GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-10-14 22:18:29 Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d Hitachi_HTS545032B9A300 rev.PB3OC60N 298,09GB Running: k5g10pyc.exe; Driver: C:\Users\ASIAUK~1\AppData\Local\Temp\fwndyaob.sys ---- User code sections - GMER 2.2 ---- ? C:\WINDOWS\SYSTEM32\iertutil.dll [4756] entry point in ".rdata" section 0000000072621310 .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\USER32.dll!RegisterClassExW 00007ffe312eac60 6 bytes {JMP QWORD [RIP+0x1c53d0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\USER32.dll!RegisterClassW 00007ffe312eaea0 6 bytes {JMP QWORD [RIP+0x1d65190]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\USER32.dll!CreateWindowExW 00007ffe312ec4f0 6 bytes {JMP QWORD [RIP+0x1dc3b40]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\USER32.dll!TranslateMessage 00007ffe312f5330 6 bytes {JMP QWORD [RIP+0x1f5ad00]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\USER32.dll!PeekMessageW 00007ffe312fe430 6 bytes [68, 00, 00, 01, 00, C3] .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\USER32.dll!GetMessageA 00007ffe312fe8b0 6 bytes {JMP QWORD [RIP+0x1f91780]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\USER32.dll!GetMessageW 00007ffe31304840 6 bytes {JMP QWORD [RIP+0x1fab7f0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\USER32.dll!RegisterClassA 00007ffe31305210 6 bytes {JMP QWORD [RIP+0x1e5ae20]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\USER32.dll!CreateWindowExA 00007ffe31309e90 6 bytes {JMP QWORD [RIP+0x1dc61a0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\USER32.dll!DdeInitializeW 00007ffe3130a5a0 6 bytes {JMP QWORD [RIP+0x1ee5a90]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\USER32.dll!GetClipboardData 00007ffe313100d0 6 bytes {JMP QWORD [RIP+0x1f0ff60]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\GDI32.dll!BitBlt 00007ffe32fb2e80 6 bytes {JMP QWORD [RIP+0x1fd1b0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\combase.dll!CoCreateInstance 00007ffe316859c0 6 bytes {JMP QWORD [RIP+0x1aca670]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\combase.dll!CoCreateInstanceEx 00007ffe316b4fc0 6 bytes {JMP QWORD [RIP+0x1b1b070]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\WINTRUST.dll!WinVerifyTrust 00007ffe30a77ff0 6 bytes {JMP QWORD [RIP+0x27f8040]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\WS2_32.dll!connect 00007ffe332c87a0 6 bytes {JMP QWORD [RIP+0x87890]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\WS2_32.dll!WSAIoctl 00007ffe332cb420 6 bytes {JMP QWORD [RIP+0x124c10]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\WS2_32.dll!sendto 00007ffe332cea80 6 bytes {JMP QWORD [RIP+0x1015b0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\WS2_32.dll!getaddrinfo 00007ffe332cf520 6 bytes {JMP QWORD [RIP+0x170b10]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\WS2_32.dll!GetAddrInfoExW 00007ffe332d0160 6 bytes {JMP QWORD [RIP+0x13fed0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\WS2_32.dll!WSAConnectByNameW 00007ffe332d5ef0 6 bytes {JMP QWORD [RIP+0xda140]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\WS2_32.dll!WSAConnect 00007ffe332f4c70 6 bytes {JMP QWORD [RIP+0x7b3c0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\System32\WS2_32.dll!WSAConnectByList 00007ffe332f4d90 6 bytes {JMP QWORD [RIP+0x9b2a0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\urlmon.dll!CoInternetCombineUrlEx 00007ffe1ee60a80 6 bytes {JMP QWORD [RIP+0x1cf5b0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExA 00007ffe1d80d360 6 bytes {JMP QWORD [RIP+0x332cd0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!HttpAddRequestHeadersA 00007ffe1d82ba10 6 bytes {JMP QWORD [RIP+0x294620]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!InternetCloseHandle 00007ffe1d833c70 6 bytes {JMP QWORD [RIP+0x36c3c0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestW 00007ffe1d8348c0 6 bytes {JMP QWORD [RIP+0x2cb770]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!InternetConnectW 00007ffe1d879f10 6 bytes {JMP QWORD [RIP+0x366120]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!InternetConnectA 00007ffe1d87a040 6 bytes {JMP QWORD [RIP+0x345ff0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!InternetQueryDataAvailable 00007ffe1d880cd0 6 bytes {JMP QWORD [RIP+0x3ff360]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestW 00007ffe1d884450 6 bytes {JMP QWORD [RIP+0x2fbbe0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenA 00007ffe1d8866f0 6 bytes {JMP QWORD [RIP+0x3b9940]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!InternetOpenW 00007ffe1d8869f0 6 bytes {JMP QWORD [RIP+0x3d9640]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!InternetGetCookieExW 00007ffe1d88b950 6 bytes {JMP QWORD [RIP+0x3946e0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestExW 00007ffe1d89ca10 6 bytes {JMP QWORD [RIP+0x2c3620]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!InternetSetStatusCallback 00007ffe1d89cd00 6 bytes {JMP QWORD [RIP+0x403330]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!InternetWriteFile 00007ffe1d8a0fe0 6 bytes {JMP QWORD [RIP+0x41f050]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!HttpSendRequestA 00007ffe1d8a3fd0 6 bytes {JMP QWORD [RIP+0x27c060]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!HttpOpenRequestA 00007ffe1d936190 6 bytes {JMP QWORD [RIP+0x1a9ea0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\SYSTEM32\WININET.dll!InternetGetCookieExA 00007ffe1d937a70 6 bytes {JMP QWORD [RIP+0x2c85c0]} .text C:\Program Files\Internet Explorer\iexplore.exe[3320] C:\WINDOWS\system32\mswsock.dll!Tcpip6_WSHGetSocketInformation + 320 00007ffe2f97d9d0 6 bytes {JMP QWORD [RIP+0x72660]} ? C:\WINDOWS\system32\apphelp.dll [4784] entry point in ".rdata" section 000000006612f7c0 ? C:\WINDOWS\SYSTEM32\iertutil.dll [4784] entry point in ".rdata" section 0000000072621310 ? C:\Windows\System32\ieproxy.dll [4784] entry point in ".rdata" section 0000000006a39520 ? C:\WINDOWS\SYSTEM32\NTASN1.dll [4784] entry point in ".rdata" section 000000007217a020 ? C:\WINDOWS\system32\ncryptsslp.dll [4784] entry point in ".rdata" section 00000000721504f0 ? C:\WINDOWS\SYSTEM32\srpapi.dll [4784] entry point in ".rdata" section 0000000006e76100 ? C:\Windows\System32\OneCoreCommonProxyStub.dll [4784] entry point in ".rdata" section 000000000760da90 ? C:\Windows\System32\ActXPrxy.dll [4784] entry point in ".rdata" section 000000006f849b80 ? C:\WINDOWS\system32\apphelp.dll [4248] entry point in ".rdata" section 000000006612f7c0 ---- Threads - GMER 2.2 ---- Thread C:\WINDOWS\system32\svchost.exe [1068:2948] 00007ffe1ec41240 Thread C:\WINDOWS\system32\svchost.exe [1068:2952] 00007ffe1edba3b0 Thread C:\WINDOWS\system32\svchost.exe [1068:2956] 00007ffe1ed825e0 Thread C:\WINDOWS\system32\svchost.exe [1068:2296] 00007ffe2a5d2080 Thread C:\WINDOWS\system32\svchost.exe [1068:2576] 00007ffe2a5d3bc0 Thread C:\WINDOWS\system32\svchost.exe [2136:2184] 00007ffe22ee44b0 Thread C:\WINDOWS\system32\svchost.exe [2136:2252] 00007ffe2f366750 Thread C:\WINDOWS\System32\dwm.exe [212:3672] 00007ffe2e361270 Thread C:\WINDOWS\System32\dwm.exe [212:740] 00007ffe2e0f61c0 Thread C:\WINDOWS\System32\dwm.exe [212:6328] 00007ffe2e2c4780 Thread C:\WINDOWS\System32\dwm.exe [212:6296] 00007ffe2e0f6240 Thread C:\WINDOWS\System32\dwm.exe [212:1304] 00007ffe2e062040 Thread C:\WINDOWS\System32\dwm.exe [212:2496] 00007ffe2e0620f0 Thread C:\WINDOWS\System32\dwm.exe [212:6948] 00007ffe2e062190 Thread C:\WINDOWS\System32\dwm.exe [212:7384] 00007ffe2b1fea60 Thread C:\WINDOWS\system32\svchost.exe [5856:8060] 00007ffe2103c820 Thread C:\WINDOWS\system32\svchost.exe [5856:8108] 00007ffe2103c820 Thread C:\WINDOWS\system32\DllHost.exe [6132:3892] 00007ffe206f50b0 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed 325604635 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch@Epoch 1227 Reg HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Epoch2@Epoch 169 Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated 0x5A 0x3C 0x0B 0x5D ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh 0x5A 0xA4 0xCF 0xBE ... Reg HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow 0x5A 0xD4 0x46 0xFB ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@Rw 0x64 0x62 0x03 0x00 ... Reg HKLM\SYSTEM\Setup\Upgrade\NsiMigrationRoot\60\0@RwMask 0x64 0x62 0x03 0x00 ... ---- EOF - GMER 2.2 ----