GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2015-11-26 15:15:10 Windows 6.1.7600 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 FUJITSU_MHZ2250BH_G2 rev.8909 232,89GB Running: 114zfoph.exe; Driver: C:\Users\Mateusz\AppData\Local\Temp\ufldypod.sys ---- User code sections - GMER 2.1 ---- .text C:\Windows\system32\taskhost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007789ff80 10 bytes {MOV EAX, 0x337ca; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778a0150 10 bytes {MOV EAX, 0x337f6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 10 bytes {MOV EAX, 0x3361f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778a0300 10 bytes {MOV EAX, 0x33706; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 10 bytes {MOV EAX, 0x33822; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 10 bytes {MOV EAX, 0x3366b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 10 bytes {MOV EAX, 0x336b7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a0d30 10 bytes {MOV EAX, 0x3386e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 10 bytes {MOV EAX, 0x33752; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 10 bytes {MOV EAX, 0x3379e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 10 bytes {MOV EAX, 0x338c6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\taskhost.exe[2716] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000778a15c0 10 bytes {MOV EAX, 0x3389a; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007789ff80 10 bytes {MOV EAX, 0x337ca; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778a0150 10 bytes {MOV EAX, 0x337f6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 10 bytes {MOV EAX, 0x3361f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778a0300 10 bytes {MOV EAX, 0x33706; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 10 bytes {MOV EAX, 0x33822; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 10 bytes {MOV EAX, 0x3366b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 10 bytes {MOV EAX, 0x336b7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a0d30 10 bytes {MOV EAX, 0x3386e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 10 bytes {MOV EAX, 0x33752; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 10 bytes {MOV EAX, 0x3379e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 10 bytes {MOV EAX, 0x338c6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\svchost.exe[1136] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000778a15c0 10 bytes {MOV EAX, 0x3389a; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetInformationThread 000000007789ff80 10 bytes {MOV EAX, 0x337ca; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtUnmapViewOfSection 00000000778a0150 10 bytes {MOV EAX, 0x337f6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00000000778a0250 10 bytes {MOV EAX, 0x3361f; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThread 00000000778a0300 10 bytes {MOV EAX, 0x33706; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSection 00000000778a0350 10 bytes {MOV EAX, 0x33822; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThread 00000000778a0390 10 bytes {MOV EAX, 0x3366b; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtCreateThreadEx 00000000778a0930 10 bytes {MOV EAX, 0x336b7; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtMakeTemporaryObject 00000000778a0d30 10 bytes {MOV EAX, 0x3386e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00000000778a11c0 10 bytes {MOV EAX, 0x33752; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetContextThread 00000000778a13e0 10 bytes {MOV EAX, 0x3379e; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemInformation 00000000778a15a0 10 bytes {MOV EAX, 0x338c6; MOVSXD RAX, EAX; JMP RAX} .text C:\Windows\system32\AUDIODG.EXE[3772] C:\Windows\SYSTEM32\ntdll.dll!NtSetSystemTime 00000000778a15c0 10 bytes {MOV EAX, 0x3389a; MOVSXD RAX, EAX; JMP RAX} .text C:\Users\Mateusz\Desktop\114zfoph.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 1 0000000077a50e79 3 bytes [9E, 3C, 1B] .text C:\Users\Mateusz\Desktop\114zfoph.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtMakeTemporaryObject + 5 0000000077a50e7d 2 bytes {JMP RAX} .text C:\Users\Mateusz\Desktop\114zfoph.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 1 0000000077a51bb5 3 bytes [CF, 3C, 1B] .text C:\Users\Mateusz\Desktop\114zfoph.exe[1216] C:\Windows\SysWOW64\ntdll.dll!NtSetSystemTime + 5 0000000077a51bb9 2 bytes {JMP RAX} ---- Threads - GMER 2.1 ---- Thread C:\Windows\System32\svchost.exe [796:940] 000007fefc3ef440 Thread C:\Windows\System32\svchost.exe [796:956] 000007fefc346204 Thread C:\Windows\System32\svchost.exe [796:292] 000007fefb962070 Thread C:\Windows\System32\svchost.exe [796:504] 000007fefb6e5440 Thread C:\Windows\System32\svchost.exe [796:2776] 000007fef4ba6b8c Thread C:\Windows\System32\svchost.exe [796:2780] 000007fef4ba1d88 Thread C:\Windows\system32\svchost.exe [864:904] 000007fefc90506c Thread C:\Windows\system32\svchost.exe [864:1836] 000007fef83e1c20 Thread C:\Windows\system32\svchost.exe [864:860] 000007fef83e1c20 Thread C:\Windows\system32\svchost.exe [864:2860] 000007fef87c5124 Thread C:\Windows\system32\svchost.exe [864:3720] 000007fef9bd1ab0 Thread C:\Windows\system32\svchost.exe [864:2056] 000007fef9b74164 Thread C:\Windows\system32\svchost.exe [992:792] 000007fefa5e6848 Thread C:\Windows\system32\svchost.exe [368:1944] 000007fef882f978 Thread C:\Windows\system32\svchost.exe [368:1840] 000007fefba2fd00 Thread C:\Windows\system32\svchost.exe [368:2544] 000007fef87c5124 Thread C:\Windows\System32\spoolsv.exe [1076:196] 000007fefb0b10c8 Thread C:\Windows\System32\spoolsv.exe [1076:1844] 000007fef7886144 Thread C:\Windows\System32\spoolsv.exe [1076:1096] 000007fef9425fd0 Thread C:\Windows\System32\spoolsv.exe [1076:1172] 000007fef90c3438 Thread C:\Windows\System32\spoolsv.exe [1076:1184] 000007fef94263ec Thread C:\Windows\System32\spoolsv.exe [1076:1300] 000007fefb915e5c Thread C:\Windows\System32\spoolsv.exe [1076:1608] 000007fef66a4828 Thread C:\Windows\system32\taskhost.exe [1220:1256] 000007fefa5a2740 Thread C:\Windows\system32\taskhost.exe [1220:1456] 000007fef9d71010 Thread C:\Windows\system32\taskhost.exe [1220:1460] 000007fef9d41f38 Thread C:\Windows\system32\taskhost.exe [1220:1464] 000007fef9d63d08 Thread C:\Windows\system32\svchost.exe [1344:1368] 000007fefd211a70 Thread C:\Windows\system32\svchost.exe [1344:1372] 000007fefd211a70 Thread C:\Windows\system32\svchost.exe [1344:1384] 000007fefd211a70 Thread C:\Windows\system32\svchost.exe [1344:1392] 000007fef9e22920 Thread C:\Windows\system32\svchost.exe [1344:1404] 000007fef9e35840 Thread C:\Windows\system32\svchost.exe [1344:1420] 000007fef9e3e680 Thread C:\Windows\system32\svchost.exe [1344:1424] 000007fef9e29140 Thread C:\Windows\system32\svchost.exe [1344:1644] 000007fef9913060 Thread C:\Windows\system32\svchost.exe [1344:1996] 000007fef9915570 Thread C:\Windows\system32\svchost.exe [1344:1624] 000007fef8002888 Thread C:\Windows\system32\svchost.exe [1344:1616] 000007fef7ff2940 Thread C:\Windows\system32\svchost.exe [1560:1668] 000007fef9425fd0 Thread C:\Windows\system32\svchost.exe [1560:1672] 000007fef94263ec Thread C:\Windows\system32\svchost.exe [1560:2536] 000007fef4938470 Thread C:\Windows\system32\svchost.exe [1560:2540] 000007fef4942418 Thread C:\Windows\system32\svchost.exe [1560:2796] 000007fef319f130 Thread C:\Windows\system32\svchost.exe [1560:2832] 000007fef3194734 Thread C:\Windows\system32\svchost.exe [1560:2656] 000007fef3194734 Thread C:\Windows\system32\svchost.exe [1740:1756] 000007feffa9a808 Thread C:\Windows\system32\svchost.exe [1740:1784] 000007fef9366f00 Thread C:\Windows\system32\svchost.exe [1740:1788] 000007fef935d390 Thread C:\Windows\system32\svchost.exe [1740:1796] 000007fef9425fd0 Thread C:\Windows\system32\svchost.exe [1740:1812] 000007fef90c3438 Thread C:\Windows\system32\svchost.exe [1740:1816] 000007fef94263ec Thread C:\Windows\system32\Dwm.exe [2020:568] 000007fefa36b0e4 Thread C:\Windows\system32\Dwm.exe [2020:700] 000007fefb8babf0 Thread C:\Windows\Explorer.EXE [1196:2108] 000007fef5062f9c Thread C:\Windows\Explorer.EXE [1196:2152] 000007fef4db2118 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2520:2652] 000007fef7012a74 Thread C:\Program Files\Windows Media Player\wmpnetwk.exe [2520:2660] 000007fef388dc08 Thread C:\Windows\system32\taskhost.exe [2716:636] 000007fef834ef24 ---- Registry - GMER 2.1 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager@PendingFileRenameOperations ???l????? ???????????????????7?,?????????????????d??? ???????????????????k?0?????????????????????????????????????????????????e??HidUsb???????h??? ???????U?????????????,????????H???N????????????????????????????????????????Z???????????n??%m??6.1.7600.16385??????????????????s???????????? ?????????????????????,??????????????#?????input.inf:Standard.NTamd64:HID_Inst:6.1.7600.16385::generic_hid_device:usb\class_03&subclass_01:usb\class_03????????????????????????????????Urz?dzenie wej?ciowe USB?o??? ?????????????????????0?????????????????????????????l??????????????????????v2.10|Action=Allow|Active=TRUE|Dir=Out|Protocol=17|Profile=Private|RA4=LocalSubnet|RA6=LocalSubnet|App=%PROGRAMFILES%\Windows Media Player\wmplayer.exe|Name=@FirewallAPI.dll,-31297|Desc=@FirewallAPI.dll,-31300|EmbedCtxt=@FirewallAPI.dll,-31252|????v2.10|Action=Allow|Active=TRUE|Dir=In|Protocol=6|Profile=Private|LPort=10243|RA4=LocalSubnet|RA6=LocalSubnet|App=System|Name=@FirewallAPI.dll,-31285|Desc=@FirewallAPI.dll,-31288|EmbedCtxt=@FirewallAPI.dl Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e4d17e5 Reg HKLM\SYSTEM\CurrentControlSet\services\BTHPORT\Parameters\Keys\00247e4d17e5@3c363ddd46be 0xD2 0x44 0xE7 0xC0 ... Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e4d17e5 (not active ControlSet) Reg HKLM\SYSTEM\ControlSet002\services\BTHPORT\Parameters\Keys\00247e4d17e5@3c363ddd46be 0xD2 0x44 0xE7 0xC0 ... ---- EOF - GMER 2.1 ----