GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-03-15 18:07:39
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000031 ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB
Running: yuguy4r2.exe; Driver: C:\Users\Thomas\AppData\Local\Temp\awddipod.sys

---- User code sections - GMER 2.2 ----

?      C:\WINDOWS\system32\apphelp.dll [7332] entry point in ".rdata" section 000000006a120380
?      C:\WINDOWS\SYSTEM32\NTASN1.dll [2208] entry point in ".rdata" section 000000006a1cbb10
?      C:\WINDOWS\SYSTEM32\iertutil.dll [4232] entry point in ".rdata" section 000000006c28caf0
?      C:\WINDOWS\system32\wbem\wbemsvc.dll [4232] entry point in ".rdata" section 0000000073738fa0
.text  C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5336] C:\WINDOWS\SYSTEM32\ntdll.dll!LdrLoadDll 00007ff885ed0b30 12 bytes {MOV RAX, 0x7ff86fc9b660; JMP RAX}

---- User IAT/EAT - GMER 2.2 ----

IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] @ C:\WINDOWS\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff85b88bf68] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.116\chrome_child.dll
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2736] @ C:\WINDOWS\SYSTEM32\dwrite.dll[ntdll.dll!NtAlpcConnectPort] [7ff85b88bf68] C:\Program Files (x86)\Google\Chrome\Application\48.0.2564.116\chrome_child.dll
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ff8c3390030]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2736] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GdiDllInitialize] [7ff8c3390030]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject] [7ff8c3390070]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ff8c3390070]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] @ C:\WINDOWS\system32\shlwapi.dll[GDI32.dll!GetStockObject] [7ff8c3390070]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ff8c3390070]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!GetStockObject] [7ff8c3390070]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\COMCTL32.dll[GDI32.dll!GetStockObject] [7ff8c3390070]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2736] @ C:\WINDOWS\system32\USER32.dll[GDI32.dll!GetStockObject] [7ff8c3390070]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2736] @ C:\WINDOWS\system32\SHELL32.dll[GDI32.dll!GetStockObject] [7ff8c3390070]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2736] @ C:\WINDOWS\system32\shlwapi.dll[GDI32.dll!GetStockObject] [7ff8c3390070]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2736] @ C:\WINDOWS\system32\COMDLG32.dll[GDI32.dll!GetStockObject] [7ff8c3390070]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2736] @ C:\WINDOWS\system32\ole32.dll[GDI32.dll!GetStockObject] [7ff8c3390070]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2736] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\COMCTL32.dll[GDI32.dll!GetStockObject] [7ff8c3390070]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ff8c3790030]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] @ C:\WINDOWS\system32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ff8c3790030]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] @ C:\WINDOWS\system32\ole32.dll[USER32.dll!RegisterClassW] [7ff8c3790030]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[5188] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\COMCTL32.dll[USER32.dll!RegisterClassW] [7ff8c3790030]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2736] @ C:\WINDOWS\system32\SHELL32.dll[USER32.dll!RegisterClassW] [7ff8c3790030]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2736] @ C:\WINDOWS\system32\COMDLG32.dll[USER32.dll!RegisterClassW] [7ff8c3790030]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2736] @ C:\WINDOWS\system32\ole32.dll[USER32.dll!RegisterClassW] [7ff8c3790030]
IAT    C:\Program Files (x86)\Google\Chrome\Application\chrome.exe[2736] @ C:\WINDOWS\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.10586.0_none_8c15ae12515e1c22\COMCTL32.dll[USER32.dll!RegisterClassW] [7ff8c3790030]

---- Threads - GMER 2.2 ----

Thread C:\WINDOWS\system32\csrss.exe [628:744] fffff961d3124060

---- Registry - GMER 2.2 ----

Reg    HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed -239475593
Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\142d27fd3c8a
Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\142d27fd3c8a@241fa08f1462 0x44 0xBB 0x03 0x5B ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings
Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0002
Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0002@BackupContext 0x02 0x00 0x00 0x00 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0002@Bluetooth_UniqueID {00000000-0000-0000-0000-000000000000}#241FA08F1462_00000000
Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0002@ConnectionCount 0
Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0003
Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0003@BackupContext 0x02 0x00 0x00 0x00 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0003@Bluetooth_UniqueID {0000112f-0000-1000-8000-00805f9b34fb}#241FA08F1462_C00000000
Reg    HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Upgrade\LocalRadioSettings\0003@ConnectionCount 0
Reg    HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-13-5f-07-6a-d9@ClientLocalPort 58111
Reg    HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-13-5f-07-6a-d9@AddressCreationTimestamp 0xDD 0xA3 0xF8 0x0C ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\00-13-5f-07-6a-d9@TeredoAddress 2001:0:9d38:90d7:14cd:1d00:4d14:4dbd
Reg    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 8825
Reg    HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 3811
Reg    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0c6df06d-6318-4dbc-91b2-fd650dd9104c}@LeaseObtainedTime 1458050124
Reg    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0c6df06d-6318-4dbc-91b2-fd650dd9104c}@T1 1458053724
Reg    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0c6df06d-6318-4dbc-91b2-fd650dd9104c}@T2 1458056424
Reg    HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0c6df06d-6318-4dbc-91b2-fd650dd9104c}@LeaseTerminatesTime 1458057324
Reg    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0xD6 0x87 0x51 0x93 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0xD6 0xEF 0x15 0xF5 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0xD6 0x1F 0x8D 0x31 ...
Reg    HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount 0xB2 0xEA 0x37 0x00 ...
Reg    HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@Rw 0x64 0x62 0x03 0x00 ...
Reg    HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\0@RwMask 0x64 0x62 0x03 0x00 ...
Reg    HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@Rw 0x64 0x62 0x03 0x00 ...
Reg    HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\63\1@RwMask 0x64 0x62 0x03 0x00 ...
Reg    HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Live\Roaming\RegistrarData@LastRenewCollectionsInterest 0x19 0xA3 0x67 0xAA ...

---- Disk sectors - GMER 2.2 ----

Disk   \Device\Harddisk0\DR0 unknown MBR code

---- EOF - GMER 2.2 ----