GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-06-25 15:41:34
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IAAStorageDevice-1 WDC_WD50 rev.01.0 465,76GB
Running: w2l4xbz1.exe; Driver: C:\Users\Ja\AppData\Local\Temp\kwadrkob.sys

---- User code sections - GMER 2.2 ----

.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable  00007ffa46e3eb50 5 bytes JMP 00007ffa2d292da0
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!RtlDecompressBuffer  00007ffa46e99c20 5 bytes JMP 00007ffa2d292c60
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtQueryInformationProcess  00007ffa46eb53f0 5 bytes JMP 00007ffa2d292e90
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection  00007ffa46eb55d0 5 bytes JMP 00007ffa2d2925a0
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00007ffa46eb5810 5 bytes JMP 00007ffa2d292410
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenEvent  00007ffa46eb58d0 5 bytes JMP 00007ffa2d2929a0
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateEvent  00007ffa46eb59d0 5 bytes JMP 00007ffa2d292940
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtResumeThread  00007ffa46eb5b10 5 bytes JMP 00007ffa2d2927d0
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateMutant  00007ffa46eb65c0 5 bytes JMP 00007ffa2d2929f0
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateSemaphore  00007ffa46eb6700 5 bytes JMP 00007ffa2d292aa0
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateUserProcess  00007ffa46eb6820 5 bytes JMP 00007ffa2d292b50
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenMutant  00007ffa46eb7320 5 bytes JMP 00007ffa2d292a50
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtOpenSemaphore  00007ffa46eb73e0 5 bytes JMP 00007ffa2d292b00
?      C:\WINDOWS\system32\wbem\wbemsvc.dll [7836] entry point in ".rdata" section 0000000072368fa0
?      C:\WINDOWS\SYSTEM32\iertutil.dll [7836] entry point in ".rdata" section 000000007117d380
?      C:\WINDOWS\SYSTEM32\iertutil.dll [11568] entry point in ".rdata" section 000000007117d380
?      C:\Windows\SYSTEM32\ActXPrxy.dll [11568] entry point in ".rdata" section 000000007216bd10
?      C:\WINDOWS\system32\wbem\wbemsvc.dll [7880] entry point in ".rdata" section 0000000072368fa0
?      C:\WINDOWS\SYSTEM32\iertutil.dll [7880] entry point in ".rdata" section 000000007117d380
?      C:\WINDOWS\SYSTEM32\NTASN1.dll [7880] entry point in ".rdata" section 000000006569bb10
?      C:\WINDOWS\system32\apphelp.dll [8084] entry point in ".rdata" section 00000000736d0380

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\svchost.exe [1624:4184]  00007ffa2e95c330
Thread  C:\WINDOWS\system32\svchost.exe [1624:7404]  00007ffa23941040
Thread  C:\WINDOWS\system32\svchost.exe [1624:7408]  00007ffa2e2c4c50
Thread  C:\WINDOWS\system32\svchost.exe [1624:7412]  00007ffa2e2c4c50
Thread  C:\WINDOWS\system32\svchost.exe [1624:8420]  00007ffa1815c480
Thread  C:\WINDOWS\system32\svchost.exe [1624:8412]  00007ffa1815c480
Thread  C:\WINDOWS\system32\svchost.exe [1624:8432]  00007ffa1815c480
Thread  C:\WINDOWS\system32\svchost.exe [1624:8408]  00007ffa18138640
Thread  C:\WINDOWS\system32\svchost.exe [1624:8436]  00007ffa1815c480
Thread  C:\WINDOWS\system32\svchost.exe [1624:8448]  00007ffa18167a10
Thread  C:\WINDOWS\system32\svchost.exe [1624:7488]  00007ffa1815c480
Thread  C:\WINDOWS\system32\svchost.exe [1624:12096]  00007ffa326b2750
Thread  C:\WINDOWS\system32\svchost.exe [1632:11292]  00007ffa2fb7c040
Thread  C:\WINDOWS\system32\svchost.exe [1632:11080]  00007ffa2fb7c040
Thread  C:\WINDOWS\system32\svchost.exe [1632:8108]  00007ffa2fb7c040
Thread  C:\WINDOWS\system32\svchost.exe [1768:5904]  00007ffa262cc550
Thread  C:\WINDOWS\system32\svchost.exe [1768:5908]  00007ffa262cc530
Thread  C:\WINDOWS\system32\svchost.exe [1768:1072]  00007ffa31276320
Thread  C:\WINDOWS\system32\svchost.exe [1768:576]  00007ffa312886e0
Thread  C:\WINDOWS\system32\svchost.exe [1856:2916]  00007ffa38936aa0
Thread  C:\WINDOWS\system32\svchost.exe [1856:2968]  00007ffa3893b0c0
Thread  C:\WINDOWS\system32\svchost.exe [1856:3792]  00007ffa2f151240
Thread  C:\WINDOWS\system32\svchost.exe [1856:3796]  00007ffa2f169490
Thread  C:\WINDOWS\system32\svchost.exe [1856:3800]  00007ffa2f1229b0
Thread  C:\WINDOWS\system32\svchost.exe [1856:4168]  00007ffa2e3c3d30
Thread  C:\WINDOWS\system32\svchost.exe [1856:11300]  00007ffa2e3c22b0
Thread  C:\WINDOWS\System32\spoolsv.exe [2272:9352]  00007ffa31276320
Thread  C:\WINDOWS\System32\spoolsv.exe [2272:9356]  00007ffa312529a0
Thread  C:\WINDOWS\System32\spoolsv.exe [2272:9428]  00007ffa1837d590
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5764]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5768]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5772]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5792]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5796]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5800]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5804]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5812]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5816]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5820]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5824]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5828]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5832]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5860]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5864]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:4680]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:4836]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:6040]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5512]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5540]  00007ffa3f4619c0
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5524]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:4584]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:4588]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:5000]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:4244]  00007ffa23ccb284
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:720]  00007ffa23cdfda0
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:4880]  00007ffa23cdfda0
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:6148]  00007ffa23cdfda0
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:6152]  00007ffa23cdfda0
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:6156]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:6160]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:6204]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:11896]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:6192]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:9024]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:4320]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:4328]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:6428]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:11572]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:10728]  00007ffa352ef410
Thread  C:\Program Files\Microsoft SQL Server\MSSQL11.RESET2\MSSQL\Binn\sqlservr.exe [2604:4864]  00007ffa352ef410
Thread  C:\WINDOWS\system32\svchost.exe [2768:7792]  00007ffa31276320
Thread  C:\WINDOWS\system32\svchost.exe [2768:6540]  00007ffa312529a0
Thread  C:\WINDOWS\system32\svchost.exe [6596:6628]  0000000076a2b5fc
Thread  C:\WINDOWS\system32\svchost.exe [6596:6632]  0000000076a11760
Thread  C:\WINDOWS\system32\svchost.exe [6596:6648]  0000000076ab8b1c
Thread  C:\WINDOWS\system32\svchost.exe [6596:6652]  0000000076abc740
Thread  C:\WINDOWS\system32\svchost.exe [6596:6656]  0000000076ac498c
Thread  C:\WINDOWS\system32\svchost.exe [6596:6668]  0000000076a26394
Thread  C:\WINDOWS\system32\svchost.exe [6596:5616]  00000000769e2234
Thread  C:\WINDOWS\system32\svchost.exe [6596:11616]  0000000076a50398
Thread  C:\WINDOWS\system32\csrss.exe [4436:11932]  fffff960ba9d4030
Thread  C:\Windows\WindowsMobile\wmdc.exe [10840:8536]  0000000076b03804
Thread  C:\Windows\WindowsMobile\wmdc.exe [10840:8828]  0000000076b23368

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed  1600617323
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\f07bcbe211a2
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\cc-7b-35-4b-60-8f@ClientLocalPort  64932
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\cc-7b-35-4b-60-8f@AddressCreationTimestamp  0x66 0xFC 0x7E 0x0D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\iphlpsvc\Teredo\PreviousState\cc-7b-35-4b-60-8f@TeredoAddress  2001:0:9d38:6ab8:38bb:25b:a41f:6ce5
Reg  HKLM\SYSTEM\CurrentControlSet\Services\rdyboost\Parameters@LastBootPlanUserTime  sob., cze 25 16, 10:38:35 AM
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch  8950
Reg  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch  2877
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated  0x45 0xAA 0x5C 0x17 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh  0x45 0x12 0x21 0x79 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow  0x45 0x42 0x98 0xB5 ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeTickCount  0x0F 0x65 0x20 0x03 ...

---- Files - GMER 2.2 ----

File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\FC80B9C8BDB9719C7D214195D1441C15E67F6780  3386 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\1EA66D4C0BF060ED048A58E905D1241C0F29AECA  2494 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\70DA2BBE39723331003A7AF965C8EFF827A6E006  2326 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\25CF2D685AECBDC41A5D3E9ED6792FE892D40F83  31523 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\1599B84140529CCAFB236769AEE04247CD0FAA6B  28729 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\86544E8556C165C519961094F5F3E68B749E2565  3136 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\A943241187EC2E15562DDCFD8684510592AE30E5  52973 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\768B158F3DBAE3E81F4899542D2A147356995246  3136 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\23D1B7EFCD74AAA074FE6FDA5CEB2F335A8E76BB  40649 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\706B02A2056F8A0CF3C0326913EC6EEDAB089896  3953 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\F7D31C9FC9DA79A0EF0411F60314B66C49BF6C74  3922 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\861D682DD1246737756676BEE2009A8B488DC85F  2495 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\59495977EBECEDD5018B3AA6E3C9A72FC231E0EB  3949 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\D2026642E31AB8B178B52DE6C4881CEE504ECEC2  3398 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\DC0B380C09F30788C1DCB7455D5E995659DA1102  0 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\23350FF151E6D043FF31C9895F6EA1DCE3BB43AF  3929 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\F1C13F2C69D7DBC8CB8EA3F82DC59D01CDB82536  3945 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\21F38780EC874E1F7F9154198B6C1D9A75B366A9  3929 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\3DCCE468AB5CFD257035E6CDE21FD25901492151  65935 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\A9FF4606B1A40F9CE09602ACB82BCF1FAD9E0295  2468 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\EC4B2DC5C82EEB2534B148A35AFDB86B5AC5EEA4  3938 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\BF779A19DF452764EFAAD8BACA95FD4A4865E4F0  3921 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\CFC98DCDF90103C08CF60FF45D5AFF5732271975  9540 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\51B93B9A1C8A2AF32C09B2A70AE35289BEB1684E  132129 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\200E99E9C5B99E8913D63A5A917BF486463FEF0C  3462 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\07203AB34BAAE9410B2113A60098A8C4D731CF86  3499 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\6DFDA0ECEDE9BC9DEF249DFBD168DC3919625530  14469 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\B423075895A1DEE7469807E3B47AD14306A766CE  4067 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\B60D569D2B4AC0C91BA7184E80D23DFFEBEC9A16  3637 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\4F305105C37933B342C4FEE5A0872EBB5DAE4FC4  63482 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\AC5665EF9F01EE02A309F72757CBBA8E74C38150  3933 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\C26B44CBE710D7E34EDD8565EE8BD6FD23EBD9D1  1920 bytes
File  C:\Users\Ja\AppData\Local\Mozilla\Firefox\Profiles\988a01xk.default\cache2\entries\1F7526AD423AFDB1457848BE58E8298B4E18DEF5  3165 bytes

---- EOF - GMER 2.2 ----
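The following is an added triage helper, not GMER's code and not part of the original post. It parses the `.text`, `?` and `Thread` records in the format shown in the log above, groups the inline hooks per process and measures how tightly their JMP targets cluster (hooks planted by one injected module normally land in one small trampoline region, and a jump distance larger than the patched DLL's image means the target lies outside that DLL), and separates kernel-space thread start addresses from user-mode ones. The record regexes and the constructed `SAMPLE_LOG` (a few records copied from this scan) are assumptions about the format; the clustering figures are a triage aid, not a verdict on what planted the hooks.

```python
"""Triage helpers for the 'User code sections' and 'Threads' blocks of a
GMER 2.2 log. Added example: not GMER's code and not the poster's."""
import re
from collections import defaultdict

# Record shapes as they appear in GMER 2.2 output (one record per line):
#   .text  <process>[<pid>]  <module>!<export>  <addr> <n> bytes JMP <target>
#   ?      <module> [<pid>] entry point in "<section>" section <addr>
#   Thread <process> [<pid>:<tid>]  <start>
HOOK_RE = re.compile(
    r'^\.text\s+(?P<proc>.+?)\[(?P<pid>\d+)\]\s+(?P<module>.+?)!(?P<export>\S+)'
    r'\s+(?P<addr>[0-9A-Fa-f]+)\s+(?P<size>\d+)\s+bytes\s+JMP\s+(?P<target>[0-9A-Fa-f]+)\s*$')
ENTRY_RE = re.compile(
    r'^\?\s+(?P<module>.+?)\s+\[(?P<pid>\d+)\]\s+entry point in "(?P<section>[^"]+)"'
    r' section\s+(?P<addr>[0-9A-Fa-f]+)\s*$')
THREAD_RE = re.compile(
    r'^Thread\s+(?P<proc>.+?)\s+\[(?P<pid>\d+):(?P<tid>\d+)\]\s+(?P<start>[0-9A-Fa-f]+)\s*$')

# On x64 Windows every kernel-mode address lies in the upper canonical half.
KERNEL_BASE = 0xFFFF800000000000


def parse_gmer(text):
    """Return the hook, entry-point and thread records found in a GMER log."""
    hooks, entries, threads = [], [], []
    for raw in text.splitlines():
        line = raw.strip()
        if m := HOOK_RE.match(line):
            hooks.append({'proc': m['proc'], 'pid': int(m['pid']),
                          'module': m['module'], 'export': m['export'],
                          'addr': int(m['addr'], 16), 'size': int(m['size']),
                          'target': int(m['target'], 16)})
        elif m := ENTRY_RE.match(line):
            entries.append({'module': m['module'], 'pid': int(m['pid']),
                            'section': m['section'], 'addr': int(m['addr'], 16)})
        elif m := THREAD_RE.match(line):
            threads.append({'proc': m['proc'], 'pid': int(m['pid']),
                            'tid': int(m['tid']), 'start': int(m['start'], 16)})
    return {'hooks': hooks, 'entry_points': entries, 'threads': threads}


def summarize_hooks(hooks):
    """Group inline hooks per process and measure how tightly their JMP
    targets cluster. Hooks from one injected module usually share a small
    trampoline region; a wide spread suggests more than one hook source."""
    by_proc = defaultdict(list)
    for h in hooks:
        by_proc[f"{h['proc']}[{h['pid']}]"].append(h)
    summary = {}
    for key, items in by_proc.items():
        targets = [h['target'] for h in items]
        summary[key] = {
            'exports': sorted(h['export'] for h in items),
            'modules': sorted({h['module'] for h in items}),
            'target_lo': min(targets),
            'target_hi': max(targets),
            'target_span': max(targets) - min(targets),
            # Distance from the patched export to its trampoline; anything
            # larger than the DLL image (a few MB for ntdll) leaves that DLL.
            'min_jump_distance': min(abs(h['target'] - h['addr']) for h in items),
        }
    return summary


def kernel_space_threads(threads):
    """Threads whose start address is in kernel space; these are judged
    differently from user-mode start addresses."""
    return [t for t in threads if t['start'] >= KERNEL_BASE]


# Constructed sample: a handful of records copied from the scan above.
SAMPLE_LOG = r"""
---- User code sections - GMER 2.2 ----

.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtMapViewOfSection  00007ffa46eb55d0 5 bytes JMP 00007ffa2d2925a0
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtWriteVirtualMemory  00007ffa46eb5810 5 bytes JMP 00007ffa2d292410
.text  C:\WINDOWS\system32\taskhostw.exe[1656]  C:\WINDOWS\SYSTEM32\ntdll.dll!NtCreateUserProcess  00007ffa46eb6820 5 bytes JMP 00007ffa2d292b50
?      C:\WINDOWS\system32\wbem\wbemsvc.dll [7836] entry point in ".rdata" section 0000000072368fa0

---- Threads - GMER 2.2 ----

Thread  C:\WINDOWS\system32\svchost.exe [1624:4184]  00007ffa2e95c330
Thread  C:\WINDOWS\system32\csrss.exe [4436:11932]  fffff960ba9d4030
"""

if __name__ == "__main__":
    parsed = parse_gmer(SAMPLE_LOG)
    for proc, info in summarize_hooks(parsed['hooks']).items():
        print(f"{proc}: {len(info['exports'])} hooks in {', '.join(info['modules'])}, "
              f"targets {info['target_lo']:#x}-{info['target_hi']:#x} "
              f"(span {info['target_span']:#x}, min jump {info['min_jump_distance']:#x})")
    for t in kernel_space_threads(parsed['threads']):
        print(f"kernel-space thread start: {t['proc']} [{t['pid']}:{t['tid']}] {t['start']:#x}")
```

Run it against a full saved GMER log by passing the file contents to `parse_gmer` instead of `SAMPLE_LOG`; the per-process `target_span` and `min_jump_distance` figures are what to look at first when deciding whether a set of hooks comes from one resident module.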