GMER 2.1.19357 - http://www.gmer.net Rootkit scan 2016-08-29 18:25:47 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\00000020 ST1000LM024_HN-M101MBB rev.2BA30001 931,51GB Running: jhnmqgsg.exe; Driver: C:\Users\Andrzej\AppData\Local\Temp\kwedafog.sys ---- Kernel code sections - GMER 2.1 ---- .text C:\windows\System32\win32k.sys!W32pServiceTable fffff9600018ce00 15 bytes [00, F1, F6, 01, 40, 8F, 6C, ...] .text C:\windows\System32\win32k.sys!W32pServiceTable + 16 fffff9600018ce10 11 bytes [00, 6D, FC, FF, 00, A3, C3, ...] ---- User code sections - GMER 2.1 ---- .text C:\windows\system32\atiesrxx.exe[628] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fff3a68169a 4 bytes [68, 3A, FF, 7F] .text C:\windows\system32\atiesrxx.exe[628] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fff3a6816a2 4 bytes [68, 3A, FF, 7F] .text C:\windows\system32\atiesrxx.exe[628] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fff3a68181a 4 bytes [68, 3A, FF, 7F] .text C:\windows\system32\atiesrxx.exe[628] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fff3a681832 4 bytes [68, 3A, FF, 7F] .text C:\windows\system32\atieclxx.exe[12128] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fff3a68169a 4 bytes [68, 3A, FF, 7F] .text C:\windows\system32\atieclxx.exe[12128] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fff3a6816a2 4 bytes [68, 3A, FF, 7F] .text C:\windows\system32\atieclxx.exe[12128] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fff3a68181a 4 bytes [68, 3A, FF, 7F] .text C:\windows\system32\atieclxx.exe[12128] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fff3a681832 4 bytes [68, 3A, FF, 7F] .text C:\Windows\explorer.exe[16320] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 506 00007fff3a68169a 4 bytes [68, 3A, FF, 7F] .text C:\Windows\explorer.exe[16320] C:\windows\system32\PSAPI.DLL!GetModuleBaseNameA + 514 00007fff3a6816a2 4 bytes [68, 3A, FF, 7F] .text C:\Windows\explorer.exe[16320] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 118 00007fff3a68181a 4 bytes [68, 3A, FF, 7F] .text C:\Windows\explorer.exe[16320] C:\windows\system32\PSAPI.DLL!QueryWorkingSet + 142 00007fff3a681832 4 bytes [68, 3A, FF, 7F] .text C:\Program Files\Microsoft Office\Office15\WINWORD.EXE[10472] C:\windows\system32\KERNEL32.DLL!SetUnhandledExceptionFilter + 1 00007fff3c09915d 11 bytes {MOV RAX, 0x7fff140f4d54; JMP RAX} .text C:\Program Files\Microsoft Office\Office15\WINWORD.EXE[10472] C:\windows\system32\ole32.dll!OleLoadFromStream 00007fff3a712db4 5 bytes JMP 00007ffffbf102f8 .text C:\Program Files\Microsoft Office\Office15\WINWORD.EXE[10472] C:\windows\system32\OLEAUT32.dll!SysFreeString 00007fff3a9613e0 5 bytes JMP 00007ffffbf103b8 .text C:\Program Files\Microsoft Office\Office15\WINWORD.EXE[10472] C:\windows\system32\OLEAUT32.dll!VariantClear 00007fff3a961740 5 bytes JMP 00007ffffbf10478 .text C:\Program Files\Microsoft Office\Office15\WINWORD.EXE[10472] C:\windows\system32\OLEAUT32.dll!VariantChangeType 00007fff3a961e8c 10 bytes JMP 00007ffffbf10418 .text C:\Program Files\Microsoft Office\Office15\WINWORD.EXE[10472] C:\windows\system32\OLEAUT32.dll!SysAllocStringByteLen 00007fff3a961eb0 5 bytes JMP 00007ffffbf10358 .text C:\Program Files\Microsoft Office\Office15\WINWORD.EXE[10472] C:\windows\system32\USER32.dll!BeginPaint 00007fff3bf11050 8 bytes JMP 00007ffffbf10238 .text C:\Program Files\Microsoft Office\Office15\WINWORD.EXE[10472] C:\windows\system32\USER32.dll!ValidateRect 00007fff3bf11330 8 bytes JMP 00007ffffbf10298 .text C:\Program Files\Microsoft Office\Office15\WINWORD.EXE[10472] C:\windows\system32\USER32.dll!RegisterClipboardFormatW 00007fff3bf16c54 9 bytes JMP 00007ffffbf101d8 .text C:\Program Files\Microsoft Office\Office15\WINWORD.EXE[10472] C:\windows\system32\USER32.dll!RegisterClipboardFormatA 00007fff3bf19ca4 5 bytes JMP 00007ffffbf10178 .text C:\Program Files\Microsoft Office\Office15\WINWORD.EXE[10472] C:\windows\system32\SHELL32.dll!SHParseDisplayName 00007fff3ab028f8 5 bytes JMP 00007ffffbf104d8 ---- User IAT/EAT - GMER 2.1 ---- IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[msvcrt.dll!wcsncpy_s] [8b48ffffdd8ee805] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[msvcrt.dll!_initterm] [ffffdd7ce8057400] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[msvcrt.dll!malloc] [ed0d3b48104b8b48] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[msvcrt.dll!free] [dd6ae80574000039] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[msvcrt.dll!_amsg_exit] [3b48584b8b48ffff] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[msvcrt.dll!_XcptFilter] [e8057400003a230d] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[msvcrt.dll!_ltow] [604b8b48ffffdd58] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[msvcrt.dll!wcsncat_s] [7400003a190d3b48] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[msvcrt.dll!_vsnprintf] [8348ffffdd46e805] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[msvcrt.dll!memcpy] [ccccccccc35b20c4] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[msvcrt.dll!memset] [fc98548cccccccc] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ntdll.dll!RtlVirtualUnwind] [498b48d98b4820ec] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ntdll.dll!RtlLookupFunctionEntry] [8b48ffffdd1ee808] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ntdll.dll!RtlCaptureContext] [48ffffdd15e8104b] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ntdll.dll!NtQueryValueKey] [ffffdd0ce8184b8b] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ntdll.dll!NtClose] [ffdd03e8204b8b48] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ntdll.dll!RtlNtStatusToDosError] [dcfae8284b8b48ff] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ntdll.dll!RtlInitUnicodeString] [f1e8304b8b48ffff] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ntdll.dll!NtQuerySystemInformation] [e9e80b8b48ffffdc] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ntdll.dll!NtOpenKey] [e8404b8b48ffffdc] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[WINSTA.dll!WinStationFreeMemory] [8348536674c98548] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[WINSTA.dll!WinStationEnumerateExW] [98b48d98b4820ec] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[UTILDLL.dll!StrConnectState] [20c48348ffffddb8] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!UnhandledExceptionFilter] [48404b8b48ffffde] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!Sleep] [57400003af20d3b] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!lstrlenW] [4b8b48ffffde3fe8] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!OutputDebugStringA] [3ae80d3b4848] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!DisableThreadLibraryCalls] [48ffffde2de80574] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!SetUnhandledExceptionFilter] [3af60d3b48684b8b] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetProcessHeap] [ffde1be805740000] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!HeapFree] [d3b48704b8b48ff] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetSystemTimeAsFileTime] [57400003ae20d3b] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetCurrentProcess] [8b8b48ffffddf7e8] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!TerminateProcess] [d50d3b4800000080] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!QueryPerformanceCounter] [dde2e8057400003a] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetCurrentProcessId] [888b8b48ffff] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetLastError] [3ac80d3b4800] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetCurrentThreadId] [48ffffddcde80574] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[KERNEL32.dll!GetTickCount] [3b48000000908b8b] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ADVAPI32.dll!RegisterEventSourceW] [3b100d3b4828] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ADVAPI32.dll!DeregisterEventSource] [48ffffde75e80574] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ADVAPI32.dll!RegOpenKeyExA] [3b060d3b48304b8b] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ADVAPI32.dll!RegCloseKey] [ffde63e805740000] IAT C:\windows\system32\wbem\wmiprvse.exe[4336] @ C:\Windows\System32\perfts.dll[ADVAPI32.dll!RegQueryValueExA] [d3b48384b8b48ff] ---- Threads - GMER 2.1 ---- Thread C:\windows\system32\csrss.exe [17748:14924] fffff9600084db90 ---- Disk sectors - GMER 2.1 ---- Disk \Device\Harddisk0\DR0 unknown MBR code ---- EOF - GMER 2.1 ----