GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-06-28 22:17:57
Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\0000006c TS128GSS rev.N111 119,24GB
Running: wymud2e0.exe; Driver: C:\Users\TomAS\AppData\Local\Temp\kwddykog.sys

---- User code sections - GMER 2.2 ----

.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000771e1401  2 bytes JMP 7616b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000771e1419  2 bytes JMP 7616b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000771e1431  2 bytes JMP 761e90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000771e144a  2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000771e14dd  2 bytes JMP 761e89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000771e14f5  2 bytes JMP 761e8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000771e150d  2 bytes JMP 761e88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000771e1525  2 bytes JMP 761e8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000771e153d  2 bytes JMP 7615fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000771e1555  2 bytes JMP 76166937 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000771e156d  2 bytes JMP 761e91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000771e1585  2 bytes JMP 761e8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000771e159d  2 bytes JMP 761e88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000771e15b5  2 bytes JMP 7615fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000771e15cd  2 bytes JMP 7616b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000771e16b2  2 bytes JMP 761e906c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\qksee\qkseeSvc.exe[1428]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000771e16bd  2 bytes JMP 761e8839 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000771e1401  2 bytes JMP 7616b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000771e1419  2 bytes JMP 7616b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000771e1431  2 bytes JMP 761e90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000771e144a  2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000771e14dd  2 bytes JMP 761e89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000771e14f5  2 bytes JMP 761e8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000771e150d  2 bytes JMP 761e88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000771e1525  2 bytes JMP 761e8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000771e153d  2 bytes JMP 7615fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000771e1555  2 bytes JMP 76166937 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000771e156d  2 bytes JMP 761e91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000771e1585  2 bytes JMP 761e8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000771e159d  2 bytes JMP 761e88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000771e15b5  2 bytes JMP 7615fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000771e15cd  2 bytes JMP 7616b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000771e16b2  2 bytes JMP 761e906c C:\Windows\syswow64\kernel32.dll
.text  C:\Users\TomAS\AppData\Roaming\TSv\TSvr.exe[2228]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000771e16bd  2 bytes JMP 761e8839 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExW + 17  00000000771e1401  2 bytes JMP 7616b263 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!EnumProcessModules + 17  00000000771e1419  2 bytes JMP 7616b38e C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 17  00000000771e1431  2 bytes JMP 761e90f1 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!GetModuleInformation + 42  00000000771e144a  2 bytes CALL 761448ad C:\Windows\syswow64\kernel32.dll
.text  ...  * 9
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!EnumDeviceDrivers + 17  00000000771e14dd  2 bytes JMP 761e89ea C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameA + 17  00000000771e14f5  2 bytes JMP 761e8bc0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSetEx + 17  00000000771e150d  2 bytes JMP 761e88e0 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!GetDeviceDriverBaseNameW + 17  00000000771e1525  2 bytes JMP 761e8caa C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameW + 17  00000000771e153d  2 bytes JMP 7615fce8 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!EnumProcesses + 17  00000000771e1555  2 bytes JMP 76166937 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!GetProcessMemoryInfo + 17  00000000771e156d  2 bytes JMP 761e91a9 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!GetPerformanceInfo + 17  00000000771e1585  2 bytes JMP 761e8d0a C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!QueryWorkingSet + 17  00000000771e159d  2 bytes JMP 761e88a4 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!GetModuleBaseNameA + 17  00000000771e15b5  2 bytes JMP 7615fd81 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!GetModuleFileNameExA + 17  00000000771e15cd  2 bytes JMP 7616b324 C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 20  00000000771e16b2  2 bytes JMP 761e906c C:\Windows\syswow64\kernel32.dll
.text  C:\Program Files (x86)\TData\TData.exe[2648]  C:\Windows\syswow64\PSAPI.DLL!GetProcessImageFileNameW + 31  00000000771e16bd  2 bytes JMP 761e8839 C:\Windows\syswow64\kernel32.dll

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\BackupRestore\FilesNotToSnapshot@OfficeODC  (binary value; not readable in this copy of the log)
Reg  HKLM\SYSTEM\ControlSet002\Control\BackupRestore\FilesNotToSnapshot@OfficeODC  (binary value; not readable in this copy of the log)

---- EOF - GMER 2.2 ----