GMER 2.2.19882 - http://www.gmer.net
Rootkit scan 2016-10-31 11:24:27
Windows 6.2.9200 x64 \Device\Harddisk0\DR0 -> \Device\0000002d WDC_WD5000BPVT-80HXZT1 rev.01.01A01 465,76GB
Running: yxjwxc48.exe; Driver: C:\Users\Martyna\AppData\Local\Temp\awwdqaog.sys

---- User code sections - GMER 2.2 ----

.text  C:\Windows\system32\dwm.exe[1020] C:\Windows\System32\KERNEL32.DLL!K32GetModuleInformation        00007ff840660770 7 bytes JMP 00007ff83f2c0260
.text  C:\Windows\system32\dwm.exe[1020] C:\Windows\System32\KERNEL32.DLL!RegSetValueExW                 00007ff840661cd0 7 bytes JMP 00007ff83f2c0340
.text  C:\Windows\system32\dwm.exe[1020] C:\Windows\System32\KERNEL32.DLL!RegDeleteValueW                00007ff840663370 7 bytes JMP 00007ff83f2c02d0
.text  C:\Windows\system32\dwm.exe[1020] C:\Windows\System32\KERNEL32.DLL!K32EnumProcessModulesEx        00007ff840679f90 7 bytes JMP 00007ff83f2c01f0
.text  C:\Windows\system32\dwm.exe[1020] C:\Windows\System32\KERNEL32.DLL!K32GetMappedFileNameW          00007ff840679ff0 7 bytes JMP 00007ff83f2c0228
.text  C:\Windows\system32\dwm.exe[1020] C:\Windows\System32\KERNEL32.DLL!RegQueryValueExW               00007ff84067a570 7 bytes JMP 00007ff83f2c0298
.text  C:\Windows\system32\dwm.exe[1020] C:\Windows\System32\KERNEL32.DLL!RegSetValueExA                 00007ff84067a5d0 7 bytes JMP 00007ff83f2c0308
.text  C:\Windows\system32\dwm.exe[1020] C:\Windows\System32\gdi32.dll!D3DKMTCreateSynchronizationObject  00007ff8402d2d60 9 bytes JMP 00007ff83f2c0618
.text  C:\Windows\system32\dwm.exe[1020] C:\Windows\System32\gdi32.dll!D3DKMTOpenResource                 00007ff8402d3b80 6 bytes JMP 00007ff83f2c0570
.text  C:\Windows\system32\dwm.exe[1020] C:\Windows\system32\dxgi.dll!CreateDXGIFactory                   00007ff83df55b30 5 bytes JMP 00007ff83df400d8
.text  C:\Windows\system32\dwm.exe[1020] C:\Windows\system32\dxgi.dll!CreateDXGIFactory2                  00007ff83df55c90 5 bytes JMP 00007ff83df40148
.text  C:\Windows\system32\dwm.exe[1020] C:\Windows\system32\dxgi.dll!CreateDXGIFactory1                  00007ff83df55ff0 5 bytes JMP 00007ff83df40110
?      C:\Windows\system32\apphelp.dll [2240] entry point in ".rdata" section 000000007407f7c0
?      C:\Windows\SYSTEM32\iertutil.dll [2240] entry point in ".rdata" section 0000000073a21350
?      C:\Windows\SYSTEM32\NTASN1.dll [4768] entry point in ".rdata" section 00000000722aa020
?      C:\Windows\system32\ncryptsslp.dll [4768] entry point in ".rdata" section 000000006c8c04f0
?      C:\Windows\system32\apphelp.dll [2280] entry point in ".rdata" section 000000007407f7c0
?      C:\Windows\SYSTEM32\iertutil.dll [2280] entry point in ".rdata" section 0000000073a21350
?      C:\Windows\SYSTEM32\dbgcore.DLL [2280] entry point in ".rdata" section 00000000728fc940
?      C:\Windows\system32\wbem\wbemsvc.dll [2280] entry point in ".rdata" section 000000006b7b8fc0
?      C:\Windows\system32\apphelp.dll [4024] entry point in ".rdata" section 000000007407f7c0
?      C:\Windows\SYSTEM32\iertutil.dll [4024] entry point in ".rdata" section 0000000073a21350
.text  E:\Programy\ccleaner\CCleaner64.exe[4512] C:\Windows\System32\win32u.dll!NtUserShowScrollBar       00007ff83f9f1830 5 bytes JMP 00007ff7bfa10018
?      C:\Windows\system32\apphelp.dll [5560] entry point in ".rdata" section 000000007407f7c0
?      C:\Windows\SYSTEM32\iertutil.dll [5560] entry point in ".rdata" section 0000000073a21350
?      C:\Windows\SYSTEM32\dbgcore.DLL [5560] entry point in ".rdata" section 00000000728fc940
.text  C:\Users\Martyna\AppData\Roaming\Spotify\Spotify.exe[5560] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 3   00000000726a1003 2 bytes [6A, 72]
.text  C:\Users\Martyna\AppData\Roaming\Spotify\Spotify.exe[5560] C:\Program Files (x86)\NVIDIA Corporation\CoProcManager\detoured.dll!Detoured + 22  00000000726a1016 2 bytes [6A, 72]
?      C:\Windows\system32\apphelp.dll [5072] entry point in ".rdata" section 000000007407f7c0

---- Threads - GMER 2.2 ----

Thread  C:\Windows\system32\csrss.exe [620:676]  ffffdade37046c20

---- Registry - GMER 2.2 ----

Reg  HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\kernel\RNG@RNGAuxiliarySeed                   -1498084539
Reg  HKLM\SYSTEM\CurrentControlSet\Services\BTHPORT\Parameters\Keys\e0b9a52f4ce9
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeEstimated                 0x90 0xCE 0xBC 0x1D ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeHigh                      0x90 0x36 0x81 0x7F ...
Reg  HKLM\SYSTEM\CurrentControlSet\Services\W32Time\SecureTimeLimits@SecureTimeLow                       0x90 0x66 0xF8 0xBB ...

---- EOF - GMER 2.2 ----