GMER 2.1.19357 - http://www.gmer.net
Rootkit scan 2016-01-23 12:30:33
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 ST1000LM014-1EJ164-SSHD rev.HPM6 931,51GB
Running: jhnmqgsg.exe; Driver: C:\Users\MASTER\AppData\Local\Temp\pgldipow.sys

---- User IAT/EAT - GMER 2.1 ----

IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!??3@YAXPEAX@Z] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!wcsncmp] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!memmove] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!_wtol] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!_vsnwprintf] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!memcmp] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!_onexit] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!__dllonexit] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!_unlock] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!_lock] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!realloc] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!_errno] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!_initterm] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!_amsg_exit] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!_XcptFilter] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!malloc] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!memset] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!_wtoi64] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!_purecall] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!wcscat_s] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!wcscpy_s] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!wcsncpy_s] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!free] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!??2@YAPEAX_K@Z] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!wcstok] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[msvcrt.dll!memcpy] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[ntdll.dll!RtlVirtualUnwind] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[ntdll.dll!RtlLookupFunctionEntry] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[ntdll.dll!RtlCaptureContext] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[KERNEL32.dll!LoadLibraryW] [7265646165526c]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WSClient.dll!WSLicenseGetAllUserTokens] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WSClient.dll!WSLicenseGetLicensesForProducts] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WSClient.dll!WSLicenseGetExtendedUserInfo] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WSClient.dll!WSLicenseClose] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WSClient.dll!WSLicenseGetAllValidAppCategoryIds] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WSClient.dll!WSLicenseOpen] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[USER32.dll!UnregisterClassA] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[CRYPT32.dll!CryptProtectData] [50415940555f3f3f]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[CRYPT32.dll!CryptHashPublicKeyInfo] [5a404b5f584145]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[CRYPT32.dll!CertVerifyCertificateChainPolicy] [74726f737104a5]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[CRYPT32.dll!CertGetEnhancedKeyUsage] [7274737363770515]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[CRYPT32.dll!CertFreeCertificateChain] [636d656d04940000]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[CRYPT32.dll!CertFreeCertificateContext] [36a0000735f7970]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[CRYPT32.dll!CryptUnprotectData] [697270776e73765f]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[CRYPT32.dll!CertGetCertificateChain] [637705110066746e]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WINHTTP.dll!WinHttpGetIEProxyConfigForCurrentUser] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WINHTTP.dll!WinHttpGetDefaultProxyConfiguration] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WINHTTP.dll!WinHttpCloseHandle] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WINHTTP.dll!WinHttpGetProxyForUrl] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WINHTTP.dll!WinHttpCrackUrl] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WINHTTP.dll!WinHttpOpen] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[RPCRT4.dll!RpcStringFreeA] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[RPCRT4.dll!I_RpcBindingInqTransportType] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[RPCRT4.dll!UuidToStringA] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[SspiCli.dll!GetUserNameExW] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[SHLWAPI.dll!PathIsRootW] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[SHLWAPI.dll!PathIsUNCW] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[SHLWAPI.dll!PathIsRelativeW] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[SHLWAPI.dll!PathStripToRootW] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WINTRUST.dll!WTHelperGetProvSignerFromChain] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WINTRUST.dll!WinVerifyTrust] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WINTRUST.dll!WTHelperProvDataFromStateData] [0]
IAT C:\Windows\system32\svchost.exe[1060] @ C:\Windows\System32\storewuauth.dll[WTSAPI32.dll!WTSQueryUserToken] [0]

---- Threads - GMER 2.1 ----

Thread C:\Windows\system32\csrss.exe [6076:7524] fffff960009212d0
Thread C:\Windows\Explorer.EXE [7500:8236] 00007ff824aee630

---- Processes - GMER 2.1 ----

Process C:\Users\MASTER\AppData\Local\Temp\7zO01D1E6DD\jhnmqgsg.exe (*** suspicious ***) @ C:\Users\MASTER\AppData\Local\Temp\7zO01D1E6DD\jhnmqgsg.exe [4256](2015-02-04 12:59:56) 0000000000400000

---- Disk sectors - GMER 2.1 ----

Disk \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.1 ----