GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-09-18 23:16:19
Windows 6.2.9200 x64  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-5 SAMSUNG_HD502HI rev.1AG01118 465,76GB
Running: gmer.exe; Driver: C:\Users\Krzysiek\AppData\Local\Temp\pxldipog.sys

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\csrss.exe [612:700]  fffff960008152d0

---- EOF - GMER 2.1 ----


GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-09-18 23:54:46
Windows 6.2.9200 x64  \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP2T1L0-5 SAMSUNG_HD502HI rev.1AG01118 465,76GB
Running: gmer.exe; Driver: C:\Users\Krzysiek\AppData\Local\Temp\pxldipog.sys

---- User code sections - GMER 2.1 ----

.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort       00007ffed43f1280 5 bytes JMP 00007fff54520460
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject                00007ffed43f12d0 5 bytes JMP 00007fff54520450
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess                00007ffed43f1430 5 bytes JMP 00007fff54520370
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx     00007ffed43f1480 5 bytes JMP 00007fff54520470
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess           00007ffed43f1490 5 bytes JMP 00007fff545203e0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection                00007ffed43f1540 5 bytes JMP 00007fff54520320
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory         00007ffed43f1570 5 bytes JMP 00007fff545203b0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject            00007ffed43f1590 5 bytes JMP 00007fff54520390
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent                  00007ffed43f15d0 5 bytes JMP 00007fff545202e0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent                00007ffed43f1650 5 bytes JMP 00007fff545202d0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection              00007ffed43f1670 5 bytes JMP 00007fff54520310
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread               00007ffed43f16b0 5 bytes JMP 00007fff545203c0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread            00007ffed43f1700 5 bytes JMP 00007fff545203f0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry               00007ffed43f1860 5 bytes JMP 00007fff54520230
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort    00007ffed43f1a50 5 bytes JMP 00007fff54520480
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject   00007ffed43f1a80 5 bytes JMP 00007fff545203a0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair            00007ffed43f1ba0 5 bytes JMP 00007fff545202f0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion         00007ffed43f1bc0 1 byte JMP 00007fff54520350
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2     00007ffed43f1bc2 3 bytes {JMP 0xffffffff8012e790}
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant               00007ffed43f1c30 5 bytes JMP 00007fff54520290
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore            00007ffed43f1cc0 5 bytes JMP 00007fff545202b0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx             00007ffed43f1ce0 5 bytes JMP 00007fff545203d0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer                00007ffed43f1cf0 5 bytes JMP 00007fff54520330
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess         00007ffed43f1da0 5 bytes JMP 00007fff54520410
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry            00007ffed43f1dd0 5 bytes JMP 00007fff54520240
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver                 00007ffed43f20f0 5 bytes JMP 00007fff545201e0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry            00007ffed43f21b0 5 bytes JMP 00007fff54520250
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey            00007ffed43f21e0 5 bytes JMP 00007fff54520490
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys   00007ffed43f21f0 5 bytes JMP 00007fff545204a0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair              00007ffed43f2220 5 bytes JMP 00007fff54520300
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion           00007ffed43f2230 5 bytes JMP 00007fff54520360
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant                 00007ffed43f2290 5 bytes JMP 00007fff545202a0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore              00007ffed43f22e0 5 bytes JMP 00007fff545202c0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread                 00007ffed43f2310 5 bytes JMP 00007fff54520380
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer                  00007ffed43f2320 5 bytes JMP 00007fff54520340
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx           00007ffed43f2630 5 bytes JMP 00007fff54520440
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder          00007ffed43f2830 5 bytes JMP 00007fff54520260
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions             00007ffed43f2840 5 bytes JMP 00007fff54520270
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread           00007ffed43f2860 5 bytes JMP 00007fff54520400
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation       00007ffed43f2a40 5 bytes JMP 00007fff545201f0
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState        00007ffed43f2a50 5 bytes JMP 00007fff54520210
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem             00007ffed43f2ae0 5 bytes JMP 00007fff54520200
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess             00007ffed43f2b50 5 bytes JMP 00007fff54520420
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread              00007ffed43f2b60 5 bytes JMP 00007fff54520430
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl         00007ffed43f2b70 5 bytes JMP 00007fff54520220
.text  C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl                 00007ffed43f2c80 5 bytes JMP 00007fff54520280

---- Devices - GMER 2.1 ----

Device  \Driver\WudfPf  \Device\HostProcess-abfefa38-b93c-4e13-a0bb-578131f75369  fffff8011c058f10
Device  \Driver\WudfPf  \Device\WUDFLpcDevice                                     fffff8011c058f10
Device  \Driver\WudfPf  \Device\HostProcess-7d6d44c7-de0f-4c21-a6a9-2f0b76375f12  fffff8011c058f10
Device  \Driver\WudfRd  \Device\UMDFCtrlDev-de012c16-5e49-11e5-bf8f-5404a662fc66  fffff8011bfc66b0
Device  \Driver\WudfPf  \Device\HostProcess-55ae25f2-71c1-4b13-9df8-7788f40af0e0  fffff8011c058f10
Device  \Driver\WudfPf  \Device\HostProcess-9db32e55-363e-4ad3-acf2-8432d9501f74  fffff8011c058f10
Device  \Driver\WudfPf  \Device\ProcessManagement                                 fffff8011c058f10

---- Threads - GMER 2.1 ----

Thread  C:\WINDOWS\system32\csrss.exe [612:700]  fffff960008152d0

---- Registry - GMER 2.1 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control@LastBootShutdown  0
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemStartTime  0xE6 0x23 0x3B 0xFB ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData@SystemLastStartTime  0x06 0x52 0x58 0x72 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\CMF\SqmData\BootLanguages@pl-PL  169
Reg  HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\Configuration\IVM560F11011M9A01217_29_07D9_43^0D7977A94C264746D5E174FE8849F99E@Timestamp  0xC8 0x27 0xFB 0xFB ...
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Lsa@LsaPid  652
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations  (REG_MULTI_SZ; each source path below is followed by an empty target, i.e. delete at next boot)
       \??\C:\Users\Krzysiek\AppData\Local\Temp\nsy1F1E.tmp\
       \??\C:\WINDOWS\SysWOW64\ACTIVE_X
       \??\C:\ProgramData\Adobe\Setup\{AC76BA86-7AD7-1045-7B44-AB0000000001}
       \??\C:\WINDOWS\SysWOW64\ACTIVE_X
       \??\C:\Users\Krzysiek\AppData\Local\Temp\8C3E.tmp
       \??\C:\WINDOWS\TEMP\GoogleUpdate.exe442f23
       \??\C:\WINDOWS\TEMP\goopdate.dll442f81
       \??\C:\Users\Krzysiek\AppData\Local\Temp\~nsu.tmp\Au_.exe
       \??\C:\Users\Krzysiek\AppData\Local\Temp\~nsu.tmp
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Executive@UuidSequenceNumber  4521870
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Kernel\RNG@RNGAuxiliarySeed  -1693190142
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BootId  174
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\PrefetchParameters@BaseTime  453414799
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Power@POSTTime  13464
Reg  HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server@InstanceID  d6d3b59e-2bdd-43a9-be3f-1fea7e9
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\AITEventLog@FileCounter  2
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\SQMLogger@FileCounter  4
Reg  HKLM\SYSTEM\CurrentControlSet\Control\WMI\Autologger\WdiContextLog@FileCounter  3
Reg  HKLM\SYSTEM\CurrentControlSet\Services\aswRvrt\Parameters@BootCounter  48
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Dnscache\Parameters\Probe\{7e3ed0c1-84b4-423c-946d-768acc7701d5}@LastProbeTime  1442611296
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  Pt, wrz 18 15, 09:38:50  (pl-PL locale: Fri, Sep 18 2015, 09:38:50)
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  5504
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  3350
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-In  v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=6|Profile=Private|LPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-200|Desc=@%systemroot%\system32\provsvc.dll,-201|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-TCP3587-Out  v2.22|Action=Allow|Active=FALSE|Dir=Out|Protocol=6|Profile=Private|RPort=3587|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=p2psvc|Name=@%systemroot%\system32\provsvc.dll,-203|Desc=@%systemroot%\system32\provsvc.dll,-204|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-In  v2.22|Action=Allow|Active=FALSE|Dir=In|Protocol=17|Profile=Private|LPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-205|Desc=@%systemroot%\system32\provsvc.dll,-206|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\FirewallRules@Microsoft-Windows-HomeGroup-ProvSvc-UDP3540-Out  v2.22|Action=Allow|Active=FALSE|Dir=Out|Protocol=17|Profile=Private|RPort=3540|RA4=LocalSubnet|RA6=LocalSubnet|App=%systemroot%\system32\svchost.exe|Svc=pnrpsvc|Name=@%systemroot%\system32\provsvc.dll,-207|Desc=@%systemroot%\system32\provsvc.dll,-208|EmbedCtxt=@%systemroot%\system32\provsvc.dll,-202|
Reg  HKLM\SYSTEM\CurrentControlSet\Services\srvnet\Parameters@MajorSequence  171
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{24A66938-EEC2-4E8B-9D62-9B3E3C5C8926}@LeaseObtainedTime  1442603989
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{24A66938-EEC2-4E8B-9D62-9B3E3C5C8926}@T1  1442647189
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{24A66938-EEC2-4E8B-9D62-9B3E3C5C8926}@T2  1442679589
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{24A66938-EEC2-4E8B-9D62-9B3E3C5C8926}@LeaseTerminatesTime  1442690389
Reg  HKLM\SYSTEM\CurrentControlSet\Services\Winmgmt\Parameters@ServiceDllUnloadOnStop  0
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw  0x64 0x62 0x03 0x00 ...
Reg  HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask  0x64 0x62 0x03 0x00 ...

---- EOF - GMER 2.1 ----
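Triage note on the "User code sections" entries above, with an added example. The 46 ".text" lines record 5-byte inline JMP patches at the entry of ntdll.dll exports inside AUDIODG.EXE[3004]; every JMP target sits in the same 64 KiB range (0x7fff545201e0 to 0x7fff545204a0), roughly 2 GB away from ntdll itself, which is the signature of one user-mode hooking DLL rather than of 46 independent patches. The log does not name that DLL, so attribution needs the process's module list (the Registry section's Services\aswRvrt key is a service name Avast uses, but that alone does not prove the hooks are Avast's). The parser below is an added example written for this page, not GMER's code; it takes four lines copied from the log as a constructed sample, groups the hooks per process, clusters the JMP targets at 64 KiB granularity (an assumed heuristic: image mappings are 64 KiB aligned), flags targets farther than an assumed 64 MiB from the patched address as leaving the hooked module, and treats the "NtCreateIoCompletion + 2" line as the second half of one split entry, since GMER reports a patch as "1 byte JMP" followed by "3 bytes {JMP ...}" when the first byte disassembles on its own and the braces hold a disassembly of trailing bytes, not a second hook target.

```python
import re
from collections import defaultdict

# Constructed sample: four lines copied from the GMER "User code sections"
# output above. The last two show how GMER reports one 5-byte patch whose first
# byte disassembles on its own: "1 byte JMP" at +0, then "3 bytes {JMP ...}" at +2.
SAMPLE_LOG = r"""
.text C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ffed43f1430 5 bytes JMP 00007fff54520370
.text C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ffed43f1570 5 bytes JMP 00007fff545203b0
.text C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ffed43f1bc0 1 byte JMP 00007fff54520350
.text C:\WINDOWS\system32\AUDIODG.EXE[3004] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion + 2 00007ffed43f1bc2 3 bytes {JMP 0xffffffff8012e790}
"""

# One ".text" entry: process[pid], module!symbol [+ offset], address, byte count, patch text.
HOOK_RE = re.compile(
    r"^\.text\s+(?P<process>.+?)\[(?P<pid>\d+)\]\s+"
    r"(?P<module>\S+)!(?P<symbol>\S+)"
    r"(?:\s+\+\s+(?P<offset>\d+))?\s+"
    r"(?P<address>[0-9a-fA-F]{8,16})\s+(?P<size>\d+)\s+bytes?\s+"
    r"(?P<patch>.+?)\s*$"
)
JMP_RE = re.compile(r"JMP\s+(?:0x)?(?P<target>[0-9a-fA-F]+)", re.IGNORECASE)

REGION_SHIFT = 16           # assumed heuristic: group targets at 64 KiB, the image-mapping alignment
MAX_MODULE_SPAN = 64 << 20  # assumption: no system DLL spans 64 MiB, so a farther target is outside it


def parse_hooks(text):
    """Parse GMER 'User code sections' lines into dicts; lines of other kinds are skipped."""
    hooks = []
    for line in text.splitlines():
        m = HOOK_RE.match(line.strip())
        if not m:
            continue
        jmp = JMP_RE.search(m["patch"])
        address = int(m["address"], 16)
        target = int(jmp["target"], 16) if jmp else None
        hooks.append({
            "process": m["process"],
            "pid": int(m["pid"]),
            "module": m["module"].rsplit("\\", 1)[-1].lower(),
            "symbol": m["symbol"],
            "offset": int(m["offset"] or 0),
            "address": address,
            "size": int(m["size"]),
            "target": target,
            # a JMP landing farther away than any plausible module size leaves the hooked module
            "far": target is not None and abs(target - address) > MAX_MODULE_SPAN,
        })
    return hooks


def summarize(hooks):
    """Per process: hooked symbols, distinct 64 KiB target regions, far targets, split-entry fragments."""
    by_proc = defaultdict(lambda: {"symbols": set(), "target_regions": set(),
                                   "far_targets": 0, "fragments": 0})
    for h in hooks:
        s = by_proc[(h["process"], h["pid"])]
        if h["offset"]:
            # continuation of a patch already reported at +0; the "{JMP ...}" text is a
            # disassembly of the trailing bytes of that same instruction, not a second target
            s["fragments"] += 1
            continue
        s["symbols"].add(h["symbol"])
        if h["target"] is not None:
            s["target_regions"].add(h["target"] >> REGION_SHIFT)
        if h["far"]:
            s["far_targets"] += 1
    return dict(by_proc)


def assess(summary):
    """Turn the summary into (process, pid, hook count, target regions, verdict) rows."""
    rows = []
    for (proc, pid), s in sorted(summary.items()):
        regions = [hex(r << REGION_SHIFT) for r in sorted(s["target_regions"])]
        verdict = "single-target-module" if len(regions) == 1 else "multiple-target-modules"
        rows.append((proc, pid, len(s["symbols"]), regions, verdict))
    return rows


if __name__ == "__main__":
    for proc, pid, n, regions, verdict in assess(summarize(parse_hooks(SAMPLE_LOG))):
        print(f"{proc}[{pid}]: {n} hooked ntdll exports -> {regions} ({verdict})")
```

Run it over a whole GMER log (replace SAMPLE_LOG with the file contents) and a "single-target-module" verdict with a high hook count is the cue to resolve that region against the process's loaded modules on the live host before calling it benign or malicious. Two other entries in this log are not findings on their own: the "Driver:" line in the header is GMER's own temporary driver, and the Devices entries belong to Microsoft's user-mode driver framework (WudfPf and WudfRd).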