GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-10-20 14:50:12
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 ST500LM000-1EJ162 rev.DEM9 465,76GB
Running: 5znyowp4.exe; Driver: C:\Users\Piotrek\AppData\Local\Temp\kwdiipow.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\msiexec.exe[3352] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000076f0fc90 5 bytes JMP 000000007ef938b1
.text C:\Windows\SysWOW64\msiexec.exe[3352] C:\Windows\syswow64\ws2_32.dll!GetAddrInfoW 00000000766c4889 5 bytes JMP 00000001003e1370

---- Threads - GMER 2.1 ----

Thread C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe [3800:4836] 0000000002983e68
Thread C:\Windows\SysWOW64\msiexec.exe [3352:3608] 000000007ef9392e
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4460:1796] 000007fef52d2ae8
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4460:2528] 000007fee4e25648
Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [4460:3592] 000007fef8b75124

---- Processes - GMER 2.1 ----

Process C:\Users\Piotrek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe (*** suspicious ***) @ C:\Users\Piotrek\AppData\Roaming\Microsoft\SystemCertificates\VSSVC.exe [2344] (Microsoft® Volume Shadow Copy Service/Microsoft Corporation)(2015-06-23 10:58:03) 0000000000400000
Library C:\Users\Piotrek\AppData\Local\Temp\cdo3163136621.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [3352] (Microsoft CDO for Windows Library/Microsoft Corporation)(2015-10-19 18:58:04) 00000000003b0000
Library C:\Users\Piotrek\AppData\Local\Temp\cdo1941465742.dll (*** suspicious ***) @ C:\Windows\SysWOW64\msiexec.exe [3352] (Microsoft CDO for Windows Library/Microsoft Corporation)(2015-10-19 16:34:41) 00000000003e0000

---- Registry - GMER 2.1 ----

Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1008b18d7d96
Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\1008b18d7d96@64a3cbb8727b 0x05 0x49 0x7D 0x46 ...
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters@DhcpNameServer 10.205.0.1 149.156.96.9
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2B692D03-A488-41D2-8F66-72113A56DD08}@LeaseObtainedTime 1445341936
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2B692D03-A488-41D2-8F66-72113A56DD08}@T1 1445343736
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2B692D03-A488-41D2-8F66-72113A56DD08}@T2 1445345086
Reg HKLM\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces\{2B692D03-A488-41D2-8F66-72113A56DD08}@LeaseTerminatesTime 1445345536
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@ServiceBinary C:\Windows\system32\drivers\VDRV1000.SYS
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@Group SCSI Miniport
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@ImagePath system32\DRIVERS\vdrv1000.sys
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@ErrorControl 1
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@Start 1
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@Type 1
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000@Tag 65
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\Enum
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\Enum@0 {C317464A-8106-4e30-83E6-1825448A5FC3}\VDRV1_HWID\1&21a742e4&0&01
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\Enum@Count 1
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\Enum@NextInstance 1
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\parameters
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\parameters@BusType 0
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\parameters\pnpinterface
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\parameters\pnpinterface@0 1
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000\security
Reg HKLM\SYSTEM\CurrentControlSet\services\vdrv1000
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1008b18d7d96 (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\1008b18d7d96@64a3cbb8727b 0x05 0x49 0x7D 0x46 ...
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@ServiceBinary C:\Windows\system32\drivers\VDRV1000.SYS
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@Group SCSI Miniport
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@ImagePath system32\DRIVERS\vdrv1000.sys
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@ErrorControl 1
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@Start 1
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@Type 1
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000@Tag 65
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\Enum (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\Enum@0 {C317464A-8106-4e30-83E6-1825448A5FC3}\VDRV1_HWID\1&21a742e4&0&01
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\Enum@Count 1
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\Enum@NextInstance 1
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\parameters (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\parameters@BusType 0
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\parameters\pnpinterface (not active ControlSet)
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\parameters\pnpinterface@0 1
Reg HKLM\SYSTEM\ControlSet002\services\vdrv1000\security (not active ControlSet)

---- Files - GMER 2.1 ----

File C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\64fdhpj4.default\cache2\entries\07E85F884EF88BC4F35A6E769CE2B921940B5226 0 bytes
File C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\64fdhpj4.default\cache2\entries\F7565A575653C50804C7A7E0A3D4D2ECB73ADFAE 0 bytes
File C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\64fdhpj4.default\cache2\entries\054D87E3E9C5EF157C5A77C2792D9D96F3F2DB69 0 bytes
File C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\64fdhpj4.default\cache2\entries\D9B599BC6EBAB6CD9238EB8C90E85B8470FC4D52 320919 bytes
File C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\64fdhpj4.default\cache2\entries\37D6814BA2301706DAF1BADC87CFCC2D54566899 3508 bytes
File C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\64fdhpj4.default\cache2\entries\EE7CE00DA6897C69448D54F939800CA951C8C904 3518 bytes
File C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\64fdhpj4.default\cache2\entries\024853BA3968182917B37BF960184A5C559B0E1A 170 bytes
File C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\64fdhpj4.default\cache2\entries\EB3ABA7240CD9D8C06CB1E8A152CEB1DF09CA4CC 321129 bytes
File C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\64fdhpj4.default\cache2\entries\5BE1324AF5E50857FD9D8D700F2573505442A481 3518 bytes
File C:\Users\Piotrek\AppData\Local\Mozilla\Firefox\Profiles\64fdhpj4.default\cache2\entries\01AADB16793B42002AF9EF6BF1E9236A3F6C5D0F 321157 bytes

---- EOF - GMER 2.1 ----