GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2015-12-07 20:42:11
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP1T0L0-1 Hitachi_HTS547564A9E384 rev.JEDOA50A 596,17GB
Running: c9k13odn.exe; Driver: C:\Users\Beata\AppData\Local\Temp\fwddrkog.sys

---- User code sections - GMER 2.1 ----

.text C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 322 00000000730a1a22 2 bytes [0A, 73]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 496 00000000730a1ad0 2 bytes [0A, 73]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 552 00000000730a1b08 2 bytes [0A, 73]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 730 00000000730a1bba 2 bytes [0A, 73]
.text C:\Windows\SysWOW64\PnkBstrA.exe[1820] C:\Windows\SysWOW64\WSOCK32.dll!setsockopt + 762 00000000730a1bda 2 bytes [0A, 73]

---- Processes - GMER 2.1 ----

Library C:\Windows\SysWOW64\PnkBstrA.exe (*** suspicious ***) @ C:\Windows\SysWOW64\PnkBstrA.exe [1820](2015-02-27 10:16:16) 0000000000400000
Process C:\Users\Beata\AppData\Local\winlogon.exe (*** suspicious ***) @ C:\Users\Beata\AppData\Local\winlogon.exe [2228](2013-04-30 19:09:19) 0000000000400000
Process C:\Users\Beata\AppData\Local\services.exe (*** suspicious ***) @ C:\Users\Beata\AppData\Local\services.exe [2680](2013-04-30 19:09:19) 0000000000400000
Process C:\Users\Beata\AppData\Local\lsass.exe (*** suspicious ***) @ C:\Users\Beata\AppData\Local\lsass.exe [2720](2013-04-30 19:09:19) 0000000000400000

---- Registry - GMER 2.1 ----

Reg HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Persisted@C:\Users\Beata\Documents\Zdjêcia\POLONUS\zdj\xa6Öcia\FW__[Fwd__]\FW__[Fwd__].exe 8

---- EOF - GMER 2.1 ----