GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-02-04 12:25:49 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000030 WDC_WD10S21X-24R1BT0-SSHD-8GB rev.03.01A02 931,51GB Running: gmer.exe; Driver: C:\Users\MIKOAJ~1\AppData\Local\Temp\fxlyrpog.sys ---- User code sections - GMER 2.1 ---- .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePort 00007ff937150ee0 5 bytes JMP 00007ff9b7280450 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryObject 00007ff937150f30 5 bytes JMP 00007ff9b7280440 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenProcess 00007ff937151090 5 bytes JMP 00007ff9b7280360 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtReplyWaitReceivePortEx 00007ff9371510e0 5 bytes JMP 00007ff9b7280460 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateProcess 00007ff9371510f0 5 bytes JMP 00007ff9b72803d0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSection 00007ff9371511a0 5 bytes JMP 00007ff9b7280310 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 00007ff9371511d0 5 bytes JMP 00007ff9b72803a0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject 00007ff9371511f0 1 byte JMP 00007ff9b7280380 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDuplicateObject + 2 00007ff9371511f2 3 bytes {JMP 0xffffffff8012f190} .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent 00007ff937151230 5 bytes JMP 00007ff9b72802d0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent 00007ff9371512b0 5 bytes JMP 00007ff9b72802c0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSection 00007ff9371512d0 5 bytes JMP 00007ff9b7280300 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThread 00007ff937151310 5 bytes JMP 00007ff9b72803b0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtTerminateThread 00007ff937151360 5 bytes JMP 00007ff9b72803e0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAddBootEntry 00007ff9371514c0 5 bytes JMP 00007ff9b7280220 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAlpcSendWaitReceivePort 00007ff9371516b0 5 bytes JMP 00007ff9b7280470 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtAssignProcessToJobObject 00007ff9371516e0 5 bytes JMP 00007ff9b7280390 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEventPair 00007ff937151800 5 bytes JMP 00007ff9b72802e0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateIoCompletion 00007ff937151820 5 bytes JMP 00007ff9b7280340 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant 00007ff937151890 5 bytes JMP 00007ff9b7280280 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore 00007ff937151920 5 bytes JMP 00007ff9b72802a0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateThreadEx 00007ff937151940 5 bytes JMP 00007ff9b72803c0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateTimer 00007ff937151950 5 bytes JMP 00007ff9b7280320 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDebugActiveProcess 00007ff937151a00 5 bytes JMP 00007ff9b7280400 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtDeleteBootEntry 00007ff937151a30 5 bytes JMP 00007ff9b7280230 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtLoadDriver 00007ff937151d50 5 bytes JMP 00007ff9b72801d0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtModifyBootEntry 00007ff937151e10 5 bytes JMP 00007ff9b7280240 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeKey 00007ff937151e40 5 bytes JMP 00007ff9b7280480 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtNotifyChangeMultipleKeys 00007ff937151e50 5 bytes JMP 00007ff9b7280490 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEventPair 00007ff937151e80 5 bytes JMP 00007ff9b72802f0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenIoCompletion 00007ff937151e90 5 bytes JMP 00007ff9b7280350 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant 00007ff937151ef0 5 bytes JMP 00007ff9b7280290 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore 00007ff937151f40 5 bytes JMP 00007ff9b72802b0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenThread 00007ff937151f70 5 bytes JMP 00007ff9b7280370 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenTimer 00007ff937151f80 5 bytes JMP 00007ff9b7280330 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueueApcThreadEx 00007ff937152290 5 bytes JMP 00007ff9b7280430 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootEntryOrder 00007ff937152490 5 bytes JMP 00007ff9b7280250 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetBootOptions 00007ff9371524a0 5 bytes JMP 00007ff9b7280260 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetContextThread 00007ff9371524c0 5 bytes JMP 00007ff9b72803f0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemInformation 00007ff9371526a0 5 bytes JMP 00007ff9b72801e0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSetSystemPowerState 00007ff9371526b0 5 bytes JMP 00007ff9b7280200 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtShutdownSystem 00007ff937152740 5 bytes JMP 00007ff9b72801f0 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendProcess 00007ff9371527b0 5 bytes JMP 00007ff9b7280410 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSuspendThread 00007ff9371527c0 5 bytes JMP 00007ff9b7280420 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtSystemDebugControl 00007ff9371527d0 5 bytes JMP 00007ff9b7280210 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl 00007ff9371528e0 1 byte JMP 00007ff9b7280270 .text C:\WINDOWS\system32\AUDIODG.EXE[1552] C:\WINDOWS\SYSTEM32\ntdll.dll!NtVdmControl + 2 00007ff9371528e2 3 bytes {JMP 0xffffffff8012d990} ---- Threads - GMER 2.1 ---- Thread C:\WINDOWS\system32\csrss.exe [712:736] fffff960008c72d0 ---- Processes - GMER 2.1 ---- Library C:\Program Files (x86)\Google\Update\1.3.29.1\goopdate.dll (*** suspicious ***) @ C:\Program Files (x86)\Google\Update\GoogleUpdate.exe [6076] 0000000069eb0000 Library C:\Users\Miko (*** suspicious ***) @ C:\Users\Miko 0000000069760000 Library C:\Users\Miko (*** suspicious ***) @ C:\Users\Miko 0000000069610000 Library C:\Users\Miko (*** suspicious ***) @ C:\Users\Miko 00000000695f0000 Library C:\Users\Miko (*** suspicious ***) @ C:\Users\Miko 0000000069590000 Library C:\Users\Miko (*** suspicious ***) @ C:\Users\Miko 0000000010000000 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----