windows\system32\taskhostex.exe[3024] C:\Windows\system32\ws2_32.dll!getsockname 000007fb57b32f40 6 bytes {JMP QWORD [RIP-0x7fee2ede]} .text C:\Windows\system32\taskhostex.exe[3024] C:\Windows\system32\ws2_32.dll!connect + 1 000007fb57b34941 5 bytes {JMP QWORD [RIP-0x7fef490e]} .text C:\Windows\system32\taskhostex.exe[3024] C:\Windows\system32\ws2_32.dll!getpeername 000007fb57b460c0 6 bytes {JMP QWORD [RIP-0x7fef602e]} .text C:\Windows\system32\taskhostex.exe[3024] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fb57b476e0 6 bytes {JMP QWORD [RIP-0x7fef76ae]} .text C:\Windows\Explorer.EXE[5220] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb5a59177a 4 bytes [59, 5A, FB, 07] .text C:\Windows\Explorer.EXE[5220] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb5a591782 4 bytes [59, 5A, FB, 07] .text C:\Windows\Explorer.EXE[5220] C:\Windows\system32\WS2_32.dll!getsockname 000007fb57b32f40 6 bytes {JMP QWORD [RIP-0x7fee2ede]} .text C:\Windows\Explorer.EXE[5220] C:\Windows\system32\WS2_32.dll!connect + 1 000007fb57b34941 5 bytes {JMP QWORD [RIP-0x7fef490e]} .text C:\Windows\Explorer.EXE[5220] C:\Windows\system32\WS2_32.dll!getpeername 000007fb57b460c0 6 bytes {JMP QWORD [RIP-0x7fef602e]} .text C:\Windows\Explorer.EXE[5220] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fb57b476e0 6 bytes {JMP QWORD [RIP-0x7fef76ae]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2932] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 690 000007fb55031532 4 bytes [03, 55, FB, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2932] C:\Windows\SYSTEM32\MSIMG32.dll!GradientFill + 698 000007fb5503153a 4 bytes [03, 55, FB, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2932] C:\Windows\SYSTEM32\MSIMG32.dll!TransparentBlt + 246 000007fb5503165a 4 bytes [03, 55, FB, 07] .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2932] C:\Windows\system32\WS2_32.dll!getsockname 000007fb57b32f40 6 bytes {JMP QWORD [RIP-0x7fee2ede]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2932] C:\Windows\system32\WS2_32.dll!connect + 1 000007fb57b34941 5 bytes {JMP QWORD [RIP-0x7fef490e]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2932] C:\Windows\system32\WS2_32.dll!getpeername 000007fb57b460c0 6 bytes {JMP QWORD [RIP-0x7fef602e]} .text C:\Program Files\NVIDIA Corporation\Display\nvtray.exe[2932] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fb57b476e0 6 bytes {JMP QWORD [RIP-0x7fef76ae]} .text C:\Windows\ImmersiveControlPanel\SystemSettings.exe[5908] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 306 000007fb5a59177a 4 bytes [59, 5A, FB, 07] .text C:\Windows\ImmersiveControlPanel\SystemSettings.exe[5908] C:\Windows\system32\PSAPI.DLL!GetProcessImageFileNameA + 314 000007fb5a591782 4 bytes [59, 5A, FB, 07] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2800] C:\Windows\system32\WS2_32.dll!getsockname 000007fb57b32f40 6 bytes {JMP QWORD [RIP-0x7fee2ede]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2800] C:\Windows\system32\WS2_32.dll!connect + 1 000007fb57b34941 5 bytes {JMP QWORD [RIP-0x7fef490e]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2800] C:\Windows\system32\WS2_32.dll!getpeername 000007fb57b460c0 6 bytes {JMP QWORD [RIP-0x7fef602e]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2800] C:\Windows\system32\WS2_32.dll!WSAConnect 000007fb57b476e0 6 bytes {JMP QWORD [RIP-0x7fef76ae]} .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2800] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 690 000007fb55031532 4 bytes [03, 55, FB, 07] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2800] C:\Windows\SYSTEM32\msimg32.dll!GradientFill + 698 000007fb5503153a 4 bytes [03, 55, FB, 07] .text C:\Program Files\ESET\ESET Smart Security\egui.exe[2800] C:\Windows\SYSTEM32\msimg32.dll!TransparentBlt + 246 000007fb5503165a 4 bytes [03, 55, FB, 07] .text C:\Windows\System32\svchost.exe[1772] c:\windows\system32\WSOCK32.dll!recvfrom + 742 000007fb50971b32 4 bytes [97, 50, FB, 07] .text C:\Windows\System32\svchost.exe[1772] c:\windows\system32\WSOCK32.dll!recvfrom + 750 000007fb50971b3a 4 bytes [97, 50, FB, 07] .text C:\Windows\system32\NOTEPAD.EXE[5568] C:\Windows\system32\ws2_32.dll!getsockname 000007fb57b32f40 6 bytes {JMP QWORD [RIP-0x7fee2ede]} .text C:\Windows\system32\NOTEPAD.EXE[5568] C:\Windows\system32\ws2_32.dll!connect + 1 000007fb57b34941 5 bytes {JMP QWORD [RIP-0x7fef490e]} .text C:\Windows\system32\NOTEPAD.EXE[5568] C:\Windows\system32\ws2_32.dll!getpeername 000007fb57b460c0 6 bytes {JMP QWORD [RIP-0x7fef602e]} .text C:\Windows\system32\NOTEPAD.EXE[5568] C:\Windows\system32\ws2_32.dll!WSAConnect 000007fb57b476e0 6 bytes {JMP QWORD [RIP-0x7fef76ae]} ---- Threads - GMER 2.1 ---- Thread System [4:880] fffffa80092e7eb0 Thread C:\Windows\system32\csrss.exe [4568:4100] fffff960008245e8 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed -432291506 ---- EOF - GMER 2.1 ----