GMER 2.2.19882 - http://www.gmer.net Rootkit scan 2016-11-24 18:49:01 Windows 6.1.7601 Service Pack 1 x64 \Device\Harddisk0\DR0 -> \Device\Ide\IdeDeviceP0T0L0-0 WDC_WD6400AAKS-22A7B2 rev.01.03B01 596,17GB Running: 7d5k0mx5.exe; Driver: C:\Users\Przemek\AppData\Local\Temp\awdiyfow.sys ---- User code sections - GMER 2.2 ---- .text C:\Windows\System32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077c440c0 5 bytes JMP 0000000000020568 .text C:\Windows\System32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077c6bcc0 5 bytes JMP 00000000000205f0 .text C:\Windows\System32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c6bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\System32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c6bed0 5 bytes JMP 0000000000020018 .text C:\Windows\System32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c6bf30 5 bytes JMP 0000000000020348 .text C:\Windows\System32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c6bfb0 5 bytes JMP 0000000000020128 .text C:\Windows\System32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c6c500 5 bytes JMP 00000000000201b0 .text C:\Windows\System32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c6c590 5 bytes JMP 0000000000020238 .text C:\Windows\System32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c6c600 5 bytes JMP 00000000000202c0 .text C:\Windows\System32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c6cac0 5 bytes JMP 00000000000203d0 .text C:\Windows\System32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c6cb10 5 bytes JMP 0000000000020458 .text C:\Windows\System32\svchost.exe[4744] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077cc2530 5 bytes JMP 00000000000204e0 .text C:\Program Files\ByteFence\ByteFence.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077c440c0 5 bytes JMP 0000000000020568 .text C:\Program Files\ByteFence\ByteFence.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077c6bcc0 5 bytes JMP 00000000000205f0 .text C:\Program Files\ByteFence\ByteFence.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c6bdb0 5 bytes JMP 00000000000200a0 .text C:\Program Files\ByteFence\ByteFence.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c6bed0 5 bytes JMP 0000000000020018 .text C:\Program Files\ByteFence\ByteFence.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c6bf30 5 bytes JMP 0000000000020348 .text C:\Program Files\ByteFence\ByteFence.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c6bfb0 5 bytes JMP 0000000000020128 .text C:\Program Files\ByteFence\ByteFence.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c6c500 5 bytes JMP 00000000000201b0 .text C:\Program Files\ByteFence\ByteFence.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c6c590 5 bytes JMP 0000000000020238 .text C:\Program Files\ByteFence\ByteFence.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c6c600 5 bytes JMP 00000000000202c0 .text C:\Program Files\ByteFence\ByteFence.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c6cac0 5 bytes JMP 00000000000203d0 .text C:\Program Files\ByteFence\ByteFence.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c6cb10 5 bytes JMP 0000000000020458 .text C:\Program Files\ByteFence\ByteFence.exe[5460] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077cc2530 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\wbem\wmiprvse.exe[736] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077c440c0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\wbem\wmiprvse.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077c6bcc0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\wbem\wmiprvse.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c6bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\wbem\wmiprvse.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c6bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\wbem\wmiprvse.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c6bf30 5 bytes JMP 0000000000020348 .text C:\Windows\system32\wbem\wmiprvse.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c6bfb0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\wbem\wmiprvse.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c6c500 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\wbem\wmiprvse.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c6c590 5 bytes JMP 0000000000020238 .text C:\Windows\system32\wbem\wmiprvse.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c6c600 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\wbem\wmiprvse.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c6cac0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\wbem\wmiprvse.exe[736] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c6cb10 5 bytes JMP 0000000000020458 .text C:\Windows\system32\wbem\wmiprvse.exe[736] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077cc2530 5 bytes JMP 00000000000204e0 .text C:\Windows\system32\taskeng.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlQueryEnvironmentVariable 0000000077c440c0 5 bytes JMP 0000000000020568 .text C:\Windows\system32\taskeng.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtQueryInformationProcess 0000000077c6bcc0 5 bytes JMP 00000000000205f0 .text C:\Windows\system32\taskeng.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtMapViewOfSection 0000000077c6bdb0 5 bytes JMP 00000000000200a0 .text C:\Windows\system32\taskeng.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtWriteVirtualMemory 0000000077c6bed0 5 bytes JMP 0000000000020018 .text C:\Windows\system32\taskeng.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenEvent 0000000077c6bf30 5 bytes JMP 0000000000020348 .text C:\Windows\system32\taskeng.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateEvent 0000000077c6bfb0 5 bytes JMP 0000000000020128 .text C:\Windows\system32\taskeng.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateMutant 0000000077c6c500 5 bytes JMP 00000000000201b0 .text C:\Windows\system32\taskeng.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateSemaphore 0000000077c6c590 5 bytes JMP 0000000000020238 .text C:\Windows\system32\taskeng.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtCreateUserProcess 0000000077c6c600 5 bytes JMP 00000000000202c0 .text C:\Windows\system32\taskeng.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenMutant 0000000077c6cac0 5 bytes JMP 00000000000203d0 .text C:\Windows\system32\taskeng.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!NtOpenSemaphore 0000000077c6cb10 5 bytes JMP 0000000000020458 .text C:\Windows\system32\taskeng.exe[1080] C:\Windows\SYSTEM32\ntdll.dll!RtlDecompressBuffer 0000000077cc2530 5 bytes JMP 00000000000204e0 .text C:\Users\Przemek\Documents\diagnostyka\7d5k0mx5.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtQueryInformationProcess 0000000077e1fae8 5 bytes JMP 0000000075552d80 .text C:\Users\Przemek\Documents\diagnostyka\7d5k0mx5.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtMapViewOfSection 0000000077e1fc60 5 bytes JMP 0000000075552910 .text C:\Users\Przemek\Documents\diagnostyka\7d5k0mx5.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtWriteVirtualMemory 0000000077e1fe24 5 bytes JMP 00000000755527a0 .text C:\Users\Przemek\Documents\diagnostyka\7d5k0mx5.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtOpenEvent 0000000077e1feb8 5 bytes JMP 0000000075552ed0 .text C:\Users\Przemek\Documents\diagnostyka\7d5k0mx5.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateEvent 0000000077e1ff84 5 bytes JMP 0000000075552e90 .text C:\Users\Przemek\Documents\diagnostyka\7d5k0mx5.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateMutant 0000000077e207ac 5 bytes JMP 0000000075552f10 .text C:\Users\Przemek\Documents\diagnostyka\7d5k0mx5.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateSemaphore 0000000077e20884 5 bytes JMP 0000000075552f90 .text C:\Users\Przemek\Documents\diagnostyka\7d5k0mx5.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtCreateUserProcess 0000000077e2092c 5 bytes JMP 0000000075552c00 .text C:\Users\Przemek\Documents\diagnostyka\7d5k0mx5.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtOpenMutant 0000000077e21088 5 bytes JMP 0000000075552f50 .text C:\Users\Przemek\Documents\diagnostyka\7d5k0mx5.exe[3336] C:\Windows\SysWOW64\ntdll.dll!NtOpenSemaphore 0000000077e21100 5 bytes JMP 0000000075552fd0 .text C:\Users\Przemek\Documents\diagnostyka\7d5k0mx5.exe[3336] C:\Windows\SysWOW64\ntdll.dll!RtlQueryEnvironmentVariable 0000000077e3911f 5 bytes JMP 0000000075553620 .text C:\Users\Przemek\Documents\diagnostyka\7d5k0mx5.exe[3336] C:\Windows\SysWOW64\ntdll.dll!RtlDecompressBuffer 0000000077ebff31 5 bytes JMP 0000000075552c90 ---- Registry - GMER 2.2 ---- Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4D36E972-E325-11CE-BFC1-08002BE10318}\{F5C73C5B-D865-4745-9576-7ABA62303959}\Connection@Name isatap.{3F79ED4D-ECA6-4F66-B0B0-FB14D679098E} Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Bind \Device\{748B5BB5-36E8-4E86-B441-61BE86F07C46}?\Device\{F5C73C5B-D865-4745-9576-7ABA62303959}?\Device\{BDC51BB7-8FDF-456E-809A-9624061BDA8A}? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Route "{748B5BB5-36E8-4E86-B441-61BE86F07C46}"?"{F5C73C5B-D865-4745-9576-7ABA62303959}"?"{BDC51BB7-8FDF-456E-809A-9624061BDA8A}"? Reg HKLM\SYSTEM\CurrentControlSet\Control\Network\{4d36e975-e325-11ce-bfc1-08002be10318}\{2B07FAA1-8217-4E30-B5EC-FD4501E773BB}\Linkage@Export \Device\TCPIP6TUNNEL_{748B5BB5-36E8-4E86-B441-61BE86F07C46}?\Device\TCPIP6TUNNEL_{F5C73C5B-D865-4745-9576-7ABA62303959}?\Device\TCPIP6TUNNEL_{BDC51BB7-8FDF-456E-809A-9624061BDA8A}? Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{F5C73C5B-D865-4745-9576-7ABA62303959}@InterfaceName isatap.{3F79ED4D-ECA6-4F66-B0B0-FB14D679098E} Reg HKLM\SYSTEM\CurrentControlSet\services\iphlpsvc\Parameters\Isatap\{F5C73C5B-D865-4745-9576-7ABA62303959}@ReusableType 0 ---- EOF - GMER 2.2 ----