GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2014-07-22 18:56:53
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 ADATA_SP rev.5.0. 238,47GB
Running: 9vxcdhze.exe; Driver: C:\Users\SIWY\AppData\Local\Temp\kwldypob.sys


---- User code sections - GMER 2.1 ----

.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69        0000000076841465 2 bytes [84, 76]
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155       00000000768414bb 2 bytes [84, 76]
.text   ...                                                                                                                      * 2
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5        000000007784f9b1 7 bytes {MOV EDX, 0xc88a28; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadToken + 5             000000007784fbf5 7 bytes {MOV EDX, 0xc88a68; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5                 000000007784fc25 7 bytes {MOV EDX, 0xc889a8; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationFile + 5          000000007784fc3d 7 bytes {MOV EDX, 0xc88928; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5            000000007784fc55 7 bytes {MOV EDX, 0xc88b28; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtUnmapViewOfSection + 5          000000007784fc85 7 bytes {MOV EDX, 0xc88b68; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtOpenThreadTokenEx + 5           000000007784fd05 7 bytes {MOV EDX, 0xc88ae8; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessTokenEx + 5          000000007784fd1d 7 bytes {MOV EDX, 0xc88aa8; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtOpenFile + 5                    000000007784fd69 7 bytes {MOV EDX, 0xc88868; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtQueryAttributesFile + 5         000000007784fe61 7 bytes {MOV EDX, 0xc888a8; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5                  00000000778500b9 7 bytes {MOV EDX, 0xc88828; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcessToken + 5            00000000778510c5 7 bytes {MOV EDX, 0xc889e8; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtOpenThread + 5                  000000007785113d 7 bytes {MOV EDX, 0xc88968; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtQueryFullAttributesFile + 5     0000000077851341 7 bytes {MOV EDX, 0xc888e8; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69        0000000076841465 2 bytes [84, 76]
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155       00000000768414bb 2 bytes [84, 76]
.text   ...                                                                                                                      * 2

---- Processes - GMER 2.1 ----

Library C:\Users\SIWY\AppData\Local\Pokki\Engine\libPokki.dll (*** suspicious ***) @ C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe [1468] (Chromium/The Chromium Authors)(2013-12-05 18:21:02)   0000000070a00000
Library C:\Users\SIWY\AppData\Local\Pokki\Engine\icudt.dll (*** suspicious ***) @ C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe [1468] (ICU Data DLL/The ICU Project)(2013-09-07 02:11:12)       000000006fa90000
Library C:\Users\SIWY\AppData\Local\Pokki\Engine\libPokki.dll (*** suspicious ***) @ C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe [1844] (Chromium/The Chromium Authors)(2013-12-05 18:21:02)   0000000070a00000
Library C:\Users\SIWY\AppData\Local\Pokki\Engine\icudt.dll (*** suspicious ***) @ C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe [1844] (ICU Data DLL/The ICU Project)(2013-09-07 02:11:12)       000000006fa90000
Library C:\Users\SIWY\AppData\Local\Pokki\Engine\ppGoogleNaClPluginChrome.dll (*** suspicious ***) @ C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe [1844](2013-09-07 02:11:12)                   0000000075170000
Library C:\Users\SIWY\AppData\Local\Pokki\Engine\avcodec-54.dll (*** suspicious ***) @ C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe [1844](2013-09-07 02:11:12)                                 0000000074f60000
Library C:\Users\SIWY\AppData\Local\Pokki\Engine\avutil-51.dll (*** suspicious ***) @ C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe [1844](2013-09-07 02:11:12)                                  0000000074f30000
Library C:\Users\SIWY\AppData\Local\Pokki\Engine\avformat-54.dll (*** suspicious ***) @ C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe [1844](2013-09-07 02:11:12)                                0000000074ef0000

---- Registry - GMER 2.1 ----

Reg     HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@Last Counter   7918
Reg     HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@Last Help      7919
Reg     HKLM\SYSTEM\CurrentControlSet\services\WmiApRpl\Performance@Object List    7740 7746 7758 7768 7778 7798 7842 7852 7890 7896 7912

---- Files - GMER 2.1 ----

File    C:\Users\SIWY\AppData\Local\Temp\tmpBED4.tmp   0 bytes

---- EOF - GMER 2.1 ----
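The "User code sections" entries above are GMER's record of in-memory patches: one line per patch, giving the process and PID, the patched export, the offset into it, the address, the patch length, and either the raw bytes or the instructions GMER decoded there. The Python script below is an added example for triaging such a log; it is not part of the GMER output and not GMER's own code, and the sample lines embedded in it are a constructed subset copied from the log above (paths, PIDs and addresses verbatim, the selection ours). It parses the entries, keeps the count GMER folds into ".text ... * N" lines, groups the patches per PID, and singles out the 7-byte "MOV EDX, imm32; JMP RDX" trampolines written at offset 5 of 32-bit ntdll Nt* stubs, which is the byte directly after the 5-byte "mov eax, <syscall number>" that opens every WOW64 Nt* stub. It also measures how far apart the trampoline targets lie: in the full log all fourteen targets fall between 0xc88828 and 0xc88b68, the footprint of one hook engine rather than scattered patches. The log itself labels libPokki.dll as Chromium code, and GMER reports this same shape for Chromium's sandbox interceptions in chrome.exe renderer processes, so that is the hypothesis to check first; the script classifies, it does not give a verdict.

```python
"""Parser and triage helper for the 'User code sections' of a GMER 2.1 log.

Added example: not part of the log above and not GMER's own code. It parses

    .text <image>[<pid>] <module>!<symbol> + <offset> <address> <n> bytes <patch>

entries plus the '.text ... * N' elision lines, groups patches per process,
and flags 7-byte 'MOV EDX, imm32; JMP RDX' trampolines on ntdll Nt* stubs.
"""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample: a subset of the log's entries (values copied verbatim).
SAMPLE_LOG = r"""
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076841465 2 bytes [84, 76]
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1468] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 155  00000000768414bb 2 bytes [84, 76]
.text   ...                                                                                                                 * 2
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtSetInformationThread + 5   000000007784f9b1 7 bytes {MOV EDX, 0xc88a28; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtOpenProcess + 5            000000007784fc25 7 bytes {MOV EDX, 0xc889a8; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection + 5       000000007784fc55 7 bytes {MOV EDX, 0xc88b28; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\SysWOW64\ntdll.dll!NtCreateFile + 5             00000000778500b9 7 bytes {MOV EDX, 0xc88828; JMP RDX}
.text   C:\Users\SIWY\AppData\Local\Pokki\Engine\pokki.exe[1844] C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 69   0000000076841465 2 bytes [84, 76]
"""

ENTRY_RE = re.compile(
    r"^\.text\s+(?P<image>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<symbol>\w+)\s+\+\s+(?P<offset>\d+)\s+"
    r"(?P<address>[0-9a-fA-F]{8,16})\s+(?P<size>\d+)\s+bytes\s+(?P<patch>\S.*?)\s*$"
)
ELISION_RE = re.compile(r"^\.text\s+\.\.\.\s+\*\s+(?P<count>\d+)\s*$")
# GMER disassembles the 32-bit patch with a 64-bit decoder, hence 'JMP RDX'.
TRAMPOLINE_RE = re.compile(r"^\{MOV EDX, 0x(?P<target>[0-9a-fA-F]+); JMP RDX\}$")


@dataclass(frozen=True)
class Patch:
    image: str
    pid: int
    module: str
    symbol: str
    offset: int
    address: int
    size: int
    patch: str
    target: Optional[int]  # trampoline destination when the patch is MOV EDX/JMP RDX


def parse_entry(line: str) -> Optional[Patch]:
    """Parse one '.text' entry; return None for anything else."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    patch = m.group("patch")
    t = TRAMPOLINE_RE.match(patch)
    return Patch(m.group("image"), int(m.group("pid")), m.group("module"),
                 m.group("symbol"), int(m.group("offset")),
                 int(m.group("address"), 16), int(m.group("size")), patch,
                 int(t.group("target"), 16) if t else None)


def parse_user_code_sections(text: str) -> Tuple[List[Patch], int]:
    """Return (entries, elided): elided is the total N from '.text ... * N' lines,
    i.e. patches GMER counted but did not print."""
    entries: List[Patch] = []
    elided = 0
    for line in text.splitlines():
        e = ELISION_RE.match(line.rstrip())
        if e:
            elided += int(e.group("count"))
            continue
        p = parse_entry(line.rstrip())
        if p is not None:
            entries.append(p)
    return entries, elided


def syscall_stub_trampolines(entries: List[Patch]) -> List[Patch]:
    """Inline hooks on 32-bit ntdll Nt* stubs: a 7-byte 'mov edx, imm32; jmp edx'
    at offset 5, directly after the 5-byte 'mov eax, <syscall number>' that opens
    every WOW64 Nt* stub. Kept in log order."""
    return [p for p in entries
            if p.module.lower().endswith("ntdll.dll") and p.symbol.startswith("Nt")
            and p.offset == 5 and p.size == 7 and p.target is not None]


def summarize_by_pid(entries: List[Patch]) -> Dict[int, dict]:
    """Per process: hooked exports, trampoline count, and the distance between the
    lowest and highest trampoline target. One hook engine usually lands all of its
    thunks in one small allocation; widely scattered targets deserve a second look."""
    by_pid: Dict[int, List[Patch]] = defaultdict(list)
    for p in entries:
        by_pid[p.pid].append(p)
    summary: Dict[int, dict] = {}
    for pid, ps in by_pid.items():
        targets = sorted(p.target for p in ps if p.target is not None)
        summary[pid] = {
            "image": ps[0].image,
            "hooked": sorted({f"{p.module.rsplit(chr(92), 1)[-1]}!{p.symbol}" for p in ps}),
            "trampolines": len(targets),
            "target_span": (targets[-1] - targets[0]) if targets else 0,
            "all_at_offset_5": bool(targets) and all(p.offset == 5 for p in ps if p.target is not None),
        }
    return summary


if __name__ == "__main__":
    found, folded = parse_user_code_sections(SAMPLE_LOG)
    for pid, info in sorted(summarize_by_pid(found).items()):
        print(f"PID {pid} ({info['image']}): {len(info['hooked'])} hooked exports, "
              f"{info['trampolines']} trampolines spanning {info['target_span']:#x} bytes")
    for p in syscall_stub_trampolines(found):
        print(f"  {p.symbol}+{p.offset} @ {p.address:#x} -> {p.target:#x}")
    print(f"  ({folded} entries folded by GMER into '.text ... * N' lines)")
```

Feed it the complete "User code sections" block instead of the embedded sample and the span for PID 1844 becomes 0x340 (0xc88b68 minus 0xc88828); the 2-byte PSAPI.DLL patches are listed per PID but never counted as trampolines, which keeps the two kinds of entry from being conflated.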